OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: cableguy187 on August 18, 2017, 02:20:26 pm

Title: Op sense any better at blocking steam on schedule?
Post by: cableguy187 on August 18, 2017, 02:20:26 pm
I am currently using pfsense and can't get the scheduled blocks to work reliably.

The scheduled block leaves the UDP state intact, even with a scheduled cron task to manually kill the state for the associated host.

The only way to fix it is manually clearing the states or rebooting the router, both of which are not ideal.

Has anyone successfully blocked Steam gaming on a schedule with opnsense?
Title: Re: Op sense any better at blocking steam on schedule?
Post by: fabian on August 18, 2017, 09:37:02 pm
This is how pf works. Packets which belong to an active connection are not evaluated and are passed directly (for performance reasons); for new connections the rules are evaluated. If you really want to avoid this behaviour, you have to disable state tracking for this rule, but this will make pf a simple packet filter (you will lose all the advantages of a stateful firewall). Note that this is discouraged.
Title: Re: Op sense any better at blocking steam on schedule?
Post by: cableguy187 on August 28, 2017, 01:37:43 pm
So, if you were to implement a schedule to drop/block all traffic to a specific host, what method would work reliably with opnsense?

Could you reroute DNS to a bogus address?
Title: Re: Op sense any better at blocking steam on schedule?
Post by: franco on August 28, 2017, 01:42:31 pm
Under Firewall: Settings: Advanced there is a checkbox "Schedule States" which states "By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections."

Does that not work as intended in a particular circumstance? If so, which version would be helpful.


Cheers,
Franco
Title: Re: Op sense any better at blocking steam on schedule?
Post by: cableguy187 on August 28, 2017, 02:12:36 pm
It does not work reliably on pfsense. Before I switch to opnsense, I was hoping to confirm this feature to be operational or find another working solution to block all internet access (and kill all current connections when schedule is in effect).
Title: Re: Op sense any better at blocking steam on schedule?
Post by: franco on August 28, 2017, 02:30:44 pm
We do have FreeBSD 11.0 and no bug report in that area in 2017. I would expect it to work, unless you found an edge case that pf(4) doesn't know how to clear in which case FreeBSD would be affected in general. Either way, not sure if you'll find out without trying it.

There is a live mode in our images so you don't have to fear wiping your install... :)


Cheers,
Franco
Title: Re: Op sense any better at blocking steam on schedule?
Post by: cableguy187 on September 02, 2017, 03:49:06 am
Thanks, I have a PC Engines APU2. Is this well supported for Opnsense?

Also, is Cron an available plugin?
Title: Re: Op sense any better at blocking steam on schedule?
Post by: fabian on September 02, 2017, 08:01:58 am
> Also, is Cron an available plugin?
No, it's in core.
Title: Re: Op sense any better at blocking steam on schedule?
Post by: franco on September 02, 2017, 11:15:08 am
With the caveat of cron not being fully editable (arbitrary commands from the GUI), you need to add your services to the backend:

https://docs.opnsense.org/development/backend/configd.html

When you have added your own commands to configd, and use the "description:" label, they will show up in the cron GUI.


Cheers,
Franco
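
Added example, not part of the thread and not the project's own code: a configd action of the kind the last post describes, wrapping the state kill for one host that the original poster was running from cron. The file name, section name, message text and the sample address 192.168.1.50 are assumptions made for illustration.

```ini
# /usr/local/opnsense/service/conf/actions.d/actions_killstates.conf
# (hypothetical file name; the part after "actions_" becomes the
# first word of the configctl command)

[host]
# pfctl -k <host> kills the state entries originating from that host.
command:/sbin/pfctl -k
# One argument is expected: the address of the host to cut off.
parameters:%s
type:script
message:killing firewall states for %s
# The description label is what makes the action selectable in the cron GUI.
description:Kill firewall states for a host

# After saving the file, reload the backend so it picks up the action:
#   service configd restart
# Run it once by hand before scheduling it (constructed sample address):
#   configctl killstates host 192.168.1.50
```

Scheduling this action for the minute the block rule becomes active removes the existing UDP states, so the next packets from that host are evaluated against the rules again.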