Hello
I wanted to allow all users to access Facebook and YouTube between 14.00 hrs and 16.00 hrs daily, but all other times to be blocked.
I have set firewall rules to block, it's working.
To pass both sites, the following steps are made:
1) Defined schedule FreeHours_14_16_PM on all dates for 14.00 to 16.00 hrs.
2) Defined an alias - SocialSitesRestricted and added hosts www.youtube.com, www.facebook.com
3) Created a firewall rule
Action - Pass, Interface - LAN, TCP/IP version - IPV4, Protocol - TCP/UDP, Source - LAN Net
Destination - SocialSitesRestricted, Destination Port Range - Any - Any, Category - social_networks
Schedule - FreeHours_14_16_PM, gateway - default
I also have firewall rules for "Block HTTP bypass", "Block HTTPS bypass", "Default allow LAN to any rule" (IPV4), "Default allow LAN IPv6 to any rule", "NAT redirect traffic to proxy" (IPV4 and IPV6)
Unfortunately, OPNsense blocks Facebook and YouTube between 14-16 hrs. I am on a test server. I also get an HTTPS certificate error for Facebook, though I have other HTTPS sites working correctly.
Requesting your help...
Valsaraj
Hi there,
Make sure you're not running into an alias DNS ambiguity issue: www.facebook.com and www.youtube.com have many IP addresses your alias likely won't catch.
Start fresh with a single known IP to confirm the schedule works. If it does, the alias needs to be extended to include all youtube/facebook IPs.
Cheers,
Franco
Hi Franco
Tried with a single IP destination, but could not succeed... Removed the schedule and tried, still failed!
Other than defining alias and rule, is there any other step?
Thanks
Valsaraj
When using scheduled rules, the firewall actually reloads only every 15 minutes in the background. Can you take a look at your console file /tmp/rules.debug to see if the pass rule is properly injected?
I removed the existing rule, added a new rule with schedule. It reflected immediately.
Just wondering, none of the firewall rules defined by me is executing...
I tried to pass an alias with single host youtube.com, not working...
Tried to block an alias with a single host, not working!
Anything wrong from my setup side?
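The /tmp/rules.debug check suggested earlier in the thread, as an added example that is not part of any post: it reports whether the alias table and a pass rule using it are present, and lists earlier `quick` block rules on the same interface that are evaluated first. It assumes the file uses pf rule syntax with the alias emitted as a pf table of the same name; the function names, the interface `em0` and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on the firewall (assumed path from the thread):
#   check_alias_rule SocialSitesRestricted /tmp/rules.debug

# Constructed sample ruleset, not output from a real firewall.
sample_rules() {
cat <<'EOF'
# constructed sample
table <SocialSitesRestricted> persist
block in quick on em0 inet proto tcp from (em0:network) to any port 443 label "constructed: earlier block"
pass in quick on em0 inet proto { tcp udp } from (em0:network) to <SocialSitesRestricted> keep state label "constructed: scheduled pass"
pass in quick on em0 inet from (em0:network) to any keep state label "constructed: default allow"
EOF
}

# check_alias_rule ALIAS [FILE|-]
# Prints one of:
#   NO_TABLE       alias table is not declared in the ruleset
#   NO_PASS_RULE   no pass rule has the alias as destination
#   REVIEW ...     pass rule exists, but quick block rules on the same
#                  interface come before it (pf stops at the first quick match)
#   OK pass=N      pass rule at line N, no earlier quick block on that interface
check_alias_rule() {
    awk -v tbl="<$1>" '
        # Return the interface name that follows the "on" keyword.
        function iface(  i) { for (i = 1; i < NF; i++) if ($i == "on") return $(i + 1); return "" }
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
        $1 == "table" && $2 == tbl { declared = 1 }
        # Remember quick block rules seen before the first pass rule for the alias.
        $1 == "block" && / quick / && !pass_nr { n++; blk_if[n] = iface(); blk_nr[n] = NR }
        $1 == "pass" && !pass_nr && index($0, " to " tbl " ") { pass_nr = NR; pass_if = iface() }
        END {
            if (!declared) { print "NO_TABLE"; exit }
            if (!pass_nr)  { print "NO_PASS_RULE"; exit }
            for (i = 1; i <= n; i++) if (blk_if[i] == pass_if) hits = hits " " blk_nr[i]
            if (hits != "") print "REVIEW pass=" pass_nr " earlier_quick_block=" substr(hits, 2)
            else print "OK pass=" pass_nr
        }' "${2:--}"
}

# Demo on the constructed sample.
sample_rules | check_alias_rule SocialSitesRestricted -
```

A `REVIEW` result only lists candidates by interface and order; each listed block rule still has to be read to see whether its protocol, port and destination actually match the traffic in question.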