Interrupt connections programatically

victropolis

@akuma1x @NogBadTheBad mobile data is a completely different problem, and unfortunately, there isn't a very good solution that I've found. I wish NETGATE would make a pfSense mobile firewall app that could be administered remotely. That would rock.

akuma1x

@NogBadTheBad said in Interrupt connections programatically:

Are you sure your state didn't drop after your first speed test ?

Try it with a constant ping, does it still work.

Let me try that... be right back.

Jeff

akuma1x

Ok, so it doesn't actually work successfully on a ping test I was running. I started at 3:59pm, the block rule activated at 4pm, and I stopped the ping at 4:01pm. It ping'ed the entire time. I tried a youtube video as well, it played right thru the stop time.

So, @NogBadTheBad you are correct, the state isn't closed and shutdown. I know that's most likely how pfsense is supposed to behave, and that's ok.

Here's the catch, though... When I went to ping again, after the stop time, the connection was blocked. When youtube ended the video, now a couple of minutes after the stop time, and went to autoplay the next video in the recommended queue, nothing played. So, this kinda mostly does work, just not immediately when the schedule activates.

My kids always grumble when the schedule shuts down their online PS4 play, as I'm betting the game console is opening and closing states like crazy to do those kinds of games. It works just fine for my situation.

Jeff

victropolis

@akuma1x @NogBadTheBad I simply cannot get this to work, and have concluded that it's a bug in the pfSense software. I have opened the following bug:

https://redmine.pfsense.org/issues/9615

NogBadTheBad

Post a screenshot of your schedule.

Also you shouldn't need that second rule.

Screenshot 2019-07-09 at 16.54.38.png

Screenshot 2019-07-09 at 17.00.49.png

Screenshot 2019-07-09 at 17.12.39.png

Screenshot 2019-07-09 at 17.04.02.png

victropolis

@NogBadTheBad Screen Shot 2019-07-09 at 10.12.17.png

NogBadTheBad

Does the schedule icon change colour, when you think it should?

victropolis

@NogBadTheBad It's currently yellow. yes. At 2pm it should turn green.

victropolis

@NogBadTheBad The reject and pass rules work as expected, with the exception of pre-existing connections. New connections are blocked, but any connections that were started and maintained during a pass schedule window are allowed to continue.

akuma1x

@victropolis said in Interrupt connections programatically:

@NogBadTheBad The reject and pass rules work as expected, with the exception of pre-existing connections. New connections are blocked, but any connections that were started and maintained during a pass schedule window are allowed to continue.

Yep, that's the nature of a stateful firewall, like pfsense. The options of using pass or block to make it behave like you (and me sometimes) want, simply don't work like what we expect. It is what it is...

https://www.cybrary.it/0p3n/stateful-vs-stateless-firewalls/

Jeff

akuma1x

Now that I think about this again, how are your "kids" connecting to your network? Are they all wireless, like ipads, phones, etc.?

You mention iOS if one of your earlier posts, does that mean they are all mobile?

If you have the right gear, you could set your wifi to actually turn off at your designated times. That would be easier than banging your head against the wall with firewall rules and schedules that don't work like you're expecting. As an example of this, I've got Ubiquity access points at work. I have programmed them to shut off the "guest" wifi network at night, when no guests are physically in the building. Therefore, no wifi shenanigans going on after hours. You could do something similar, again, if you have gear that supports this.

Jeff

victropolis

@akuma1x said in Interrupt connections programatically:

https://www.cybrary.it/0p3n/stateful-vs-stateless-firewalls/

Then they shouldn't say that "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections"

victropolis

@akuma1x the wifi router is behind the pfSense firewall and all devices behind the pfSense firewall get their IP addresses and DNS from the pfSense firewall. The issue I'm talking about is specifically pertaining to devices that do not have mobile data connections, such as iPads without 3G or LTE.

NogBadTheBad

@victropolis said in Interrupt connections programatically:

@akuma1x the wifi router is behind the pfSense firewall and all devices behind the pfSense firewall get their IP addresses and DNS from the pfSense firewall. The issue I'm talking about is specifically pertaining to devices that do not have mobile data connections, such as iPads without 3G or LTE.

What port is connected on the Wi-Fi router to pfSense ?

victropolis

@NogBadTheBad where can I find that?

Grimson

Old news, check existing bugs before you create a new ticket: https://redmine.pfsense.org/issues/8820

victropolis

@NogBadTheBad Screen Shot 2019-07-09 at 12.53.07.png

NogBadTheBad

@victropolis said in Interrupt connections programatically:

@NogBadTheBad where can I find that?

What IP address does your LAN interface have and what IP address are the WiFi clients getting.

If you use a WiFi router and connect the WAN port to pfSense LAN everything will be nated.

victropolis

@NogBadTheBad 192.168.1.1 is the IP of the pfSense. 192.168.1.2 is the IP of the wifi router. Everything else is 192.168.1.*