Firewall Rules Not Being Enforced
-
I know there are a few threads on this issue, but none that I have found are recent or specifically address what I am experiencing. For the record, I am using as input the pfSense documentation at https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html, https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html and https://docs.netgate.com/pfsense/en/latest/firewall/configure.html.
So my specific issue is the following. I am trying to set up a basic rule that allows internet access to a device during specified times on specified days, and rejects anything outside the scheduled times/days.
Initially the device had a DHCP-assigned IP; before setting up the rules and alias, I set the device up with a static IP.
Once that was done, I created a rule for that device using the assigned static IP address and specifying the schedule I had set up.
The short story is that the rule is not controlling access per the schedule as configured. To cover my bases, I set up a rule and I set up an alias for the same device using the static IP to see if there would be any difference, and there was not.
To further troubleshoot, I created 2 rules (reject and pass) for the IP and the alias using the same schedule.
This was done to see if anything would happen, thinking that if one didn't produce a result the other would, and from there I could dive in and troubleshoot, but again there was no impact on internet access.
I was thinking about creating a floating rule and applying it to all interfaces, but after reading up on it I decided to seek input from the forum before going that route.
I have included screenshots of the schedule, rule and alias so someone can see what I am not, as this is not something I have done before.
Schedule: The days/hours set are to allow internet access (pass); anything outside these days/hours is to be rejected.
Alias: Configured with the device's static IP.
Rules: To troubleshoot, I created rules using both the IP and the alias, and both reject and pass, to see if there was any impact; there was none. I set them on LAN, which seemed logical. I only included one of the rules to limit clutter; each is set up the same way, only the "action" and "source" differ. Originally I had the "destination" set to "network/alias", which didn't yield a result, and then changed it to "this firewall" thinking it would work, but it did not.
Any thoughts or suggestions appreciated. Thanks.
-
@LPD7 "This Firewall" is the pfSense itself. If the goal is to let this device access the Internet, the destination needs to be Any (*).
"This Firewall" would kind of work, as blocking that would block the pfSense DNS resolver, but not public DNS or DoH in browsers.
-
@SteveITS Ok, so switching to ANY should resolve the issue? I will give that a try. Thanks for the input; I will update with the results.
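To make the point in the reply above concrete, here is an added example (not part of the thread, and not pfSense code) that simulates pfSense's first-match, top-down evaluation of the LAN rules described in the thread. It assumes a LAN address of 192.168.1.1 for the firewall, 192.168.1.50 for the device (the alias), a Mon-Fri 16:00-20:00 schedule, and, following Netgate's time-based rules documentation, treats a scheduled rule as absent from the ruleset while its schedule is inactive. It shows why a reject rule with destination "This Firewall" never matches traffic to the Internet (the packet falls through to the default "allow LAN to any" rule), what changes with destination Any, and the rule pair that achieves the original goal: a scheduled pass rule followed by an unscheduled reject rule for the same source.

```python
"""Simplified model of pfSense per-interface rule evaluation (first match wins)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Assumed addresses for the illustration only (not taken from the thread).
FIREWALL_LAN_IP = ip_address("192.168.1.1")     # the pfSense LAN address ("This Firewall")
DEVICE_ALIAS = ip_network("192.168.1.50/32")    # the device's static IP, as the alias would hold it
INTERNET_HOST = ip_address("1.1.1.1")           # any public destination


@dataclass
class Schedule:
    """Weekdays (0=Mon .. 6=Sun) and an hour range during which the rule exists."""
    days: frozenset
    start_hour: int
    end_hour: int  # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "reject"
    src: Union[IPv4Network, str]     # a network or "any"
    dst: Union[IPv4Network, str]     # a network, "any" or "this_firewall"
    schedule: Optional[Schedule] = None

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address, when: datetime) -> bool:
        # A scheduled rule is treated as absent from the ruleset outside its schedule.
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.src != "any" and src_ip not in self.src:
            return False
        if self.dst == "this_firewall":
            return dst_ip == FIREWALL_LAN_IP   # only traffic addressed to pfSense itself
        if self.dst != "any" and dst_ip not in self.dst:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: IPv4Address, dst_ip: IPv4Address,
             when: datetime) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, when):
            return rule.action, rule.name
    return "block", "implicit default deny"


BUSINESS_HOURS = Schedule(days=frozenset(range(5)), start_hour=16, end_hour=20)  # Mon-Fri 16:00-19:59
DEFAULT_LAN_ALLOW = Rule("Default allow LAN to any", "pass", "any", "any")

# 1. The thread's non-working rule: destination "This Firewall" never matches Internet-bound
#    traffic, so the packet falls through to the default allow rule whatever the schedule says.
ATTEMPT_THIS_FIREWALL = [
    Rule("Reject device -> This Firewall (scheduled)", "reject", DEVICE_ALIAS, "this_firewall", BUSINESS_HOURS),
    DEFAULT_LAN_ALLOW,
]

# 2. The same rule with destination Any: it now matches, but only while the schedule is active.
ATTEMPT_ANY = [
    Rule("Reject device -> any (scheduled)", "reject", DEVICE_ALIAS, "any", BUSINESS_HOURS),
    DEFAULT_LAN_ALLOW,
]

# 3. The stated goal (pass inside the window, reject outside it): a scheduled pass rule followed
#    by an unscheduled reject rule for the same source, both placed above the default allow.
GOAL = [
    Rule("Pass device -> any (scheduled)", "pass", DEVICE_ALIAS, "any", BUSINESS_HOURS),
    Rule("Reject device -> any", "reject", DEVICE_ALIAS, "any"),
    DEFAULT_LAN_ALLOW,
]


def device_to_internet(rules: List[Rule], when: datetime) -> str:
    """Action applied to a new connection from the device to a public host at the given time."""
    return evaluate(rules, DEVICE_ALIAS.network_address, INTERNET_HOST, when)[0]


IN_WINDOW = datetime(2024, 1, 9, 17, 0)      # Tuesday 17:00
OUT_OF_WINDOW = datetime(2024, 1, 9, 22, 0)  # Tuesday 22:00
WEEKEND = datetime(2024, 1, 13, 17, 0)       # Saturday 17:00

if __name__ == "__main__":
    for label, rules in (("This Firewall", ATTEMPT_THIS_FIREWALL), ("Any", ATTEMPT_ANY), ("goal", GOAL)):
        for t in (IN_WINDOW, OUT_OF_WINDOW, WEEKEND):
            print(f"{label:13s} {t:%a %H:%M}: {evaluate(rules, DEVICE_ALIAS.network_address, INTERNET_HOST, t)}")
```

The model only decides whether a new connection is allowed; it ignores protocol and port, floating rules, and connections that already have a state table entry, which continue after a rule or schedule changes unless their states are cleared (pfSense has a "Schedule States" option under System > Advanced > Miscellaneous for exactly this). Run the block directly to print all nine cases.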