Netgate Discussion Forum
    Scheduled Firewall Rule for LAN

    Firewalling
    • P
      Presbuteros
      last edited by

      The goal is to block a host on the LAN from both LAN and WAN during a 1 hour period from 0830-0930 every day.

      I have configured the following range in Firewall>Schedules:

      Schedule Name: 1hrBlock
      Mon-Sun  0830-0930

      I have configured in Firewall>Rules>LAN the following:

      Interface:        LAN
      Address Family: IPv4
      Protocol:        ANY
      Source: Single Host > 192.168.4.120
      Destination:    ANY
      Advanced Options > Schedule: 1hrBlock

      However, when that time period (0830-0930) comes, the host still has access to WAN and LAN.

      I see in Firewall>Rules>LAN under Advanced Options both State timeout and State type. Do either of these need to be configured so that the States of the host are dropped at 0830 for the schedule rule?

      Thanks for your help.

      • G
        GoldFish
        last edited by

        What is the rule order? The rules on an interface are applied from the top down, first match first. If there is a rule above this block rule which allows all LAN traffic, the packets would never hit this rule.

        Secondly, afaik, active states from this machine will not be dropped until they expire. State timeout should help. When you apply a block rule that means no new session will be created but the existing ones will still go through.

        On the other side let’s say you allow access for a 1 hour window. States are dropped automatically after the 1 hour window which were created in that time period.

        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          You cannot use a firewall rule to block a LAN host from accessing another LAN host.

          They are on the same subnet so that traffic doesn't go through the firewall at all.

          For access out WAN you want to use scheduled pass rules followed by an unscheduled block all rule.

          When a scheduled pass rule expires all states created BY THAT RULE will be killed.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

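A small first-match model of the two LAN rule layouts discussed in this thread, added here as an example (it is not from the thread and not pfSense's own code): the original poster's layout with the default LAN pass above the scheduled block, and the scheduled pass followed by an unscheduled block suggested above. The host and the 0830-0930 window come from the first post; the inverse schedule name and the sample date are assumptions, and, as noted above, this only concerns traffic that actually traverses the firewall (not LAN-to-LAN on the same subnet).

```python
"""Model of pf-style first-match evaluation with scheduled rules.
Constructed example; rule names, the inverse schedule and the date are assumed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class Schedule:
    name: str
    windows: list  # (start, end) inclusive time pairs; Mon-Sun, so days are ignored

    def active(self, now: datetime) -> bool:
        t = now.time()
        return any(start <= t <= end for start, end in self.windows)


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    source: str                       # "any" or a single host address
    schedule: Optional[Schedule] = None  # None: rule is always in the ruleset


def evaluate(rules, src, now):
    """A scheduled rule is only present while its schedule is active;
    the first rule that matches decides, nothing below it is consulted."""
    for rule in rules:
        if rule.schedule and not rule.schedule.active(now):
            continue
        if rule.source in ("any", src):
            return rule.action
    return "block"  # implicit default deny


def surviving_states(states, now):
    """States created BY a scheduled pass rule are killed when its schedule
    ends; states from unscheduled rules stay until they time out."""
    return [s for s in states if not s[2].schedule or s[2].schedule.active(now)]


HOST = "192.168.4.120"
BLOCK_WINDOW = Schedule("1hrBlock", [(time(8, 30), time(9, 30))])
# Inverse of the block window, used by the scheduled pass rule (assumed name)
ALLOW_WINDOW = Schedule("allowOutside1hrBlock",
                        [(time(0, 0), time(8, 29)), (time(9, 31), time(23, 59))])

# Original layout: default LAN pass on top, scheduled block below (never reached)
ORIGINAL = [Rule("pass", "any"), Rule("block", HOST, BLOCK_WINDOW)]
# Suggested layout: scheduled pass for the host, unscheduled block for the host,
# then the usual LAN pass for everyone else
SUGGESTED = [Rule("pass", HOST, ALLOW_WINDOW), Rule("block", HOST), Rule("pass", "any")]


def decide(rules, src, hhmm):
    return evaluate(rules, src, datetime(2024, 1, 1, *hhmm))  # constructed date
```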
          • G
            GoldFish
            last edited by

            @Derelict:

            You cannot use a firewall rule to block a LAN host from accessing another LAN host.

            If it’s absolutely necessary to block LAN, then I would put this machine on a different subnet, provided the routing table is on pfSense and not a switch, but then you will have to configure other rules for traffic flow.

            • P
              Presbuteros
              last edited by

              Thank you both for your input. I see I have to approach the idea in a different way.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.