Scheduled Blocking
-
Hello, I have been requested to block internet access between certain times of the day for the kids of some family friends. I have found that while the system blocks new connections it doesn't block already active states. I have found various other posts that have the same issue but they are either never resolved or the marked solution doesn't work for me.
Here I have a screen shot of the rules and I have also unchecked the box under the advanced options. I am hoping I have missed something stupid but as a tech for a cruise line, I hope it stays secret if I have.
Please help a desperate technician who is not willing to be beaten.

-
IIRC, the solution to this problem was to block them by default and then set times when they are allowed, instead of the other way around where you allow by default and use the schedule to set blocks.
-
That is what I have done. On the image they are in pairs, so the alias Rahne is first allowed per the schedule, then directly below there is a block rule for her alias. The same is the setup for the alias Paige.
-
Perhaps post your schedule settings just to confirm them?
-
@KOM:
Perhaps post your schedule settings just to confirm them?
Below are 2 images, one showing that the schedule allow rule expires at the correct time, the second showing that the states are still active even though the time has expired.
I have attached a third photo of the rules with all the descriptions filled in to make it easier to understand.
I am so confused right now. Any other info you need let me know.
Edit: sorry the range for alias "Rahne" is 10.1.103.0/24



-
Hmm. I don't suppose you've checked the Schedule States box under Setup - Advanced - Miscellaneous - Schedules? Just for laughs I would also reboot the box and then test it again. If I have time tonight, I'll see if I can reproduce it.
-
This issue has been persistent now for over 3 weeks with various reinstalls, reboots and countless hours of screaming.
I assume this is the option you mean; yes, it's unchecked.
-
I tried it on a 2.2.5 VM and it seems to work. I created a schedule for only today, 20:30-20:45. Then I created one firewall rule to allow access for my Lubuntu VM linked to my schedule, and another rule below it to block access. I could go anywhere until 20:45 when everything died, exactly as expected. Upgrade and maybe your problem will disappear.
-
@armss001, this is practically the same setup I use at home for controlling kids access, netflix access and so on, and it works flawlessly.
I would suspect that you have a situation where traffic is leaking around the firewall.
Please post details of how the network is setup, draw a diagram on a napkin and take a picture if you have to.
My setup is as follows:
Each kid has their own VLAN interface and subnet.
LAN port on pfSense has VLAN interfaces tagged for each kid, plugs into managed switch.
Enterprise grade wireless APs dole out one SSID per kid per VLAN, and roaming works too.
Active directory controls who can login to wireless and PCs, and when, and GPO controls what devices get what wireless settings.
DHCP hands out static leases to known devices.
pfSense controls what can access Internet and when, forces use of squid proxy + dansguardian, and in-house mailserver (all running on another box, I prefer not to add "heavy" packages to pfSense)
pfSense also has a VLAN for guest access with a captive portal, which is also fed to wireless APs via managed switch. They don't know the password, and their devices are blacklisted from the guest SSID.
etc…etc...etc...
<mad scientist laugh> Their "tech savvy" friends have given up trying to work around the controls...
-
@armss001, this is practically the same setup I use at home for controlling kids access, netflix access and so on, and it works flawlessly.
I would suspect that you have a situation where traffic is leaking around the firewall.
Please post details of how the network is setup, draw a diagram on a napkin and take a picture if you have to.
I have set them up using Ubiquiti as their main network as they are in a large house and I have used them in the past in larger projects, but the downside is that the UniFi Security Gateway has very limited functionality. So my network is as follows:
Internet Modem (192.168.0.1/24)
pfSense (10.0.0.1/8)
TP-Link Unmanaged Gb Switch
4 UAPs - Shared SSID (UAPs have 4 SSIDs)
So it's a simple setup, all data to the internet must be going through the pf box to access the internet. A dedicated SSID would not work as hard wired connections would not be limited. All devices that are known are given static IPs within their respective alias and then the firewall should take effect, which it does, for new connections only. I am looking for how to fix the states issue; if I manually run "pfctl -k 10.1.103.0/24" this removes the active states and they are then blocked until the schedule allows them full access again. However, trying to run this as a cron seems to fail.
-
@KOM:
I tried it on a 2.2.5 VM and it seems to work. I created a schedule for only today, 20:30-20:45. Then I created one firewall rule to allow access for my Lubuntu VM linked to my schedule, and another rule below it to block access. I could go anywhere until 20:45 when everything died, exactly as expected. Upgrade and maybe your problem will disappear.
Could you post a screen shot of the rules and their contents so I can look for anything I may have differently. Also is 2.2.5 stable, as I am on 2.2.4 and when I search for an update it says I am on the latest version.
Edit: So version 2.2.5 just came available and I still have the same issue. Going to try a clean install with the new version.
Thanks for all your help so far.
-
Okay so I haven't got time today to look into reinstalling but I shall test that tomorrow. I have however looked at the states table and noticed that while the schedule now clears states originating from LAN, it seems to miss them on the WAN. I don't know if this is an issue as this is not my area at all, I normally work on show control networks. But here is a screenshot to give examples of what my state table looks like, 10.1.100.4 being the laptop I have been testing with and 192.168.0.23 being the IP address given from the modem.
When you tested did you use Skype or a game that keeps active states? Schedules work for me for blocking internet and stopping NEW Skype calls after the time. However, if the call was initiated before the cut off it will stay connected even after the schedule expires.
Thanks again.
-
Could you post a screen shot of the rules
Sorry, it was just a test config and I've already blown it away. The rules were basically like yours.
-
Internet Modem (192.168.0.1/24)
pfSense (10.0.0.1/8)
TP-Link Unmanaged Gb Switch
4 UAPs - Shared SSID (UAPs have 4 SSIDs)
So it's a simple setup, all data to the internet must be going through the pf box to access the internet. A dedicated SSID would not work as hard wired connections would not be limited. All devices that are known are given static IPs within their respective alias and then the firewall should take effect, which it does, for new connections only. I am looking for how to fix the states issue; if I manually run "pfctl -k 10.1.103.0/24" this removes the active states and they are then blocked until the schedule allows them full access again. However, trying to run this as a cron seems to fail.
There is an inconsistency…
You said your pfSense is on 10.0.0.1/8
But in several other screenshots and messages you are referring to 10.1.103.0/24.
Subnet masks MUST match for all devices on the same network.
-
There is an inconsistency…
You said your pfSense is on 10.0.0.1/8
But in several other screenshots and messages you are referring to 10.1.103.0/24.
Subnet masks MUST match for all devices on the same network.
Sorry for the misunderstanding, there is no actual difference in the subnet, I was just specifying the range of the alias. All devices are on the subnet of 10.0.0.0/8; it's just easier for the end user if they have a range of IPs they can assign to each child.
-
If it is of any help, this is the ruleset on of one of my interfaces:
I use only aliases for everything to keep it clean.
Rules are as follows:
-
Block OUT is just a list of blacklisted destinations
-
Allow access to internal DNS Server
-
Allow access to internal AD Server
-
Allow access to printers
-
"Disabled" Rule controlled via automation with in-house Asterisk PBX to enable/disable Internet via a code dialed from any phone… very much wife approved :D
-
Rule to allow access to in-house mail + proxy server, can also be put on a schedule, but not for this child.
-
There is a block to net_internal so there is no way other subnets can be accessed unless specifically allowed above this rule
-
There is a block to RFC1918 (non-routables) so that if ever I add other testing networks (and didn't specify it in net_internal), there is implicitly no access
-
The "Allow the rest" rule is on a schedule which decides when it it is open. In this case, this child does not have to use the proxy, so the subnet is allowed out for anything.
-
ICMP is always allowed (they haven't figured out how to use an ICMP tunnel to bypass my ruleset yet), but as 2 rules because for some reason it doesn't work properly with IPv4 and IPv6 specified in the same rule.
-
Lastly block everything else.
Also using DHCP to specify the location of wpad.dat so PCs pick up the proxy server (again, per-subnet).
-
Thanks, I am still concerned that nothing is actually fixing the problem. I have the allow rule scheduled and I have everything set up the same, I am just unable to get the states on the WAN interface to drop along with those on the LAN. Is there a setting I may have missed? Should I place an allow/deny rule on the WAN side? Should I rule running a proxy? Could I use Squid to block internet access??
Also should I be changing any advanced settings on the block rule, i.e. changing the state option?? Are there any comments about the way the states table looked? I am curious as to why the IP of the machine is in brackets and the interface IP is the main destination.
-
In my experience, when the schedule closes, any outbound open connections are dropped.
Inbound connections are implicitly dropped because nothing can reply to them, but they might still show in connection table.
You can try ping, skype, google hangout, etc; anything generating continuous traffic when the schedule closes; access should stop at that point.
I also use a schedule to control Roku with Netflix. The Roku player buffers about 3 minutes of video, so when the schedule closes, the video continues to play, and then an error is reported once the buffer runs dry.
-
Why don't you just run cron to flush the states (search this forum). I cannot see how's Squid a solution.
-
Why don't you just run cron to flush the states (search this forum). I cannot see how's Squid a solution.
The reason for this is that once this setup is in place I won't be managing it. So the end user won't be wanting to change cron times every time they make an edit to the schedule.
It sounds like a fresh install may be needed.
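Two points in the thread come together here: the manual `pfctl -k 10.1.103.0/24` that did clear the lingering states, and the objection that a cron job would need its times edited whenever the pfSense schedule changes. The script below is an added example written for this page; it is not code from the thread, from pfSense, or from any package. It keeps the allowed windows in one small table, runs from cron every minute, and only kills states for an alias range while the current time is outside that alias's window, so the end user edits the table rather than cron times (the table still has to mirror the pfSense schedule, which is a duplication, not an integration). The 10.1.103.0/24 range is the one the thread gives for "Rahne"; Paige's range, both time windows, and the install path are assumptions. The two `pfctl -k` forms are the ones documented in pfctl(8): a single `-k <net>` kills states originating from the range, and `-k 0.0.0.0/0 -k <net>` kills states from anywhere to the range. With `DRY_RUN=1` the script only prints the commands, which is how it can be exercised off the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: clear pf states for an
# alias range whenever the current time is outside its allowed window.
# Meant to run from cron every minute; with DRY_RUN=1 it only prints the
# pfctl commands, so the logic can be tested on any POSIX shell.

# One schedule line per alias: "<alias> <cidr> <HH:MM-HH:MM>"
# (constructed table; 10.1.103.0/24 is the range given in the thread,
# Paige's range and both time windows are assumptions for the example)
SCHEDULE='
Rahne 10.1.103.0/24 07:00-20:30
Paige 10.1.104.0/24 07:00-21:00
'

# to_minutes HH:MM -> minutes since midnight (leading zero stripped so the
# shell does not read 08 or 09 as octal)
to_minutes() {
    h=${1%%:*}
    m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window HH:MM HH:MM-HH:MM -> exit 0 when the time is inside the window
# (start inclusive, end exclusive, same-day windows only)
in_window() {
    cur=$(to_minutes "$1")
    start=$(to_minutes "${2%-*}")
    end=$(to_minutes "${2#*-}")
    [ "$cur" -ge "$start" ] && [ "$cur" -lt "$end" ]
}

# kill_expired_states HH:MM -> for every alias outside its window, print and
# (unless DRY_RUN is set) run the pfctl(8) state kills:
#   pfctl -k <net>              states originating from the range
#   pfctl -k 0.0.0.0/0 -k <net> states from anywhere to the range
kill_expired_states() {
    at=$1
    printf '%s\n' "$SCHEDULE" | while read -r alias cidr range; do
        [ -n "$alias" ] || continue
        if in_window "$at" "$range"; then
            continue            # still allowed, leave its states alone
        fi
        echo "pfctl -k $cidr"
        echo "pfctl -k 0.0.0.0/0 -k $cidr"
        if [ -z "$DRY_RUN" ]; then
            pfctl -k "$cidr" >/dev/null 2>&1
            pfctl -k 0.0.0.0/0 -k "$cidr" >/dev/null 2>&1
        fi
    done
}

# Cron entry (assumed install path):
#   * * * * * root /usr/local/bin/kill_expired_states.sh
# Only touch the live firewall when invoked under that script name.
if [ "${0##*/}" = "kill_expired_states.sh" ]; then
    kill_expired_states "$(date +%H:%M)"
fi
```

Running it every minute is deliberately idempotent: killing states for a range that is already blocked does nothing, and the minute after a window closes the states are gone whether or not pfSense's own schedule handling cleared them. The printed commands end up in cron's mail, which gives a simple record of when access was cut.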