Blocking internet access through scheduling

jehujehu · June 01, 2018, 01:57:29 PM

I'm trying to block internet access from 3 AM to 11:00 AM and it doesn't seem to be working.
I created an Alias with the IP addresses I want to block (they are static IP). Then create a schedule with these times...start time 3 AM and stop time 11 AM.
Then create a firewall block rule on the Vlan he's on and add the alias and schedule.
It doesn't seem to be working...he can't seem to access the internet outside these block times above.
I had this issue with Pfsense and was one of the reason among others why I decided to use Opnsense.
Help what am I doing wrong? :'(

Jehu

marjohn56 · June 01, 2018, 10:56:34 PM

But he can during the block times or he cannot access the net at any time?

marjohn56 · June 01, 2018, 11:34:29 PM

Don't use the rule scheduler on my system, but I've just created a rule to block a specific website, created the schedule, it's only a fifteen minute block, but it came in within 60 seconds of when it was supposed to start and ended when I had specified...

Hmm I could really annoy the wife with this. :P

Remove the schedule for now.

First things first then. Does the rule do what it's supposed to do when enabled and does it clear and allow access when disabled?

marjohn56 · June 02, 2018, 12:19:52 AM

You're right... it worked once.

I'll raise an issue on Github and take a look.

jehujehu · June 02, 2018, 02:03:20 AM

Yes it's very flaky I can't have this as hit and miss...I need the schedule for internet access time, I not blocking websites. So how would this be done without schedule?

Thanks

marjohn56 · June 02, 2018, 09:00:40 AM

That's what it's for amongst other things and I'll get on to it and we'll see if we can get it fixed.. Need to raise an issue first and I'll do that this morning, We'll fix it..

franco · June 02, 2018, 09:52:14 AM

Fundamentally, it's easy to double check:

* /tmp/rules.debug during and outside the schedule window
* make sure rules order is correct (scheduled block before normal pass, scheduled pass before normal block)
* Log your schedule rules to be able to inspect the firewall log to see if a schedule is blocking, passing or something else

All of this info is missing, which points to schedules being hard to use, but there also isn't a lot to improve in this regard with the current design.

Cheers,
Franco

marjohn56 · June 02, 2018, 10:52:50 AM

Yes, doing those things now. I've proved the rule manually.. just waiting for the schedule to kick in and then I'll post.

marjohn56 · June 02, 2018, 11:06:08 AM

OK, first test this morning - blocking one site to one LAN address worked.. I've now edited the schedule, moving it forward by 15 minutes.. report to follow shortly.

jehujehu · June 07, 2018, 02:21:28 PM

Any updates?

marjohn56 · June 07, 2018, 07:19:31 PM

I checked this again with a specific address and it was working, it was the logging that wasn't. Logging is an issue we are trying to get our heads around. What happens is when the rule is in place, the logs correctly show it, when it's not, the rule is no longer there, so when the log goes to look to find the ID for that rule, it's in a list, the list has changed and the log displays the wrong rule.

I've not tried it with VLAN's or LAN segments, I'll spin up a VM tomorrow and test that.

marjohn56 · June 08, 2018, 12:49:31 PM

OK... I've checked this on LAN and VLAN, Hosts etc and it does work,

@jehujehu - Try this:

Delete any block rules you have created on that VLAN - Can he now access the internet?
Create a block rule for the alias table or whatever you want to block - Are they now blocked?
If the answer to 1 and 2 is yes, then apply the schedule to that rule.

One other thing. I created a new setup on a test APU to prove all this and scratched my head when it did not work at first. Then I realised I had not set the time correctly... sigh, it started working when I did. :)

jehujehu · June 14, 2018, 01:59:45 PM

Sorry was really busy looking at some other firewalls...was about to choose Sophos UTM free version.
I created a block rule for the alias table and it block my phone that I used as an example (after I disconnect/connect to wifi) and it works.
I add the schedule and it doesn't work.
This is driving me mad I left Pfsense for this same reason...at this point I willing to go the way of my friend...cheap router Linksys etc and it works with one click. He keeps telling me your fancy router can't work and mine works >:(
I've attached some screenshots of my setup maybe you can see where I'm going wrong.
Or else it's a cheap router another VLAN and only put him on that access point.
Also will it disconnect him if he's streaming or will he need to disconnect first...this wouldn't be good.

Thanks for your help in advance.
P.S where do I find the log files for this.

jehujehu · June 14, 2018, 02:04:24 PM

Here are the others...reached limit.

marjohn56 · June 14, 2018, 02:09:43 PM

and in the firewall rule itself you have selected the schedule to use?

Blocking internet access through scheduling

jehujehu

June 01, 2018, 01:57:29 PM

marjohn56

June 01, 2018, 10:56:34 PM #1

marjohn56

June 01, 2018, 11:34:29 PM #2

marjohn56

June 02, 2018, 12:19:52 AM #3

jehujehu

June 02, 2018, 02:03:20 AM #4

marjohn56

June 02, 2018, 09:00:40 AM #5

franco

June 02, 2018, 09:52:14 AM #6

marjohn56

June 02, 2018, 10:52:50 AM #7

marjohn56

June 02, 2018, 11:06:08 AM #8 Last Edit: June 02, 2018, 11:20:06 AM by marjohn56

jehujehu

June 07, 2018, 02:21:28 PM #9

marjohn56

June 07, 2018, 07:19:31 PM #10

marjohn56

June 08, 2018, 12:49:31 PM #11 Last Edit: June 08, 2018, 12:52:23 PM by marjohn56

jehujehu

June 14, 2018, 01:59:45 PM #12

jehujehu

June 14, 2018, 02:04:24 PM #13

marjohn56

June 14, 2018, 02:09:43 PM #14