Scheduled Firewall Rule for LAN

  • The goal is to block a host on the LAN from both LAN and WAN during a 1 hour period from 0830-0930 every day.

    I have configured a range in Firewall>Schedules the following.

    Schedule Name: 1hrBlock
    Mon-Sun  0830-0930

    I have configured in Firewall>Rules>LAN the following:

    Interface:        LAN
    Adress Family: IPv4
    Protocol:        ANY
    Source: Single Host >
    Destination:    ANY
    Advanced Options > Schedule: 1hrBlock

    However, when that time period (0830-0930) comes, the host still has access to WAN and LAN.

    I see in Firewall>Rules>LAN under Advanced Options both State timeout and State type. Do either of these need to be configured so that the States of the host are dropped at 0830 for the schedule rule?

    Thanks for your help.

  • what Is the rule order. The rules on an interface are applied from top down first. If there is a rule on top of this block rule which allows all Lan traffic, the packets would never hit this rule

    Secondly, afaik, active states from this machine will not be dropped until they expire. State timeout should help. When you apply a block rule that means no new session will be created but the existing ones will still go through.

    On the other side let’s say you allow access for a 1 hour window. States are dropped automatically after the 1 hour window which were created in that time period.

  • LAYER 8 Netgate

    You cannot use a firewall rule to block a LAN host from accessing another LAN host.

    They are on the same subnet so that traffic doesn't go through the firewall at all.

    For access out WAN you want to use scheduled pass rules followed by an unscheduled block all rule.

    When a scheduled pass rule expires all states created BY THAT RULE will be killed.

  • @Derelict:

    You cannot use a firewall rule to block a LAN host from accessing another LAN host.

    If it’s absolutely necessary to block Lan then I would put this machine on a different subnet provided routing table is on pfsense and not a switch but then you will have to configure other rules for traffic flow

  • Thank you both for your input. I see I have to approach the idea in a different way.

Log in to reply