Netgate Discussion Forum

    Scheduled firewall rule does not drop existing Valorant connection

      pestario85

      Hi,
      I'm blocking my kids' connection based on a schedule.
      I have 2 rules: the first to drop the connections all the time, the second to allow them at specific times (the scheduled one).
      While most of the connections are dropped, the game one is not. Valorant and Roblox connections remain alive (with voice chat dropped in Valorant).
      Is there anything I am missing with the rules?

      I'm on pfSense+ 22.05, but the same rules and results were with CE 2.5, 2.6, Plus 22.01.

      Below are the rules from the backup, with empty keys removed.

      <rule>
        <id></id>
        <tracker>1613394433</tracker>
        <type>pass</type>
        <interface>lan</interface>
        <ipprotocol>inet</ipprotocol>
        <statetype><![CDATA[keep state]]></statetype>
        <source>
          <address>kids_devices</address>
        </source>
        <destination>
          <any></any>
        </destination>
        <descr><![CDATA[allow kids sometimes]]></descr>
        <sched>allow_kids_times</sched>
      </rule>
      
      <rule>
        <tracker>1606551528</tracker>
        <type>block</type>
        <interface>lan</interface>
        <ipprotocol>inet46</ipprotocol>
        <statetype><![CDATA[keep state]]></statetype>
        <source>
          <address>kids_devices</address>
        </source>
        <destination>
          <any></any>
        </destination>
        <log></log>
        <descr><![CDATA[block kids always]]></descr>
      </rule>
      
        Bob.Dig LAYER 8 @pestario85

        @pestario85 Maybe IPv6 is the problem? Hard to tell for me if it is not a UI screenshot. Next time show all the rules for that interface.

          pestario85 @Bob.Dig

          @bob-dig sure, there is a screenshot.

            Bob.Dig LAYER 8 @pestario85

            @pestario85 It is hardly a firewall with only one LAN Interface. Also there is something missing at the bottom and floating.

              pestario85 @Bob.Dig

              @bob-dig ok, here is the full screenshot.
              No floating rules are currently defined.
              No other rules applied to those clients.

                Bob.Dig LAYER 8 @pestario85

                @pestario85 So it could very well be an IPv6 problem, if you have IPv6 on LAN.
                If not, I also can't see the problem.

                  pestario85 @Bob.Dig

                  @bob-dig No IPv6 configured. Problem persists.

                    pestario85 @Bob.Dig

                    @bob-dig it does show some existing connections on WAN interface

                    WAN	tcp	10.1.1.100:10171 (192.168.1.139:63967) -> 34.200.0.152:443	ESTABLISHED:ESTABLISHED	42 / 65	9 KiB / 37 KiB	
                    WAN	tcp	10.1.1.100:10534 (192.168.1.139:54451) -> 74.125.200.188:5228	ESTABLISHED:ESTABLISHED	11 / 13	1 KiB / 8 KiB
                    

                    Do I need to add any WAN block rules?

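A check for the situation in the post above, added here as an example and not code from the thread or from pfSense: it parses state-table rows in the text layout pasted above and returns the states whose internal (pre-NAT) source is one of the restricted hosts, so the same paste can be re-checked after the schedule expires. The alias membership (192.168.1.139) is an assumption taken from the pasted rows, and `lingering_states` is a hypothetical helper name.

```python
import ipaddress
import re

# Rows copied from the post above (text layout of the pfSense state table).
SAMPLE = (
    "WAN\ttcp\t10.1.1.100:10171 (192.168.1.139:63967) -> 34.200.0.152:443\t"
    "ESTABLISHED:ESTABLISHED\t42 / 65\t9 KiB / 37 KiB\n"
    "WAN\ttcp\t10.1.1.100:10534 (192.168.1.139:54451) -> 74.125.200.188:5228\t"
    "ESTABLISHED:ESTABLISHED\t11 / 13\t1 KiB / 8 KiB\n"
)

# Assumption: contents of the kids_devices alias (the post does not list them).
KIDS_DEVICES = ["192.168.1.139/32"]

# iface, proto, first endpoint, optional "(pre-NAT source)", destination, state.
ROW = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<first>[\d.]+):(?P<first_port>\d+)"
    r"(?:\s+\((?P<orig>[\d.]+):(?P<orig_port>\d+)\))?"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dst_port>\d+)\s+(?P<state>\S+)"
)


def lingering_states(text, networks):
    """Return states whose internal (pre-NAT) source is in `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or a row this IPv4-only pattern skips
        # On a NATed WAN row the LAN host is the address in parentheses;
        # on a LAN row there are no parentheses and it is the first endpoint.
        host = m["orig"] or m["first"]
        port = m["orig_port"] or m["first_port"]
        if any(ipaddress.ip_address(host) in net for net in nets):
            hits.append({
                "iface": m["iface"],
                "proto": m["proto"],
                "src": f"{host}:{port}",
                "dst": f"{m['dst']}:{m['dst_port']}",
                "state": m["state"],
            })
    return hits


if __name__ == "__main__":
    for s in lingering_states(SAMPLE, KIDS_DEVICES):
        print(f"{s['iface']} {s['proto']} {s['src']} -> {s['dst']} {s['state']}")
```
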
                      SteveITS Rebel Alliance @pestario85

                      @pestario85 Do you have "Do not kill connections when schedule expires" checked under System > Advanced on the Miscellaneous tab? (From the bottom of this doc page)

                        pestario85 @SteveITS

                        @steveits no, it is unchecked.
