Problem cutting off anydesk and telegram access

enesas

Hello
I block the internet of certain devices in pfsense certain time zones. However, anydesk and telegram access continues even though I choose "any" as the protocol.
how does this happen?
do they use other protocols other than these protocols?
If not, why isn't it blocked?

viragomann

@enesas said in Problem cutting off anydesk and telegram access:

I block the internet of certain devices in pfsense certain time zones.

How do you do this? By activating the rule manually?

If so you have also to clear the respective states.

Enabling a block rule doesn’t cut existing connections.

johnpoz

@enesas did you clear any existing states. Remember pfsense is a stateful firewall - states are looked at before rules..

If you allowed something and it created a state, and then blocked it - it would not actually be blocked until that state has expired or timeout or been removed.

When creating a new rule that blocks something, you need to make sure there are no currently existing states that would allow what your trying to block.

Are you doing this via a scheduled access - if so did you happen to check "Do not kill connections when schedule expires under System > Advanced on the Miscellaneous tab."

enesas

@johnpoz said in Problem cutting off anydesk and telegram access:

olmanız gerekir.
Bunu zamanlanmış bir erişim yoluyla mı yapıyorsunuz - öyleyse "Çeşitli sekmesindeki Sistem > Gelişmiş altında Zamanlama sona erdiğinde bağlantıları öldürme

I'm doing it with the timing rule. I have system>advanced>miscellaneous>Schedule States unchecked.
Do you need to mark?

viragomann

@enesas
No, that option should be unchecked. But anyway, it doesn't have any affect on block rules. A block rule has no states to kill.
So you have to turn your schedule rule into a pass rule.

enesas

@viragomann I didn't understand how to convert it to a transition rule.
how do you do that?

viragomann

@enesas
Simply select pass at action and invert the schedule time.
If you have multiple rules put it to the top of the rule set followed by a block rule (non´t scheduled) for the respective devices.

enesas

@viragomann
I UNDERSTAND. THANK YOU VERY MUCH. I WILL TRY.

but it's weird why pfsense can't get the current shape.

johnpoz

@enesas said in Problem cutting off anydesk and telegram access:

pfsense can't get the current shape.

shape? If you mean states they are listed under diagnostic states..

enesas

@johnpoz No. why can't it make the time based block rule I created above? I meant it.
thank you

johnpoz

@enesas again look at the states.. If there is a state then a block rule will not work. Also doing a scheduled block rule on floating problematic if you have a any allow rule on the interface.

If want help would be helpful for anyone wanting to help you what is currently on your lan, what is currently on your wan - all rules. Rules are evaluated in order, for all we know that rule blocking is below a rule that allows. Lost track of how many times have seen - hey why does my block rule not work, and its setting below the any any rule..

Once a rule is triggered other rules are not evaluated.

ahsunh

@enesas Dear Friend as per your stated rule any desk and telegram uses ipv6 for using make sure you uncheck ipv6 traffic on advanced option in pfsense not to allow ipv6 in your network or simply use both ipv4 and ipv6 then check your states.

enesas

@ahsunh
Allow IPv6 is not checked.
But putting the default block rule suggested above and then the allow rule worked.
thanks