Blocking scheduling not quite working

Techsanity

I have rules setup to block my sons devices on a schedule. Blocking starts at 8pm during the week and 11pm on the weekend. However some how he continues to have access to the web if he is in the middle of playing a game and has realized this so he continues to play past the 8pm cut off.
Am I missing an option here?

Gertjan

Hi,

@techsanity said in Blocking scheduling not quite working:

Am I missing an option here?

Should we come over and check ?
What about showing the rules and schedules ?

heper

Use allow rules behind a schedule instead of block rules.

Techsanity

@gertjan Sorry I was asking from my phone at the time and thought maybe it was something easy, since I've only been using pfSense about a month now
0_1535363306793_Screen Shot 2018-08-27 at 5.47.29 AM.png
0_1535363424773_Screen Shot 2018-08-27 at 5.49.05 AM.png
0_1535363436866_Screen Shot 2018-08-27 at 5.49.23 AM.png
0_1535363446617_Screen Shot 2018-08-27 at 5.49.41 AM.png
0_1535363454468_Screen Shot 2018-08-27 at 5.49.54 AM.png

Gertjan

So, it seems @heper is right.
Make the first two rules allow rules for "AlexanderDevices" - these two will be scheduled.
Add a new rule after these two, and make this one blocking "AlexanderDevices" all time time (not scheduled).

See, for example, https://forum.netgate.com/topic/92932/schedules-for-rules-want-to-reset-states-just-before-blocking/4

Techsanity

Ok, I will have to change this later after work. I had set this up this way just because I had found a “guide” that set it up this way.

Techsanity

so it should be like this then? do I need to make any changes to the "Default allow LAN to any rule"?
0_1535402254598_Screen Shot 2018-08-27 at 4.36.34 PM.png

Gertjan

Looks better.
As soon as Alex goes outside the schedule, he'll be hitting rule "3", the wall ....

Techsanity

ok, well its after 8pm and my son was still sitting on his computer playing roblox. So I am now confused as to how he is continuing to have internet access.
I went into his room and he shut his computer off, so i turned it back on and tried to access the internet and could not.
He says it only works if he goes into a roblox game before 8pm, then he can continue to play after the 8pm cut off.

Grimson

https://redmine.pfsense.org/issues/8820

Techsanity

@grimson so basically my son has found a bug and is exploiting it... pfSense FAIL
and it seems they don't care to fix this bug with any definite time line.

Gertjan

Still, you haven't said your last word.
According to https://redmine.pfsense.org/issues/8820 checkout the last post here :
https://forum.netgate.com/topic/69331/scheduled-blocks-won-t-work-without-manual-states-reset/61

Use the cron package.
If you have all the MAC address of Alex's devices, give them static DHCP IP addresses, this way you will know his IP addresses.
Then, with a cron rule you can force to flush the states table.

edit : I have a wired PC called "left". It has both an DHCP static IPv4 and IPv6.
I killed all states for PC "left" : 2001:470:1f13:5c0:2::c7 and 192.168.1.7
Placed a block rule that blocks "left". And just above a scheduled rule for PC "left" that gives access between 10h30 and 10h45 every day.
I executed "pfctl " by hand, but it is easy to create a cron rule that kills all states for an IPv4 (and IPv6) each day at 10h45 every day (make that 10h46 ;) ).

Results : my PC was blocked before 10h30.
The PC "left" regained access between 10h30 and 10h45
When the clocks showed 10h45, I executed

/sbin/pfctl -k 192.168.1.7
/sbin/pfctl -k 2001:470:1f13:5c0:2::c7

Worked for me.

Techsanity

does this look right?
0_1535450703661_Screen Shot 2018-08-28 at 6.02.30 AM.png

Gertjan

I guess so.

Keep in mind that you only need to flush states when you want to break present connections == at the end of the authorized scheduled time.
The IP should be the one that "Alex" is using.

Never wonder if something works. You should proof it to yourself. Like : use you own smartphone ** - look up it's IP, introduce some rules and a scheduled time, and test drive, see if what you see is what you want to see.
If it works for an "IP", it also works for another IP.

** or any other networked device you have.

Techsanity

@gertjan I guess my question was more if the “day” was correct. I have the times set for 8:01pm Monday-Thursday and Sunday and then for 11:01pm Friday & Saturday
But it showed in putting numbers for the days

Gertjan

Checkout : Status => System Logs => System General

Enter console mode or SSH access, goto god mode (option 8) and type

logger hello there !!!

Refresh the Status => System Logs => System General page.
You will see this :

0_1535464081309_7a4971a9-9f9d-494a-9ba7-89099c22cd23-image.png

Use this to check (== logger command) that you obtain the result that you expect. In your case : double both cron rules (== one for the start and one for the end of the schedule) with a "logger Alex may go ahead ...." and "logger Alex shutting down ....."
Now, you only have to look at your log to see if the commands executed when you want them to execute ;)

Btw : I'm not a cron expert, I'm using the trail and error method which always gives the wanted result.