pfblockerng ASN alias rule doesn't seem to work
-
@ahtos I blocked these AS numbers which I learned from here:
https://bgp.he.net/search?search%5Bsearch%5D=netflix&commit=Search
2906 #Netflix
55095 #Netflix
40027 #Netflix
394406 #Netflix
136292 #Netflix
The app on iOS loads, I can browse around but it doesn't stream anything. It's also a no go in the browser.
I haven't tested using that as a pass rule followed by a block any to any to allow only netflix and the others based on AS number.
Packet capture show connections on the 45.57.0.0/17 and the 198.38.96.0/19 blocks. Probably changes with location..
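To check how well an ASN-based alias actually covers what a device talks to, it helps to line up the captured destination addresses against the prefixes the alias expands to. The script below is an added example, not code from the thread or from pfBlockerNG: it parses an ASN list in the "<asn> #comment" form used above, expands it through a hand-made ASN-to-prefix table (a stand-in for the BGP lookup pfBlockerNG performs; only the two prefixes mentioned in the capture are in it, and mapping them to AS2906 is an assumption), and reports which destinations fall outside every prefix. The captured destination IPs are constructed sample values, not claims about who owns them.

```python
import ipaddress

# ASN list in the "<asn> #comment" format quoted in the thread.
# Constructed from the numbers above; comment text is ignored when parsing.
ASN_ALIAS_TEXT = """
2906 #Netflix
55095 #Netflix
40027 #Netflix
394406 #Netflix
136292 #Netflix
"""

# Stand-in for the ASN -> prefix resolution pfBlockerNG does at update time.
# Only the two prefixes seen in the packet capture are known here; assigning
# them to AS2906 is an assumption made for this example.
ASN_PREFIXES = {
    2906: ["45.57.0.0/17", "198.38.96.0/19"],
}

# Constructed destination IPs, as one might extract from a packet capture.
# Sample values only; nothing is asserted about which organisation owns them.
CAPTURED_DESTINATIONS = [
    "45.57.12.34",     # inside 45.57.0.0/17
    "198.38.100.5",    # inside 198.38.96.0/19
    "198.38.130.9",    # just past the end of 198.38.96.0/19 (198.38.127.255)
    "203.0.113.7",     # documentation range, stands in for a CDN/cloud host
]


def parse_asn_alias(text):
    """Parse '<asn> #comment' lines (optionally 'AS<n>') into sorted ASN ints."""
    asns = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop the comment
        if not line:
            continue
        if line.upper().startswith("AS"):
            line = line[2:]
        if not line.isdigit():
            raise ValueError(f"not an ASN: {raw!r}")
        asns.add(int(line))
    return sorted(asns)


def expand_networks(asns, resolver=ASN_PREFIXES):
    """Turn ASNs into (network, asn) pairs using the resolver table."""
    nets = []
    for asn in asns:
        for prefix in resolver.get(asn, []):
            nets.append((ipaddress.ip_network(prefix, strict=True), asn))
    return nets


def classify(dest_ips, nets):
    """Map each destination to the ASN whose prefix contains it, or None."""
    result = {}
    for ip_str in dest_ips:
        ip = ipaddress.ip_address(ip_str)
        result[ip_str] = next((asn for net, asn in nets if ip in net), None)
    return result


def uncovered(dest_ips, nets):
    """Destinations the ASN alias would not match: the 'miss' in hit-and-miss."""
    return [ip for ip, asn in classify(dest_ips, nets).items() if asn is None]


if __name__ == "__main__":
    nets = expand_networks(parse_asn_alias(ASN_ALIAS_TEXT))
    for ip, asn in classify(CAPTURED_DESTINATIONS, nets).items():
        print(f"{ip:16} -> {'AS' + str(asn) if asn else 'not in alias'}")
```

Any destination that shows up in `uncovered()` is traffic the ASN rule cannot catch, which is exactly the symptom of the app moving to addresses announced by a different network (for instance a CDN or cloud provider). In practice the prefix table would be filled from the same BGP data pfBlockerNG uses rather than typed by hand.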
-
@jwj Again, I much appreciate the time you take to help me out. I tried the ASN you gave me and it seems to be hit and miss. I believe the app keeps changing its destination. During two captures I saw the destination IP change, once to an Apple ASN and the second time to AWS. I think I will have to go a different road. Could you tell me if Screen Time can block specific apps for a period of time? I am on their website but I don't really see any information in regards to period blocks. It seems like you can either block or allow it.
Thank you and sorry for the late reply, I am still learning how to use pfsense.
-
It can't. It's all or nothing on a schedule. That's what Apple calls downtime. App limits set a time limit for each day. Say only 30 minutes a day using an app.
You can have downtime mixed with always available apps, so nothing after 11pm except those that are always available...
I always felt that screentime was a blunt weapon. Too punitive.
-
Maybe @BBcan177 has some insight beyond what I know?
-
@jwj Could you tell me which version of pfSense you are on? Maybe if I set mine to the same as yours then I might be able to use pfblockerng-devel. I might have to use an app similar to Screen Time that seems to be less restrictive, called FamiSafe. I was hoping to use a single tool instead of a combination, oh well, I got to learn new things and got troubleshooting insight from you.
-
@ahtos I'm currently on 2.4.5. Yes, it has issues with pfctl and filter reloads but I was working with the Netgate support folks to replicate the issue. I may go back to 2.4.4-p3 if I can find a moment to take everyone at home offline. pfblockerng-devel has been good for me for a long time now. You can share your pfblockerng-devel error here and see what the package developer @BBcan177 has to say. He's a good guy, super helpful.
-
@jwj The only problem is when I get the error, I can't reach the pfsense anymore... so no logs to look at...
-
@ahtos What hardware are you using? Do you have a physical console? I know it is necessary to uninstall the old pfblockerng before installing the devel version. It's not an update/upgrade thing.
-
@jwj I do have a physical box but I don't have access to a console cable. I ordered one but it will take some time with the current situation. I did a backup of the config before I installed the pfblockerng package.
-
@ahtos I'm not sure what to say about updating pfblocker other than you do want to get to the devel version.
Also out of technology suggestions about your other issue. If you're at the end of your rope you could just shut off access entirely other than during "school" hours. As I have said I am a much bigger proponent of the carrot than the stick, but sometimes needs demand... :(
-
@jwj At this point, we have no choice but to shut it down. We do need to work the next day even if it is remotely. If we were not in this unique situation, I don't think we would have the discussion. Just trying to make the best out of an unpleasant time. Like you, I don't want to impose austerity and would rather have a dialogue and understanding. I recall someone told me this once: "Children are the most beautiful things in the world until they learn to talk back to you". I thought it was funny at the time, but there is definitely truth in it :-)
I think, I will put the old router back and set the pfsense on the side so I can work with it. I will try to see if I can get any logs to share.
-
@ahtos Sounds like the best choice, for you and your family's sanity, all things considered. Though I hated it when I was young, there is some truth to "my roof, my rules".
When time allows you can think through how you want to setup tiered access. I have a full access network, filtered access, and no access. The no access for the naughty IoT devices.
-
@jwj It doesn't look like I can downgrade pfSense. I will remove the old pfblockerng and add pfblockerng-devel. I was googling the issue and I see a few people seem to have the same issue. I will leave pfblockerng as is and see if after a cron job I lose any connection. I will also remove all other packages I have installed.
-
Resolved.
Just an update on the issue if someone ever faces the same problem.
I reinstalled pfSense, then pfBlockerNG-devel.
I didn't create any auto-rules and only used native aliases. Maybe it's something obvious, but in my case they didn't play well together. I installed ntopng to find out all the required ASNs; there are a few more than just Netflix/YouTube for the apps. However, I got a second problem: from time to time I wouldn't get an IP from the WAN and got many dpinger send-to error 65 messages. The problem was my onboard NIC is a Realtek and not Intel. Moving the WAN to an Intel port seems to have fixed the issue for me. I understand the recommendation is to use Intel.
Thank you John for your time and help!