OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: jehujehu on June 01, 2018, 01:57:29 pm
-
I'm trying to block internet access from 3 AM to 11:00 AM and it doesn't seem to be working.
I created an Alias with the IP addresses I want to block (they are static IPs). Then I created a schedule with these times...start time 3 AM and stop time 11 AM.
Then I created a firewall block rule on the VLAN he's on and added the alias and schedule.
It doesn't seem to be working...he can't seem to access the internet outside these block times above.
I had this issue with pfSense and it was one of the reasons, among others, why I decided to use OPNsense.
Help, what am I doing wrong? :'(
Jehu
-
But he can during the block times or he cannot access the net at any time?
-
Don't use the rule scheduler on my system, but I've just created a rule to block a specific website, created the schedule, it's only a fifteen minute block, but it came in within 60 seconds of when it was supposed to start and ended when I had specified...
Hmm I could really annoy the wife with this. :P
Remove the schedule for now.
First things first then. Does the rule do what it's supposed to do when enabled and does it clear and allow access when disabled?
-
You're right... it worked once.
I'll raise an issue on Github and take a look.
-
Yes, it's very flaky, I can't have this as hit and miss...I need the schedule for internet access time, I'm not blocking websites. So how would this be done without a schedule?
Thanks
-
That's what it's for, amongst other things, and I'll get on to it and we'll see if we can get it fixed. Need to raise an issue first and I'll do that this morning. We'll fix it.
-
Fundamentally, it's easy to double check:
* /tmp/rules.debug during and outside the schedule window
* make sure rules order is correct (scheduled block before normal pass, scheduled pass before normal block)
* Log your schedule rules to be able to inspect the firewall log to see if a schedule is blocking, passing or something else
All of this info is missing, which points to schedules being hard to use, but there also isn't a lot to improve in this regard with the current design.
Cheers,
Franco
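
The first two checks in the list above, as an added example that is not part of the original post or of OPNsense itself: diff two saved copies of /tmp/rules.debug (one taken inside the schedule window, one outside) and confirm the scheduled block sits before the general pass rule. The rule lines, the alias name and the labels are constructed samples, and the example assumes the scheduled rule appears in only one of the two snapshots.

```shell
#!/bin/sh
# Added example. The rule lines below are constructed pf-style samples, not
# output copied from a real firewall; alias and label names are hypothetical.

# Print filter rules present in snapshot $1 but missing from snapshot $2.
rules_only_in() {
    grep -E '^(block|pass) ' "$1" | grep -Fxv -f "$2" || true
}

# Succeed if the first line matching $2 comes before the first line matching
# $3 in file $1 (e.g. scheduled block before the normal pass rule).
rule_precedes() {
    first=$(grep -n -m1 -e "$2" "$1" | cut -d: -f1)
    second=$(grep -n -m1 -e "$3" "$1" | cut -d: -f1)
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]
}

demo_dir=$(mktemp -d)
# Constructed snapshot, as if copied from /tmp/rules.debug inside the window.
cat > "$demo_dir/inside.txt" <<'EOF'
block in log quick on vlan0 inet from <kid_devices> to any label "sched-block"
pass in quick on vlan0 inet from any to any keep state label "vlan-allow"
EOF
# Constructed snapshot taken outside the window: the scheduled rule is absent.
cat > "$demo_dir/outside.txt" <<'EOF'
pass in quick on vlan0 inet from any to any keep state label "vlan-allow"
EOF

# Note the firewall's own clock and timezone with each snapshot; the fix in
# this thread turned out to be a wrong timezone on the firewall.
echo "firewall clock: $(date '+%Y-%m-%d %H:%M %Z')"
echo "rules loaded only inside the window:"
rules_only_in "$demo_dir/inside.txt" "$demo_dir/outside.txt"
rule_precedes "$demo_dir/inside.txt" 'label "sched-block"' 'label "vlan-allow"' \
    && echo "order ok: scheduled block is evaluated before the pass rule"
```

If the first function prints nothing for snapshots taken on either side of the window boundary, compare the recorded clock line with the schedule before suspecting the rule.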
-
Yes, doing those things now. I've proved the rule manually.. just waiting for the schedule to kick in and then I'll post.
-
OK, first test this morning - blocking one site to one LAN address worked.. I've now edited the schedule, moving it forward by 15 minutes.. report to follow shortly.
-
Any updates?
-
I checked this again with a specific address and it was working, it was the logging that wasn't. Logging is an issue we are trying to get our heads around. What happens is when the rule is in place, the logs correctly show it, when it's not, the rule is no longer there, so when the log goes to look to find the ID for that rule, it's in a list, the list has changed and the log displays the wrong rule.
I've not tried it with VLANs or LAN segments, I'll spin up a VM tomorrow and test that.
-
OK... I've checked this on LAN and VLAN, hosts etc. and it does work.
@jehujehu - Try this:
- Delete any block rules you have created on that VLAN - Can he now access the internet?
- Create a block rule for the alias table or whatever you want to block - Are they now blocked?
- If the answer to 1 and 2 is yes, then apply the schedule to that rule.
One other thing. I created a new setup on a test APU to prove all this and scratched my head when it did not work at first. Then I realised I had not set the time correctly... sigh, it started working when I did. :)
-
Sorry was really busy looking at some other firewalls...was about to choose Sophos UTM free version.
I created a block rule for the alias table and it blocks my phone, which I used as an example (after I disconnect/connect to wifi), and it works.
I add the schedule and it doesn't work.
This is driving me mad, I left pfSense for this same reason...at this point I'm willing to go the way of my friend...cheap router Linksys etc and it works with one click. He keeps telling me your fancy router can't work and mine works >:(
I've attached some screenshots of my setup maybe you can see where I'm going wrong.
Or else it's a cheap router another VLAN and only put him on that access point.
Also will it disconnect him if he's streaming or will he need to disconnect first...this wouldn't be good.
Thanks for your help in advance.
P.S. Where do I find the log files for this?
-
Here are the others...reached limit.
-
And in the firewall rule itself you have selected the schedule to use?
-
And again
-
Yes I did and then it stops working...see if my time is correct....want to block from 12 AM - 10:30 AM
-
OK... You've proved the rule works...
For now, edit the time in the schedule so it's only active for 15 minutes. In my case it's now 13:35, so create a schedule entry that is active for 13:45 until 14:00, then another from 14:15 to 14:30.
Like this:
(https://preview.ibb.co/gQL9Ny/Capture.png) (https://ibb.co/f0SZpd)
Then see what happens...
-
Thanks for all your help...If I use a rule with the alias it works...add the schedule and it doesn't work.
I can't be bothered with a reinstall to see if the schedule is broken, way too much work, I might as well look at another solution.
Thanks again :(
-
:) :) :) :) Wow what can I say it works!!!
I went through OPNsense line by line after you said it works for you...SMH the time on it was a different timezone from where I live >:( Sorry for all your troubles and many, many thanks for all your help.
Now I'm loving my OPNsense again 8)
Thanks again and God Bless!
-
BTW where do you find the logs for this?
-
Glad it's working for you. No need to bless me, a click on the applaud is sufficient thanks.
Logs for what?
-
Logs for the schedule.
-
Ah...No, there are not any I am aware of, doesn't mean there are none though, just I've not seen them. :)
@franco - are there any logs for the scheduler?
-
Well, you can log your scheduled rules...
Cheers,
Franco
-
Sorry, how would I do this?