Blocking local IPs on a schedule with pfSense problem

Hi, I’m using pfSense at home and would like to stop internet connection on my kids’ PCs on a schedule. I’ve followed several forum posts and YouTube videos and all say to add a firewall rule based on that schedule using the Action BLOCK with Source as my kids’ PC IPs (I’ve set up an Alias). Protocol is IP4 and I’ve selected LAN and WAN. Direction is IN, Quick is Checked and Gateway is WAN_DHCP Gateway. I’ve tried this as a LAN rule and the above is my current Floating Rule setting. However, neither seems to stop the internet access on time. So for example, if I set the schedule to stop at 8:00 pm, the kids are able to keep playing until 8:30 - 9:00 pm. And I know they still have internet access because they continue to voice chat with their online friends.

One thing to note is I am using pi-hole instead of pfSense to block certain sites and so their PCs point to the pi-hole IP address for DNS calls. But I have included the address of the pi-hole in the Alias above.

Any ideas will be greatly appreciated!

Thank you!

Much easier to set up VLANs, then control the WAN connection in the VLAN rules with the schedule you want.

If not you can probably combine an alias with the IP addresses with a rule and schedule.

Thanks - I was trying to avoid that since I’ve never used VLANs. Is there a solution that does not require VLANs? The schedule method eventually works so I just don’t know why access is not blocked “on time.”

My guess is your schedule doesn’t work or packets continue to be transmitted once started. If I put a schedule on my VLAN, the traffic stops precisely.

Thanks. I think the schedule is working correctly since I see the “clock” sign next to the schedule and a red X on the rule which I think means it’s currently blocking. And so I’m struggling to figure out why the packets continue to get through.

This is stated in the manual:

By default, states are cleared for active connections permitted by a scheduled rule when the schedule expires. This shuts down access for anyone allowed by the rule while it was active. To allow these connections to remain open, check Do not kill connections when schedule expires under System > Advanced on the Miscellaneous tab.

Try setting the opposite.

That is currently unchecked so I think it means states are not saved which is what I want…and yet, traffic continues. Thanks again for helping me with this!

hmmm…

Perhaps it might be related to the state tables. Diagnostics > States, then Reset States.

Doing that will force all clients to reconnect, after that it may follow the rule precisely.

Thanks…flushed and rebooted. Will report back after the schedule kicks in at 8 pm tonight to see if it works!

Hi, tried a few more things and traffic is still getting through. It’s weird that when the schedule kicks in, I cannot google from the PC (and so some things are blocked), but their game still works and they can talk to their friends. I’m guessing the game is able to circumvent the block, but how?!

The other thing you can do is implement VLANs, then apply the rules etc. to the VLAN, which will stop all traffic.

Ensure on the block rule that it’s any traffic. Think it defaults to TCP. I think games tend to use UDP so the connection will still be active.
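
Added illustration, not part of any post in this thread and not pfSense code: a simplified Python model of a stateful firewall, showing one explanation consistent with the symptom above (new web requests fail at 8 pm while the running game keeps working). It assumes an always-on pass rule sits below the scheduled block rule; the class names, addresses and hours are constructed, and the state clean-up follows the manual text quoted in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # source IP the rule matches
    hours: Optional[range] = None   # schedule (active hours); None = always on

    def active(self, hour):
        return self.hours is None or hour in self.hours

@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)   # flow -> rule that created it

    def packet(self, hour, src, dst, proto):
        flow = (src, dst, proto)
        if flow in self.states:      # state lookup happens before any rule is read
            return "pass (state)"
        for rule in self.rules:      # first matching active rule wins
            if rule.active(hour) and rule.src == src:
                if rule.action == "pass":
                    self.states[flow] = rule
                    return "pass (rule)"
                return "block"
        return "block"               # nothing matched: default deny

    def schedule_tick(self, hour):
        # Manual text quoted in the thread: only states permitted by a
        # scheduled rule are cleared when that rule's schedule expires.
        self.states = {f: r for f, r in self.states.items()
                       if r.hours is None or r.active(hour)}

KID = "192.168.1.50"                 # constructed addresses
GAME = ("203.0.113.10", "udp")
WEB = ("198.51.100.7", "tcp")

def evening(rules):
    fw = Firewall(rules)
    seen = [fw.packet(19, KID, *GAME)]       # game session opens at 19:00
    fw.schedule_tick(20)                     # schedule boundary at 20:00
    seen.append(fw.packet(20, KID, *GAME))   # same game flow after 20:00
    seen.append(fw.packet(20, KID, *WEB))    # brand-new web connection
    return seen

def scheduled_block():   # assumed setup: timed block above an always-on pass
    return evening([Rule("block", KID, range(20, 24)), Rule("pass", KID)])

def scheduled_pass():    # alternative: the pass rule itself carries the schedule
    return evening([Rule("pass", KID, range(0, 20))])
```

In the model, the timed block rule stops only flows that start after 20:00, while putting the schedule on the pass rule also ends the game flow that was opened earlier.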