Schedule Alias Block not working

ozhound

Hi All,

I've recently switched from ClearOS to pfSense due to ClearOS being rubbish (I didn't have a need to change until I tried to enforce specific firewall rules and the 12-month-old Clearos 6 just didn't seem to work)

my goal is to stop the kids devices (allocated to a particular range of IP via mac) from using the internet from say 8pm to 8am

it just doesn't seem to work. the kids are still playing on their devices after 8pm.

Can you take a look at the screen shots and advise?

I have pfBlocker Configured and have disabled the rules I think may be instantly allowing traffic prior to the LAN rules being processed.

When I originally created the ruleset I used the allow by default and block via the "kids_block" schedule. this seemed to work but didn't drop the connection when the firewall started blocking. My sons Mac couldn't access the net, but if he was on the PC and playing an online game during the transition from allowed to blocked it kept the state open.

I then tried creating a 24/7 block for that alias with an allowed rule above that block. this doesn't seem to work at all.

Thanks in advance.

viragomann

The kids should be the source in the LAN rules instead destination, I think.
And the allow rule has to be underneath the block rules (24/7) to take effect.

If you have trouble with not closing existing connections by schedules also check System > Miscellaneous > Schedules.

2chemlud

@viragomann:

The kids should be the source in the LAN rules instead destination, I think.

Agree :-D

@viragomann:

And the allow rule has to be underneath the block rules (24/7) to take effect.

Not agree :-D

@viragomann:

If you have trouble with not closing existing connections by schedules also check System > Miscellaneous > Schedules.

System -> Advance -> Miscellaneous  and ther Schedules. But the default (not checked) should work…

viragomann

@2chemlud:

@viragomann:

And the allow rule has to be underneath the block rules (24/7) to take effect.

Not agree :-D

Agree  ::)  As this route should prohibit kids web access when the schedule isn't active.

And a further point:
Why do you allow your kids access to the pfSense WeGUI?

ozhound

Thanks for the responses. ill try these changes and let you know.

correct me if I'm wrong but doesn't the flow of the rule matching work from top to bottom? when a matching rule is found that "state" is passed or blocked with all other rules existing below the matching skipped/ignored?

2chemlud

You are right… ;-)