pfSense Schedules - Have I got this right?

So I’ve read/watched a number of blogs and videos where parents are looking for a way to lock down the internet out of hours on kids’ devices.
I recently moved from an old Draytek DSL router to a UDM Pro (wanted a high-throughput firewall), and that’s soon to be ditched due to the lack of features I thought were “basic”. So I’m experimenting with pfSense right now.

The blogs and videos I’ve seen tend to suggest:

  • Create static IP addresses for specific “kids” devices
  • Allocate the kids’ devices to an alias (group)
  • Create a block rule to block traffic from late evening until early morning.

Reading the pfSense docs, they state that at the END of a schedule it will clear states. So if I understand this correctly, any and all existing connections will continue to work, but new connections will be blocked.

Am I right in thinking a more robust/reliable approach would be to invert the schedule:

  • Create a daytime period
  • Create a firewall rule allowing traffic through for a group of devices (via alias) until the end of the schedule.
  • Update the “Default allow LAN to any” rule to add an “invert match” on the kids’ devices group, so that the general allow rule won’t apply to them.

I think this should result in out of hours being blocked and existing sessions being dropped at the end of the schedule.

I know there are ways of working around this (i.e. kids assigning their own (different) static IP). The Draytek I had allowed MAC addresses to be used, which made it very slightly harder as you had to know where to go to change/spoof a MAC; pfSense seems to lack this capability.

Is this better, or have I got it wrong, and the block rule would work the same (and is slightly easier to understand)?

Thanks
Martin
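To make the two designs in the post concrete, here is an added illustration (not the poster’s config, and not a ruleset generated by pfSense) of roughly what the GUI rules translate to in pf syntax. It assumes a LAN interface igb1 on 192.168.1.0/24, an alias named kids_devices containing two made-up static IPs, first-match “quick” rules as pfSense uses, and illustrative rule labels; pfSense’s real labels and the exact mechanism it uses to add scheduled rules and clear their states are its own business and are only described here in comments.

```pf
# Added illustration, not pfSense-generated. Assumed interface, subnet, IPs and labels.
lan     = "igb1"
lan_net = "192.168.1.0/24"
table <kids_devices> { 192.168.1.50, 192.168.1.51 }

### Design A: scheduled BLOCK rule (schedule "out_of_hours", e.g. 21:00-07:00)
# pfSense only includes this rule while the schedule is active. A state that
# was created before 21:00 already matched the pass rule below, so it is not
# touched by the block; pfSense clears states at the END of the schedule
# (07:00), which is exactly when the kids are allowed back on anyway.
block in quick on $lan from <kids_devices> to any label "kids_out_of_hours"
pass  in quick on $lan from $lan_net to any keep state label "Default allow LAN to any"

### Design B: scheduled ALLOW rule (schedule "daytime", 07:00-21:00) + inverted default
# During the day the kids match this pass rule, so their states belong to it.
pass  in quick on $lan from <kids_devices> to any keep state label "kids_daytime"
# At 21:00 the schedule ends: pfSense drops the rule above AND clears the states
# it created, so running sessions (chat, streams) die at that point.
# The default rule now carries "invert match" on the source alias, so it no
# longer matches the kids' devices ...
pass  in quick on $lan from ! <kids_devices> to any keep state label "Default allow LAN to any"
# ... and pfSense's implicit default deny drops whatever is left.

# Checks from the pfSense shell (Diagnostics > Command Prompt, or ssh):
#   pfctl -ss | grep 192.168.1.50    # are that device's states still in the table?
#   pfctl -k 192.168.1.50            # kill states from/to that host by hand
```

The practical difference is which rule owns the kids’ states: in design A they are owned by the always-on default allow rule, so a scheduled block never reaches them; in design B they are owned by the scheduled allow rule, so its expiry takes them down. The pfctl checks above let you confirm this on the box rather than trusting the description.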

That method seems simple enough and should work.

Well, it all depends; to me your approach looks like it will work until a new device enters the network :slight_smile:
It also looks like way too much effort to maintain.

If you buy a switch and a multi-SSID access point, then it’s far easier to create a VLAN and apply rules to that VLAN. Block adult material etc. for that VLAN; when their mates rock up they just join that VLAN. The adults can stick to the full glory of the unfiltered internet.

Once you suss out VLANs, then you’ll see it’s very easy to set up a guest VLAN which keeps your network secure etc.

Children always find a way to circumvent the controls to get up to no good :wink:

BTW would definitely recommend pfBlocker it keeps out a lot of crap.

The above is all doable, especially if you are about to buy some kit; do invest in a managed switch.

Thanks, I have a managed switch, APs with multiple SSIDs, and VLANs set up. Kids’ devices are a mixture of wired and wireless.
I’m aware that there are ways around things. In fact all the mobile devices are kept out of their rooms at night. However, you’re right, kids are smart, and I quite like it if they learn something to get around what I put in place. For example, Windows Family Safety logs them out; however, if they have Discord chat already running then they can continue to chat with friends. I’ve currently taken to manually disabling the interface on the switch. Once I move from the UDM-Pro to pfSense (which will be deployed this weekend), I can do what I did with the Draytek and schedule traffic to be blocked, and existing connections dropped.

Regardless of the futility, the question/point was more related to using an accept rule rather than a block rule, due to the way the schedules work with active connections. I think I’ve got it right and will test to confirm.

Obviously there are several ways to crack any problem, though it sounds like you have the setup you need; use what works best. I’ve not used the schedule feature, but I can easily see that it can be applied to a VLAN and then it will cut off internet access regardless of what’s running.