OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: PWCDC on February 21, 2021, 05:52:58 PM

Title: Schedule Based Firewall Rules
Post by: PWCDC on February 21, 2021, 05:52:58 PM
What is the current recommended way to set up scheduled firewall rules for blocking specific clients from the internet?

I've found a few threads on this forum, but they are quite old and trying the recommendations doesn't work entirely. For instance, simply setting a scheduled block rule in the floating rules is effective, but won't kill existing connections.

I have the schedule and the aliases set up the way I want them, and they appear to work. The only quirk is terminating existing connections. Is there a trick I'm missing?
Title: Re: Schedule Based Firewall Rules
Post by: chemlud on February 21, 2021, 06:12:58 PM
Strange enough we had a thread quite recently, which I can't find anymore (and not my posts either...).

I use scheduled block rules and run cron jobs to kill all (!) states the minute after the block becomes effective. In the recent thread a user described scheduled allow rules, which apparently worked iirc, but no way to confirm. :-(
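Added example, not part of chemlud's post or of OPNsense itself: a script for the cron approach described above that goes one step further and flushes pf states only for the restricted clients instead of all states. It assumes pf's `pfctl -k` on the firewall; the function names and the `DRY_RUN` switch are hypothetical, and how the script gets scheduled on OPNsense is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): flush pf states for named clients only.
# Run from cron the minute after the scheduled block rule becomes active.
# Usage, constructed addresses: DRY_RUN=0 sh flush_states.sh 192.168.1.50 192.168.1.51
# Assumption: DRY_RUN (hypothetical switch) defaults to 1 and only prints commands.
DRY_RUN="${DRY_RUN:-1}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (DRY_RUN=1) or run the pfctl calls for one client.
# pfctl -k HOST              kills states originating from HOST
# pfctl -k 0.0.0.0/0 -k HOST kills states destined to HOST
flush_client() {
    if ! is_ipv4 "$1"; then
        echo "skip invalid address: $1" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "pfctl -k $1"
        echo "pfctl -k 0.0.0.0/0 -k $1"
    else
        pfctl -k "$1" && pfctl -k 0.0.0.0/0 -k "$1"
    fi
}

# Flush every client passed as an argument; exit status is the number rejected.
flush_clients() {
    failed=0
    for ip in "$@"; do
        flush_client "$ip" || failed=$((failed + 1))
    done
    return "$failed"
}

flush_clients "$@"
```

Validating each argument before it reaches `pfctl` keeps a typo or a stray string in the cron entry from being run as part of a root command.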
Title: Re: Schedule Based Firewall Rules
Post by: PWCDC on February 23, 2021, 05:57:20 PM
Hmm.

I don't see that as an option in the Cron dropdown.

Is there a way to invert schedules? I had thought about using two rules: one to allow, based on a schedule, and then another to block based on the same schedule. The problem is I would have to create redundant schedules for each block and pass rule. Seems awkward.
Title: Re: Schedule Based Firewall Rules
Post by: chemlud on February 23, 2021, 06:07:25 PM
It's a little more complicated.

https://forum.opnsense.org/index.php?topic=10740.msg49334#msg49334

:-)

Still don't understand why the thread from December 2020 (or so) is not there anymore...

Only found this one:

https://forum.opnsense.org/index.php?topic=13256.0
Title: Re: Schedule Based Firewall Rules
Post by: Atomical on March 03, 2021, 12:11:27 PM
Hi PWCDC,

I have set mine up to block the kids' internet access at certain times.

Create a schedule to allow times that you want to allow internet traffic.
(Here's mine currently)
https://ibb.co/Jz1z3Q1

Now go to your LAN firewall rules and create a block internet rule for the IP addresses you want to restrict. Then add an allow rule for the same IP addresses and add the schedule for this.
Make sure you add this to the LAN net
https://ibb.co/SBqH9CX
Make sure you add your schedule to this (not shown in the screenshot)

https://ibb.co/6rKHpNX

As chemlud says, it's a stated firewall, so the rule doesn't kick in dead on the time you allow but the minute later.

So if you have a cut-off of, say, 21:59hrs, it will stop at 22:00hrs.

@chemlud, I think it was my post you were talking about, but it didn't work correctly the way I originally had it, as the connections stayed active slightly until I changed it to this method. Now connections drop and don't access or ping any internet connections at all.