Rules + Schedules Ineffective?



  • Hello All!

    Another item that I would like some assistance with, if possible...

    Setup:

    Modem = pfSense = WLAN / LAN.

    Rules on the pfBOX seemingly fail to take effect without me resetting the States table on the firewall.  For example: to allow the studying son access to ARMA and Teamspeak during his breaks, I have created a rule that blocks access during study times.  The schedule times are 0:00 - 12:00 and another 14:00 - 20:00.  The rule is set up to Block, LAN interface, Protocol is ANY, source is the Son's Alias (IP address of the PC), destination is the Teamspeak Alias (IP of the server used).  The schedule is noted beneath with the above times.

    To double-test and make sure I am not inverting the times and getting access when I ought not (and vice versa), I created a very simple rule to block MY PC.  The symptoms below remain.

    Now if I reset the state tables, the connection is broken and cannot be re-established until the allotted time.  BUT!  Once a connection is established, it is not severed when the rule comes into effect.  I can sit and watch the rule become active, but I can also sit and watch the access / link persist.  So I then created a reciprocal rule on the WAN with the SAME schedule but reversing the aliases, so the source is the Teamspeak Alias and the destination is the Son's Alias.  I read in a thread that a bi-directional link could leave the access open, so best to cover both bases.  I also read to ensure I don't have floating rules (none), no other PASS rules above it (none) and that the source and destination aliases are correct (done) - otherwise I would not get blocked after resetting the states.

    Hope I have provided enough information.  If anything else is needed, just reply!

    Thanks!

    EDIT:
    My test period is in effect now, BUT I still had the link working 100%.  I exited the programme and then returned to it and BINGO!  I cannot establish a link.  So the rule is working to some degree.  It appears to be incapable of terminating the link / session or enforcing itself.  Perhaps I am missing something overly simple that I am looking right past?  :)



  • On the block rule, there is an advanced option to keep states. Set this to none. Then re-test. Make sure that this block rule is above all other rules.



  • @podilarius:

    On the block rule, there is an advanced option to keep states. Set this to none.

    Don't do that; it has no relation to block rules, and on pass rules in circumstances like this it will just break things in general.

    Do make sure the block rule is above the rule that passes traffic.  You'll probably also have to change your logic around: pass rules on a schedule have their states killed when the schedule expires, but block rules on a schedule don't touch states.  You could hack in a state table flush in cron as a workaround, but if you can determine a way to make that work by putting a pass rule on a schedule rather than a block, that will handle the state killing granularly and automatically.



  • @cmb:

    Don't do that; it has no relation to block rules, and on pass rules in circumstances like this it will just break things in general.

    I read about the block rules having no relation to the states.

    @cmb:

    Do make sure the block rule is above the rule that passes traffic.  You'll probably also have to change your logic around: pass rules on a schedule have their states killed when the schedule expires, but block rules on a schedule don't touch states.  You could hack in a state table flush in cron as a workaround, but if you can determine a way to make that work by putting a pass rule on a schedule rather than a block, that will handle the state killing granularly and automatically.

    Ok, so let me get this straight.  I have two rules: one for stopping the access and another for allowing the access.  BUT!  I place my "Allow" rule above the "Block" rule so that it lets the traffic get out until its time expires, at which point its state will expire and no longer be applied.  The next rule that matches the traffic is a universal Block rule, so it is all stopped.  Correct?

    And yes, the BLOCK rules are all above my pass rule for letting traffic get out.

    Thanks again!



    I guess it works for me since I am blocking an iPod, which doesn't keep a connection open all the time.  It turns off the radio to save power, I am guessing.  I will keep this thread in mind if I ever need to do this.



    Ran a test.  Created a PASS rule for 15 minutes that allowed Teamspeak to connect.  Modified the BLOCK rule to stop ALL Teamspeak traffic.  Prior to the 15 minute window, access was blocked.  During the 15 minute window, access was permitted and, wait for it... AFTER the 15 minute window expired, access was still permitted.  :-\  To check that the rules are correct and will stop, I reset the states and bingo!  No connection.

    Next I will try a similar approach on the WAN side of the network as per comments I made above.

    EDIT:
    OK.  Tried the WAN rule and same results.  TS still persists.  Then, to test that I don't have a stupid rule somewhere (there are only 4 to review), I reset the states, so that if a rule WAS letting the traffic through it would still do so - but resetting kills the link!  I can only draw the conclusion that the rules work and are applied in the right order.

    NEXT was to try the dangerous option above, setting the state to "NONE" in Advanced.  Same result.  TS still persists.  Reset states and POP!  No connection.  Further, the connection remains down until the allow window comes around, and then it connects and remains connected even when the allow window closes and the block rule ought to apply.

    I have even tried States=NONE in Advanced on the WAN side.

    Resetting the rules and then rebooting has not helped.



  • What version are you running?



  • @podilarius:

    What version are you running?

    2.0.1-RELEASE (i386)
    built on Mon Dec 12 18:24:17 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Copied from the Dashboard.

    More information.  Other rules that should have prevented TS from gaining access failed along with other rules such as those to block ARMA.  Also, I had posted a thread weeks ago about Minecraft getting past - which it still does.

    Since the Minecraft post, I have reinstalled (three times) pfSense and have duplicated the problem after each reinstall.  Is pfSense broken?

    Only two NICs in the box.  Modem cannot be reached - tried and checked.  IP addresses are mapped to MAC addresses and a block that prevents unauthorised IP addresses from getting out - so that option is deleted.  When I capture packets or watch how the LAN connects, the IPs in the alias are those that connect successfully and retain their connection when the schedule expires.

    Not sure what else I can offer...



    Anyone have a fix for this?  I have the same trouble with Minecraft and others.  When the scheduled time to block Minecraft and many other sites arrives, any open sessions continue...  If you disconnect, it will correctly block any new connection attempts until the rule is no longer 'scheduled'.

    I have a client that has had trouble with some WiFi squatters on their open connection, and I am able to successfully block any new connections after hours, but open connections remain.

    Any ideas?  Thanks!

    BTW - running 2.0.1

    2.0.1-RELEASE (i386)
    built on Mon Dec 12 18:24:17 EST 2011
    FreeBSD 8.1-RELEASE-p6



    Same problems here.  The rules prevent new connections, but do not interrupt connections already in progress.  So most anything at Google using Chrome will continue to work after the blocking schedule because it does everything over a single connection.

    Trying the state tracking:none next.



  • @wscott:

    Same problems here.  The rules prevent new connections, but do not interrupt connections already in progress.  So most anything at Google using Chrome will continue to work after the blocking schedule because it does everything over a single connection.

    Trying the state tracking:none next.

    Yes - I have been able to do the same thing.  New connections blocked, current connections persist.  Is pf broken or a bug or???



  • Please post a screenshot of your rules.
    Most probably the ordering of the rules is wrong.

    If you follow the explanation of cmb it will work.



  • I just tried to set this up for myself and also can't make pfSense disconnect SOME active connections when the allowed schedule time runs out.

    I am using pfSense 2.0.1 12/14/11 and I have attached a screen shot of my rules.

    The Always Allowed rule includes a list of IP addresses that are always allowed (AlwaysOut).  This works as expected.

    The Allow Internet rule is just as simple as it looks.  It allows Internet access during the 'School Allowed' schedule.  It works to allow access but does not cut off SOME of the already established connections.

    The No Internet rule basically just stops everything - overriding the default allow LAN to any rule.

    The problem is that the Allow Internet rule will allow some things to stay connected.  Skype and Minecraft, for example, will stay connected after the schedule should take the rule out of play, as do already established Minecraft server connections.  New connections are blocked.  Most streaming radio, but not all, does drop once the schedule takes the rule inactive.

    Am I just doing something stupid or is there a problem with pfSense?




  • I have this EXACT problem with pfSense 2.0.1 (i386), trying to schedule my son's access to the internet. World of Warcraft connections still persist after my block rule has been turned on by the scheduler (which sits above all other rules for the LAN interface) until my son logs out. Has anybody figured out a fix for this??



    The problem is that 2.0.1 doesn't cut existing network sessions.
    I haven't tested 2.1 yet, but if I recall correctly JimP has said that it should do the job.

    Have you tried doing a filter reload after the scheduler kicks in?



  • Just another Dad here facing the same online addiction issue of my son.

    Version -
    2.0.2-RELEASE (i386)
    built on Fri Dec 7 16:30:14 EST 2012
    FreeBSD 8.1-RELEASE-p13

    Packages:
    HAVP antivirus 0.91_1 pkg v1.01
    Lightsquid 1.8.0 pkg v.2.32
    squid 2.7.9 pkg v.4.3.3
    squidGuard 1.4_4 pkg v.1.9.2

    I have been playing with pfSense for about a month.  Everything works like a charm except time-based restriction.  My son plays a lot of online games and I cannot get his butt off the computer.  I'm the IT guy in the house and my wife is the boss.  Anyway, we want to set up time-restricted access on the online games but allow WWW access so he can do his homework (well, really?).  I have put over 12+ hours into trying everything to get it to work, to no avail.  I've read many discussions but just found this thread an hour ago.  I'm glad it's not just me finding the problem.  In fact, I have observed the exact same thing as you guys said here.  Regardless of "pass" or "block" rule, the existing state will not be killed.  Under System\Advanced\Misc, the "schedule states" option is NOT checked, meaning it should clear the state when the time definition expires.  However, it is not working as it should.  Basically, it just lets the current state live forever.  I can duplicate this 100%.

    I also tried the time-based ACL in squidGuard.  But it basically only filters HTTP traffic...

    I thought about using QoS to squeeze down the online game bandwidth, but it is not time-based...

    I thought about setting up an old Cisco router to throttle bandwidth just for him, but the config is clumsy, especially when the boss asks me to adjust the blocking times...

    I have no idea what to try next.  I'm really tempted to put in Norton Online Family for time restriction.  I don't prefer this way, but it may be the only way for now.

    Has anyone in this discussion worked something out yet?

    -AC



    There is a cron scheduler; I wonder if you could set up a state flush just a minute after your block rule goes into effect.



  • Just thought I'd check in and see if anyone has been able to get pfSense to disconnect active sessions once the allowed time has expired.  I read through the info on 2.1 but didn't see any mention of it.

    I'll be trying it out next week sometime and will post back with the results, but by the looks of the documentation the problem will still exist with 2.1...  Sadly.

    The scheduling feature is a good one for anyone trying to get control of their kids' Internet access, but it is also important in the business world.  I have a client that wants to keep an open network during business hours but then shut it down when the office closes at 5:00.  They still want certain machines to be live on the Internet after hours.

    I have been unable to get pfSense to close the correct sessions but allow others to continue.

    Here's hoping it was somehow addressed in 2.1.



    I haven't tested whether active sessions can be closed, but an alternative might be to throttle back to just 1 bit per second, since you can't throttle back to 0; that might be as good.

    Have you also seen this thread?
    http://forum.pfsense.org/index.php?topic=7406.0

    I'm trying to find the webpage I found a while back when I wanted to do some traffic shaping, which allowed me to set up rules so my website traffic has priority over LAN users on a schedule; this worked well for me.

    If I find it again, I'll post the link.

    Edit:
    I think this was the webpage I used, also note in the comments a mention of using schedules.
    http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/



    My solution looks like this (attached image) using:

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013

    First I created aliases for the local IP addresses that are affected by time-based restrictions.  I created 2 aliases, one for allowing internet and the second for stopping internet.  In both aliases I put the same IP addresses.  Of course, don't forget to put those addresses in static DHCP leases.

    Then I created 2 schedules; in the first I added the time range (05:00 - 23:59) when internet is allowed, and in the second the time range when internet is not allowed (00:00 - 05:00).

    Be sure that option in System->Advanced->Miscellaneous - Schedules is NOT checked.

    In Firewall->Rules->LAN I created 2 new rules right after the default anti-lockout rule.

    The first rule allows traffic (PASS) on interface LAN, IPv4, protocol: any, Source: alias for allow, with the schedule to allow internet.  The second rule is to BLOCK on interface LAN, IPv4, protocol: any, Source: alias for stop, with the schedule to stop internet.




  • Does it also work without the "Allow_Internet" rule?
    Without the "Allow_Internet" rule, traffic will be allowed by the ordinary "allow all on LAN" rule at times when it is not blocked. But maybe in that case the system will not know which are the states that need to be "switched off" when the block rule comes into effect.
    Would be interesting to know - I should try it myself  ;)



  • @phil.davis:

    Does it also work without the "Allow_Internet" rule?
    Without the "Allow_Internet" rule, traffic will be allowed by the ordinary "allow all on LAN" rule at times when it is not blocked. But maybe in that case the system will not know which are the states that need to be "switched off" when the block rule comes into effect.
    Would be interesting to know - I should try it myself  ;)

    I tried it without that "Allow_Internet" rule and then open states remain open... somehow.

    Also I noticed that some states from floating rules remain open (sometimes) with that both allow and stop rules active.

    Thinking of moving those allow/stop rules to the floating or WAN area to see what will happen.



  • @podilarius:

    There is a cron scheduler, I wander if you could setup a state flush just a minute after your block rule goes into effect.

    Well, that's exactly what I did!

    My solution is as follows:

    • Create an alias with all the IPs that should be blocked.  Be also sure that you have defined the corresponding static mappings in your DHCP server configuration.  Let's call this alias 'Children'.

    • Create a schedule named 'AccessDenied' and define it to whatever you need. In my case it's 22:00 - 07:00, each and every day.

    • Create a rule on your WAN interface like this: Action Block / Protocol Any / Source Any / Destination 'Children' / Schedule 'AccessDenied'

    • Create the reverse rule on your LAN interface: Action Reject / Protocol Any / Source 'Children' / Destination Any / Schedule 'AccessDenied'

    • As some of you already noted, these rules will only block/reject new connections but won't kill existing ones.  This is because pfSense is doing 'stateful packet inspection' (SPI).  This means that, to determine if a packet should pass through, it will first look at the existing states and then look at the firewall rules.  If the states show that the packet is an answer to a previously authorized packet, it will pass through, regardless of any rule.

    So, in addition to the rules we already put in place, we also need to kill all the states from any IP belonging to the 'Children' list.
    I wrote the following (quick and dirty) script to do the job...

    
    for i in `pfctl -t Children -Ts`
    do
    	echo "Killing states from/to $i"
    	pfctl -k $i
    done
    
    

    ... and put it in /etc as pf_KillStates (be also sure to chmod it with the value 777).

    • Finally, create a new cron job to launch /etc/pf_KillStates every day at 22:01 (1 minute after the beginning of the 'AccessDenied' schedule).

    Note that it seems that the command

        pfctl -t Children -Ts

        pfctl: Table does not exist.

    Hope this will help some dads  ;)
    
    PS: You may find it useful to have a look at the pfctl manpage (as I did!)
    http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl
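    A more defensive version of the cron job described above, added here as an example; it is neither derf's script nor pfSense's own code.  It keeps the alias name 'Children' from the post and assumes pfctl lives at /sbin/pfctl and that the alias holds IPv4 addresses.  Beyond the loop above it does three things a practitioner wants from a scheduled flush: it treats the "Table does not exist" case as an error (pf only materialises an alias table while a loaded rule references it, so a missing table means the schedule rule is not active and nothing would be killed), it kills states in both directions rather than only those the child's PC originated, and it counts what is still in the state table afterwards via pfctl -ss so the cron output shows whether the flush actually worked.  PFCTL can be pointed at a stub command for a dry run.

    ```sh
    #!/bin/sh
    # Added example: flush pf states for every member of a pfSense alias table,
    # then report what survived.  Not derf's script and not pfSense code.
    # Assumptions: alias "Children" (from the post), pfctl at /sbin/pfctl,
    # IPv4 addresses only.  PFCTL may be overridden with a stub for a dry run.

    PFCTL="${PFCTL:-/sbin/pfctl}"
    TABLE="${TABLE:-Children}"

    # Print the members of a pf table, one per line.
    # pf only creates the table while a loaded rule references the alias, so a
    # missing table means the schedule rule is not active (or the alias is unused):
    # return 1 so the caller can report it instead of silently killing nothing.
    table_members() {
        "$PFCTL" -t "$1" -T show 2>/dev/null || return 1
    }

    # Kill states for one host in both directions.  pfctl's first -k is the state
    # source and the second the destination, so:
    #   -k HOST              states whose source is HOST (the child's outbound sessions)
    #   -k 0.0.0.0/0 -k HOST states from anywhere to HOST (e.g. via port forwards)
    kill_states_for_host() {
        "$PFCTL" -k "$1" >/dev/null 2>&1
        "$PFCTL" -k 0.0.0.0/0 -k "$1" >/dev/null 2>&1
    }

    # Count states still involving HOST by parsing "pfctl -ss", whose lines look like
    #   all tcp 192.168.1.10:51234 -> 203.0.113.5:9987   ESTABLISHED:ESTABLISHED
    #   all tcp 203.0.113.1:51234 (192.168.1.10:51234) -> 203.0.113.5:9987 ...
    # Every address:port field is split on ":" and the address compared whole, so
    # 10.0.0.1 never matches 10.0.0.10.
    remaining_states() {
        "$PFCTL" -ss 2>/dev/null | awk -v host="$1" '
            {
                hit = 0
                for (i = 3; i <= NF; i++) {
                    f = $i
                    gsub(/[()]/, "", f)
                    split(f, a, ":")
                    if (a[1] == host) hit = 1
                }
                total += hit
            }
            END { print total + 0 }'
    }

    # Flush every member of TABLE and print one "<ip>: N state(s) remaining" line
    # per host.  Returns 1 (with a message on stderr) when the table does not exist.
    kill_table_states() {
        members=$(table_members "$1") || {
            echo "table '$1' does not exist; is a loaded rule using that alias?" >&2
            return 1
        }
        for ip in $members; do
            kill_states_for_host "$ip"
            echo "$ip: $(remaining_states "$ip") state(s) remaining"
        done
    }

    # Only run when executed as the installed script (e.g. /usr/local/bin/pf_kill_states.sh
    # from cron); sourcing the file just defines the functions.
    case "$0" in
        *pf_kill_states*) kill_table_states "$TABLE" ;;
    esac
    ```

    Save it as pf_kill_states.sh (the trailing case statement keys on that name), make it executable for root only (mode 0700 rather than 777, since anything writable by every local user and run from root's cron is a privilege-escalation path), and schedule it a minute after the 'AccessDenied' window opens, exactly as the 22:01 cron entry above does.  A non-zero count in the output after the kill means a new state was created between the two commands, which is the case to look at in the state table.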


  • Create a rule on your WAN interface like this: Action Block / Protocol Any / Source Any / Destination 'Children' / Schedule 'AccessDenied'

    Note: This rule is not needed in any normal installation.  The WAN will already have a general block at all times, and in any case there will be no traffic initiated from the real public internet with destination IPs in 'Children', because 'Children' is a bunch of private IP addresses in the LAN behind pfSense.



    Thanks for your precision, Phil.
    It will help me simplify my ruleset a bit.

    Merry X-Mas  :)



  • @podilarius:

    There is a cron scheduler, I wander if you could setup a state flush just a minute after your block rule goes into effect.

    Hello One and All,

    That was how I got around the drama.  The downside is that when holidays arrived, I forgot to remove the cron job to kill all states.  Unhappy son (and me as well at times) until I woke up.

    I am relieved that the thread I started was not just me being dull or failing "to see the forest for the trees" and glad it has triggered some discussion.

    @derf, I am about to upgrade from 2.0.3 to the latest, and once that is complete I will go through your steps.  I also understand phil.davis's remark about the WAN element.

    Nonetheless, does anyone know whether or not this part of pfSense will be (or has been) addressed?  As for the latter part of that question, I will soon find out... upgrading in 5 minutes.  Wish me luck!

    Hope we all had a fab Christmas and may 2014 be superb!!!



    Good luck OzRattler, may all your overs be wicket maidens... ;-)



    I would like to see that in the base code of a rule with a schedule.
    I have used this and it works great.  Thanks.

    Phil.Davis, this was not to block incoming, but to block outgoing once the block schedule was in place.  While it is true that it is not needed in normal rule sets, any rule that has a schedule on it needs to have its states killed once it is supposed to be blocking, or at least an option to kill the states.  I can think of a situation where the rule should not drop states: a rule sending traffic to another shaping queue.  This might help make sure the correct traffic shaping is used, but would interrupt the current session, which is probably unwanted.



  • @pere:

    I tried it without that ""Allow_internet" rule and then open states remain open…. somehow.
    Also I noticed that some states from floating rules remain open (sometimes) with that both allow and stop rules active.
    Thinking of moving those allow-stop rules to floating or wan area to see  what will happen.

    Pere, did you make any headway with your workaround for the "Schedule States" bug?  I thought I'd re-invented your solution, but it only worked in testing.  When I dropped my rules into a live environment they failed to remove active states.  I feel that I will need to hardcode a crontab script to call pfctl.

    On a side note… can anyone point me to the documentation for pfSense's version of the pfctl command?



  • I'm on 2.1.5 and the issue still persists. At 8pm I want the connections to be passed over to a 2nd vpn since the first vpn gets very slow at night.

    It correctly works if I turn a machine on past 8pm, the connection goes through the 2nd vpn. However for computers already on, they don't move over.

    Is there a fix without using cron?


  • @NotAnAlias:

    Is there a fix without using cron?

    Use 2.2

    https://redmine.pfsense.org/issues/3558



  • Schedules do work properly with no hassle on 2.2 release.
    Thanks pfsense devs  :D



  • They still don't work quite right for me in 2.2-RELEASE. I set up a schedule for 5pm to 10pm, then created two rules: one passes TCP packets, the other passes UDP packets. Outside the scheduled time the rules don't exist and the default block rule drops packets. When 10pm rolled around, the TCP rule took effect, the TCP states were reset, and further TCP connections were blocked. But the UDP states continued operating and the game the rule was intended to disable continued running.

    I ran pfctl -s rules from the console and the pass rules for both TCP and UDP are gone, so it's apparently just that the existing UDP states were not reset when the schedule expired.



  • Updating that I have today moved across to 2.2 and just fixing other minor issues - such as the Console won't display options etc.

    I will be watching how the Schedules go especially since I toughened them up via CRON and flushing ALL states after the start time of any set schedule.

    Fingers are crossed!

    Oz



  • I'm on 2.2.6 and behavior persists with certain state types. I understand the logic behind the handling of states, but the schedule should work.

    Have a son who has learned to use betternet vpn, which keeps a state open, unfortunately. In turn, this allows him full internet access after he's supposed to have it.

    EDIT:
    The bug that was supposed to address this (I will find the number and add it to this post) seems not to have addressed the issue at all.

    In System - Advanced - Misc (which BTW is a stupid place to bury this option), the "schedule states" option shows an unchecked checkbox by default.  According to the explanation:

    "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections"

    The default behaviour of schedules should be as explained, but active states remain persistent after schedule block occurs.

    Is this a reopened bug issue?  I don't think the bug should be closed.



  • pfsense - 2.2.6

    I've removed the default allow rule and set up allow rules permitting access.

    Works great for all but UDP.

    There appears to be no solution, so I'm now going to play with placing the default allow back in and utilising the traffic shaper to kill data flow between certain times.
    I have my Fingers crossed.

    If there's a thread that I've missed with a solution (apart from the cron job) please let me know!

    Thank you!



  • Has this been fixed or has someone found a reliable work-around?



  • I'm on 2.2.6 and still experiencing this issue.. : https://forum.pfsense.org/index.php?topic=108943.0
    Waiting for a solution...



  • Any updates?

    I am having an issue using a scheduled block on Steam ports - states not clearing automatically.



  • Could someone please have a look at my LAN rules?

    I have Steam ports as an alias 'Steam' on 2x different schedules.

    The goal is to block Steam at a scheduled time; however, the states do not flush.

    Am I doing something wrong?