    Wireguard connection state not reset when schedule expires.

Firewalling | 4 Posts, 2 Posters, 889 Views
nheath:

      I have two rules with complementary schedules to only allow internet use during specified times.
(screenshot: the two scheduled rules)
The pass rule is there (from reading the docs on schedules) to keep track of the open states so they get closed when the schedule expires.

This works correctly for normal downloads or web browsing, and even OpenVPN TCP connections. But if a WireGuard connection is made during ALLOW times, it is kept active into the block times and is allowed to be used (it seems the state reset from the pass rule doesn't apply to it). If the WireGuard connection is dropped while in BLOCK times, it cannot be reinstated (the block rule appears to work in that case).

Why isn't the pass rule killing the WireGuard state?

nheath (replying to nheath):

Addendum: OpenVPN UDP, like WireGuard, does not lose its connection when the block rule goes into effect and the pass rule schedule expires. OpenVPN UDP, like WireGuard, continues to function during the block times.

JeGr (LAYER 8 Moderator, replying to nheath):

          @nheath Why do you also have a schedule on the Reject rule? I don't really understand the logic here?

nheath (replying to JeGr):

            @jegr Maybe I am missing something fundamental.
            I have rules at the bottom to route packets that fall through the rules out the VPN.
Several other rules route specific websites that do not work over VPN directly out my WAN.
The reject rule above would be the one I use to kill internet connectivity except for a few chosen destinations.
The pass rule, as I understand it, is simply to keep track of state so that when the allow time expires pfSense knows which connections it needs to reset.

I suppose the other way to do it would be to have a VPN rule for only Always_On and then only the pass rule.

            I'm still learning so any suggestions would be helpful.

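The thread never settles why the WireGuard state outlives the schedule, but the first thing to verify on the firewall is which rule actually created that state. A schedule expiry kills the states created by the scheduled pass rule itself (the behaviour the first post cites from the docs), so a state that was created by a different rule, for example the policy-routing rules at the bottom of the ruleset, would not be among them. The script below is an added example, not code from the thread, from pfSense or from Netgate. It parses constructed samples written in the format of `pfctl -vvss` (states, each followed by a line ending in `rule N`) and `pfctl -vvsr` (rules numbered `@N` with their labels); the addresses come from documentation ranges and the rule numbers and labels are invented for the example. The `kill_peer_state` function shows the manual `pfctl -k` kill for comparison and is the only part that touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: find which pf rule
# created the surviving WireGuard UDP state, then show the manual kill.
# Assumptions (constructed for this example): the 'pfctl -vvss' / 'pfctl -vvsr'
# output shapes in the samples, documentation IP ranges for all hosts, and the
# "USER_RULE: ..." labels pfSense puts on user rules.

# Constructed 'pfctl -vvss' sample: an HTTPS state created by rule 41 and a
# WireGuard (UDP/51820) state from the same LAN host created by rule 57.
SAMPLE_STATES='all tcp 192.168.1.10:50120 -> 203.0.113.20:443       ESTABLISHED:ESTABLISHED
   age 00:03:11, expires in 23:59:02, 412:380 pkts, 51204:318112 bytes, rule 41
   id: 5d1f2e3a00000001 creatorid: 1a2b3c4d
all udp 192.168.1.10:41953 -> 198.51.100.7:51820       MULTIPLE:MULTIPLE
   age 00:41:09, expires in 00:00:52, 3120:2988 pkts, 402180:1920113 bytes, rule 57
   id: 5d1f2e3a00000002 creatorid: 1a2b3c4d'

# Constructed 'pfctl -vvsr' sample: rule numbers and their labels.
SAMPLE_RULES='@41 pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow internet (scheduled)"
  [ Evaluations: 1402      Packets: 93012     Bytes: 40211800    States: 7     ]
@57 pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Route everything else out the VPN"
  [ Evaluations: 861       Packets: 301220    Bytes: 190220010   States: 12    ]'

# state_rule_number PEER_IP PEER_PORT STATES_TEXT
# Print the number of the rule that created the state whose far end is
# PEER_IP:PEER_PORT (empty output if there is no such state). On a real box
# pass "$(pfctl -vvss)" as STATES_TEXT.
state_rule_number() {
    printf '%s\n' "$3" | awk -v peer="$1:$2" '
        # flow line "<if> <proto> <src> -> <dst>   <state>": remember we hit it
        index($0, " " peer " ") { want = 1; next }
        # a following line ends in "..., rule N": that rule created the state
        want && match($0, /rule [0-9]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5); exit
        }
    '
}

# rule_label RULE_NUMBER RULES_TEXT
# Print the label of rule @RULE_NUMBER from "pfctl -vvsr" output.
rule_label() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == ("@" n) && match($0, /label "[^"]*"/) {
            print substr($0, RSTART + 7, RLENGTH - 8); exit
        }
    '
}

# kill_peer_state SRC_IP DST_IP
# Remove every state from SRC_IP to DST_IP by hand: the same effect a
# schedule expiry has on the states of its own pass rule, applied to a state
# that some other rule created. Runs the real pfctl; needs root on the firewall.
kill_peer_state() {
    pfctl -k "$1" -k "$2"
}

# Walk the constructed sample: the WireGuard state was created by rule 57,
# not by the scheduled "Allow internet" rule, so a kill tied to that schedule
# would leave it alone.
wg_rule=$(state_rule_number 198.51.100.7 51820 "$SAMPLE_STATES")
echo "WireGuard state created by rule @$wg_rule: $(rule_label "$wg_rule" "$SAMPLE_RULES")"
# On the firewall itself you would then run:
#   kill_peer_state 192.168.1.10 198.51.100.7
```

On a live pfSense box, feed the functions the real output (`state_rule_number 198.51.100.7 51820 "$(pfctl -vvss)"`), and substitute the LAN host and the WireGuard peer's public address for the sample values. If the reported rule is not the scheduled pass rule, the surviving state is explained by which rule matched the traffic first, not by the schedule itself.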
            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.