Netgate Discussion Forum
    Scheduled blocks won't work without manual states reset

    Category: Firewalling
    71 Posts 25 Posters 27.0k Views 9 Watching

    twinbytes

      I managed to get cron to work without saying * for the hour.  I found out that although the schedule runs at 1800 hours (6pm) I have to schedule Cron to run at 2201 hours for it to think it is 1 minute past the hour.  It then successfully runs the cron job 1 minute after the scheduled job and clears the state table.  So for Cron to run the job 1 minute after the scheduled rule, I have to actually program Cron to run 4 hours and 1 minute after the scheduled rule.

      My question now is why does Cron think it is 2200 hours when it is 1800 hours?  In other words, why does Cron think the time is 4 hours ahead of what the schedule does?

      thecableguy

        @twinbytes:

        I managed to get cron to work without saying * for the hour.  I found out that although the schedule runs at 1800 hours (6pm) I have to schedule Cron to run at 2201 hours for it to think it is 1 minute past the hour.  It then successfully runs the cron job 1 minute after the scheduled job and clears the state table.  So for Cron to run the job 1 minute after the scheduled rule, I have to actually program Cron to run 4 hours and 1 minute after the scheduled rule.

        My question now is why does Cron think it is 2200 hours when it is 1800 hours?  In other words, why does Cron think the time is 4 hours ahead of what the schedule does?

        Have you set the timezone correctly? - System/General Setup.

        twinbytes

          @thecableguy:

          @twinbytes:

          I managed to get cron to work without saying * for the hour.  I found out that although the schedule runs at 1800 hours (6pm) I have to schedule Cron to run at 2201 hours for it to think it is 1 minute past the hour.  It then successfully runs the cron job 1 minute after the scheduled job and clears the state table.  So for Cron to run the job 1 minute after the scheduled rule, I have to actually program Cron to run 4 hours and 1 minute after the scheduled rule.

          My question now is why does Cron think it is 2200 hours when it is 1800 hours?  In other words, why does Cron think the time is 4 hours ahead of what the schedule does?

          Have you set the timezone correctly? - System/General Setup.

          Yes, the time zone is correct in General setup.

          twinbytes

            I saw another discussion someone wrote to use the following code but it doesn't work for me.

            pfctl -k x.x.x.x/24 ; pfctl -k 0.0.0.0/0 -k x.x.x.x/24

            I assume if my pfsense box is 192.168.1.1 that the x.x.x.x should be that IP address?  Or is there something else I should be doing?  That thread is closed to comments or I'd ask there.

            twinbytes

              Since killing the state table by IP, even manually pressing the button, is unreliable and the only method is resetting the entire firewall state table manually, I've set a scheduled reboot using Cron which works perfectly.  I know it's not the ideal solution rebooting the server every night, but I need results and this is the only reliable method.
              /sbin/shutdown -r now

              I hope pfsense will have a patch to fix clearing the state tables by ip address.

              thecableguy

                @twinbytes:

                Since killing the state table by IP, even manually pressing the button, is unreliable and the only method is resetting the entire firewall state table manually, I've set a scheduled reboot using Cron which works perfectly.  I know it's not the ideal solution rebooting the server every night, but I need results and this is the only reliable method.
                /sbin/shutdown -r now

                I hope pfsense will have a patch to fix clearing the state tables by ip address.

                I can't believe we are the only people who want this 'feature', I would expect pfsense to be capable of what the $100 routers seem to do quite well.

                n3by

                  You are not alone and this is a very old problem on pfsense… this thread alone is 3 years old.
                  In time, what you can't fix you learn to live with, or if you can't, then you try to find a solution that works for your needs.

                  This is how it finally works for my kids, see the attachment:

                  • allow DHCP only to this VLAN/firewall.
                  • allow DNS & NTP only to this firewall.
                  • deny access to this firewall for all clients except the admin IP...

                  legend:
                  inet lucia = Mon-Sun 12:00-12:30 / Mon-Fri 19:00-20:30 / Mon-Sun 14:30-17:00 ( school )
                  vacanta = every day 06-23 ( no school )
                  zilnic = every day 06-22:15

                  p.s.
                  extra cron script to kill states,
                  don't forget to make the script executable
                  ...
                  15-30 22 * * * root /usr/local/bin/pf_stop_tablete_copii.sh

                  #!/bin/sh
                  
                  /sbin/pfctl -K 192.168.101.111
                  /sbin/pfctl -K 192.168.101.112
                  

                  [attachment: schedule.jpg]

                  twinbytes

                    @ecfx:

                    You are not alone and this is a very old problem on pfsense… this thread alone is 3 years old.
                    In time, what you can't fix you learn to live with, or if you can't, then you try to find a solution that works for your needs.

                    This is how it finally works for my kids, see the attachment:

                    • allow DHCP only to this VLAN/firewall.
                    • allow DNS & NTP only to this firewall.
                    • deny access to this firewall for all clients except the admin IP...

                    legend:
                    inet lucia = Mon-Sun 12:00-12:30 / Mon-Fri 19:00-20:30 / Mon-Sun 14:30-17:00 ( school )
                    vacanta = every day 06-23 ( no school )
                    zilnic = every day 06-22:15

                    p.s.
                    extra cron script to kill states,
                    don't forget to make the script executable
                    ...
                    15-30 22 * * * root /usr/local/bin/pf_stop_tablete_copii.sh

                    #!/bin/sh
                    
                    /sbin/pfctl -K 192.168.101.111
                    /sbin/pfctl -K 192.168.101.112
                    

                    Thanks, I'm not sure this all makes sense to me, but it looks like an uppercase K where I was using a lowercase k?
                    Also, to allow DHCP, DNS and NTP only to this firewall, I'm not sure where to set those rules?

                    n3by

                      see the attachment.

                      I also have a DNS server in another LAN (192.168.22.16) for the kids that filters DNS with Pi-hole and forwards requests to OpenDNS (family shield… adult content...), so I also had to allow OpenDNS directly, just in case my server is offline.
                      Local DNS/NTP is your LAN interface IP and 127.0.0.1

                      [attachment: Untitled.jpg]

                      twinbytes

                        Odd thing, my router didn't reboot tonight at 10:05pm as scheduled (which I set to 2:05am because it was working 4 hours ahead previously).  I tried setting the correct time and now it works.  It seems to have fixed itself.  Very weird, but I thought I'd share that the problem is solved.
                        Just need to test more with rules to avoid rebooting.

                        thecableguy

                          Have you tried OPNsense? It has the latest BSD.

                          twinbytes

                            @thecableguy:

                            Have you tried OPNsense? It has the latest BSD.

                            I haven't tried OPNsense, but honestly I just set up pfsense and want to give it a fair shot.  I switched from IPFire, which was having more problems.  pfsense seems much better than IPFire so far, although it has the same challenges with removing states after scheduled blocks without rebooting.  The good news is that with pfsense I can at least schedule a reboot, whereas with IPFire I couldn't do that.

                            With more time I'll learn more tricks I can share. :)

                            thecableguy

                              @twinbytes:

                              @thecableguy:

                              Have you tried OPNsense? It has the latest BSD.

                              With more time I'll learn more tricks I can share. :)

                              Looking forward to it as I am almost out of hair!  ;)

                              thecableguy

                                @twinbytes:

                                @thecableguy:

                                Have you tried OPNsense? It has the latest BSD.

                                I haven't tried OPNsense, but honestly I just set up pfsense and want to give it a fair shot.  I switched from IPFire, which was having more problems.  pfsense seems much better than IPFire so far, although it has the same challenges with removing states after scheduled blocks without rebooting.  The good news is that with pfsense I can at least schedule a reboot, whereas with IPFire I couldn't do that.

                                With more time I'll learn more tricks I can share. :)

                                Anything new?

                                flaux

                                  I tried everything in this thread.

                                  This is still not fixed.

                                  Savas

                                    I have a combo solution which works well (so far). Set your schedules for allowing instead of blocking, with scheduled cron jobs (example: /usr/bin/nice -n20 /sbin/pfctl -k 192.168.1.10) for flushing states, say every 60 min, followed by a blocking rule.

                                    This is how my rules look on the LAN interface:

                                    [attachment: 0_1527596799306_kids.JPG]
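Added example, not code from the thread or from pfSense itself: it turns the approach in n3by's cron script and Savas's hourly flush into one cron-run script that flushes states for a list of hosts, validates its arguments so a typo cannot flush every state, and has a dry-run mode. pfctl(8) documents -k for state entries and -K for source-tracking entries, so it uses -k in both directions as in the pfctl line quoted earlier in the thread; the script path and crontab line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: flush pf states for a list of hosts
# once a schedule window has closed. Intended for pfSense's cron, e.g. (assumed):
#   1 22 * * * root /usr/local/bin/flush_kid_states.sh 192.168.1.10 192.168.1.11
# Set DRY_RUN=1 to print the pfctl commands instead of executing them.

PFCTL=/sbin/pfctl   # same path the thread uses

log() { logger -t flush_states "$*" 2>/dev/null || echo "flush_states: $*" >&2; }
# Accept only a dotted-quad IPv4 address with an optional /1-/32 prefix. A bad
# crontab argument must fail closed: "-k 0.0.0.0/0" on its own would flush
# every state on the box, and a stray shell character must never reach pfctl.
is_ipv4() {
    addr=${1%%/*}
    case "$1" in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')   # digits and dots only by now
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$pfx" -ge 1 ] && [ "$pfx" -le 32 ]
}
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# pfctl(8): "-k host" kills states whose source matches host; with a second -k
# the first is the source and the second the destination, so "-k 0.0.0.0/0 -k host"
# kills states *to* host. Both calls are needed to cut an established session.
flush_hosts() {
    rc=0
    for h in "$@"; do
        if ! is_ipv4 "$h"; then
            log "refusing invalid host spec: $h"; rc=1; continue
        fi
        run_cmd "$PFCTL" -k "$h"              || rc=1
        run_cmd "$PFCTL" -k 0.0.0.0/0 -k "$h" || rc=1
        log "flushed states from/to $h"
    done
    return "$rc"
}

main() {
    [ $# -gt 0 ] || { echo "usage: $0 host[/prefix] ..." >&2; return 0; }
    flush_hosts "$@"
}
main "$@"
```

The script logs each flush (or refusal) to syslog, so a schedule that "did not apply" can be checked against the cron run rather than guessed at.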

                                      ipfftw

                                      Wow, this new forum software is horrible. Doesn't work right with NoScript at all, and I had to switch to Chrome (spew)....

                                      That said, I have stumbled upon this "bug" and am obviously trying to do the same thing as you all. I noticed that my schedule was applying, and new connections are being filtered, but if a user has a voice channel open (Discord, I think), then the connection is not terminated until I do a full state reset.

                                      Sorry that I don't have anything new to add except that pfsense should fix this OBVIOUS BUG....

                                        SLIMaxPower

                                        and still current on 2.4.4-RELEASE (amd64)

                                          Gertjan

                                          Checkout https://forum.netgate.com/topic/134145/blocking-scheduling-not-quite-working/16

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit: and where are the logs??

                                            ipfftw @Gertjan

                                            Hey Mr Gertjan, I think you are saying that the command "/sbin/pfctl -K x.x.x.x" should be working, but for me it does not work. I used an upper case -K as a switch though. I think because of the nature of this particular connection it stays established somehow. It's a voice connection, Discord. All other connections terminate fine with the schedule. But the non-Discord ones are most likely trying to establish new connections that are then blocked by the firewall (web browsing, game setup, etc.)

                                            I was able to download the cron package from the package manager and I was able to run a command at the time of my choosing, but the -K commands do not seem to work.
                                            The only thing I can do that reliably works is to reboot the firewall :( . As you can imagine this is the nuclear option, but what can I say, it does work.

                                            [attachment: 0_1538145456827_4745a562-0d14-4777-9503-785ec9f61471-image.png]

                                            I don't have the default block or whatever you mention in that post either. Anyway, if you can provide a concise description of the exact thing that works, I will try it next week. pfctl does not seem to do it by itself.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.