Interrupt connections programatically

victropolis

I've got aliases, rules, and schedules configured to control my kids internet time, but any connections that are pre-established are not interrupted automatically when a usage window expires. Is there any built-in functionality in pfSense that can do this for me? Or, can I somehow write a script that I can put in a crontab to go out and interrupt any connections from certain hosts on a given schedule? Thanks in advance!

NogBadTheBad

Post your rules.

victropolis

@NogBadTheBad Not sure how I can post my rules. It's pretty basic stuff. Block anything from an alias (a bunch of hosts on the network) according to a schedule and the schedule has four time blocks: midnight to 9am, 10am to 2pm, 4pm to 7pm, and 10pm to midnight. New connections are correctly blocked, but connections established during the non-blocked windows are not interrupted. Therefore, stuff like iMessage from iOS devices, which maintains a constant connection, are allowed to continue functioning curing the blocked periods.

NogBadTheBad

If you go into System -> Advanced -> Miscellaneous -> Schedules it reads "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections"

You need to use your schedules on the pass rule not the drop.

My simple ping to Google test between 17:45 & 18:00 UK time:-

Screenshot 2019-06-25 at 17.46.57.png

Screenshot 2019-06-25 at 18.01.05.png

Screenshot 2019-06-25 at 18.00.14.png

akuma1x

This is how I do it:

Set your schedule(s) up for the times you want to block/reject access, not the other way around. Create an alias with your static machine IP addresses, or set a static IP address for a single device.

Then, create a firewall block or reject rule, like in the @NogBadTheBad example. Make sure you add the schedule you created in there. That's it - when the block time arrives, all states are killed and the connection to the internet (in this example) is closed.

I just tested this on my network. Setup a time block for 12 noon to 12:15pm. Speed test from my phone over wifi worked just fine at 11:58am, at 12:01pm it's blocked.

Your kid devices don't have cellular service on them, do they? The pfsense firewall isn't involved in any blocking if those devices can "escape" your network and hit a cell signal.

Jeff

NogBadTheBad

@akuma1x said in Interrupt connections programatically:

This is how I do it:

Set your schedule(s) up for the times you want to block/reject access, not the other way around. Create an alias with your static machine IP addresses, or set a static IP address for a single device.

Then, create a firewall block or reject rule, like in the @NogBadTheBad example. Make sure you add the schedule you created in there. That's it - when the block time arrives, all states are killed and the connection to the internet (in this example) is closed.

I just tested this on my network. Setup a time block for 12 noon to 12:15pm. Speed test from my phone over wifi worked just fine at 11:58am, at 12:01pm it's blocked.

Your kid devices don't have cellular service on them, do they? The pfsense firewall isn't involved in any blocking if those devices can "escape" your network and hit a cell signal.

Jeff

Are you sure your state didn't drop after your first speed test ?

Try it with a constant ping, does it still work.

victropolis

@akuma1x This is pretty much exactly what I have going on. Yet, when the block time arrives, pre-established connections aren't interrupted. It seems that the trick is to have pass rules, rather than block rules per @NogBadTheBad . I'll play around with this when I get home tonight. So, @NogBadTheBad I guess I need to create a block rule for everyone I want to restrict and then create a pass rule on top of it. Right?

NogBadTheBad

Yup.

victropolis

@akuma1x @NogBadTheBad mobile data is a completely different problem, and unfortunately, there isn't a very good solution that I've found. I wish NETGATE would make a pfSense mobile firewall app that could be administered remotely. That would rock.

akuma1x

@NogBadTheBad said in Interrupt connections programatically:

Are you sure your state didn't drop after your first speed test ?

Try it with a constant ping, does it still work.

Let me try that... be right back.

Jeff

akuma1x

Ok, so it doesn't actually work successfully on a ping test I was running. I started at 3:59pm, the block rule activated at 4pm, and I stopped the ping at 4:01pm. It ping'ed the entire time. I tried a youtube video as well, it played right thru the stop time.

So, @NogBadTheBad you are correct, the state isn't closed and shutdown. I know that's most likely how pfsense is supposed to behave, and that's ok.

Here's the catch, though... When I went to ping again, after the stop time, the connection was blocked. When youtube ended the video, now a couple of minutes after the stop time, and went to autoplay the next video in the recommended queue, nothing played. So, this kinda mostly does work, just not immediately when the schedule activates.

My kids always grumble when the schedule shuts down their online PS4 play, as I'm betting the game console is opening and closing states like crazy to do those kinds of games. It works just fine for my situation.

Jeff

victropolis

@akuma1x @NogBadTheBad I simply cannot get this to work, and have concluded that it's a bug in the pfSense software. I have opened the following bug:

https://redmine.pfsense.org/issues/9615

NogBadTheBad

Post a screenshot of your schedule.

Also you shouldn't need that second rule.

Screenshot 2019-07-09 at 16.54.38.png

Screenshot 2019-07-09 at 17.00.49.png

Screenshot 2019-07-09 at 17.12.39.png

Screenshot 2019-07-09 at 17.04.02.png

victropolis

@NogBadTheBad Screen Shot 2019-07-09 at 10.12.17.png

NogBadTheBad

Does the schedule icon change colour, when you think it should?

victropolis

@NogBadTheBad It's currently yellow. yes. At 2pm it should turn green.

victropolis

@NogBadTheBad The reject and pass rules work as expected, with the exception of pre-existing connections. New connections are blocked, but any connections that were started and maintained during a pass schedule window are allowed to continue.

akuma1x

@victropolis said in Interrupt connections programatically:

@NogBadTheBad The reject and pass rules work as expected, with the exception of pre-existing connections. New connections are blocked, but any connections that were started and maintained during a pass schedule window are allowed to continue.

Yep, that's the nature of a stateful firewall, like pfsense. The options of using pass or block to make it behave like you (and me sometimes) want, simply don't work like what we expect. It is what it is...

https://www.cybrary.it/0p3n/stateful-vs-stateless-firewalls/

Jeff

akuma1x

Now that I think about this again, how are your "kids" connecting to your network? Are they all wireless, like ipads, phones, etc.?

You mention iOS if one of your earlier posts, does that mean they are all mobile?

If you have the right gear, you could set your wifi to actually turn off at your designated times. That would be easier than banging your head against the wall with firewall rules and schedules that don't work like you're expecting. As an example of this, I've got Ubiquity access points at work. I have programmed them to shut off the "guest" wifi network at night, when no guests are physically in the building. Therefore, no wifi shenanigans going on after hours. You could do something similar, again, if you have gear that supports this.

Jeff

victropolis

@akuma1x said in Interrupt connections programatically:

https://www.cybrary.it/0p3n/stateful-vs-stateless-firewalls/

Then they shouldn't say that "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections"