Scheduled states not working

Started by rungekutta, June 19, 2019, 09:41:09 PM

June 19, 2019, 09:41:09 PM Last Edit: June 19, 2019, 09:43:33 PM by rungekutta
Hi,

This seems to be a long-standing issue in pfSense as well, going back several years:
https://forum.netgate.com/topic/69331/scheduled-blocks-won-t-work-without-manual-states-reset/2

Long and short of it: in order to restrict the kids' access to the Internet at certain times of the day, I've got the following rules:

Alias: kids' devices (KD)

Enable kids' devices to any, source KD, on schedule
Block kids' devices to any (source KD)
Default allow any other LAN to any (source !KD)

This almost works... except that states are not killed when the scheduled pass rule expires. So any new connection is blocked as expected, but already open ones are kept alive, which means the kids continue to play... until they have to switch page or whatever and suddenly find themselves locked out.

Firewall -> Advanced -> Schedule States is UNchecked (somewhat non-intuitively, but that's what everyone says)

As mentioned and as per the link above this seems to be an old issue and inherited into opnsense..?

Any ideas...?

(to add - I note the workarounds to start hacking around with cron scripts and pfctl but I really want to avoid that if possible)

Bumping this thread. No ideas of similar experience? How do I raise a bug for this?

I doubt if it is a bug, but I am no expert. When I read the pfSense documentation, you can interpret it in two ways:

Quote: "By default schedules clear the states of existing connections when the expiration time is reached. That behavior may be changed to not clear states for existing connections by checking Schedule States under System > Advanced on the Miscellaneous tab."

My interpretation: After your scheduled rule has become effective, you still need to wait until the connection lifetime is expired. The connection is killed/not renewed after the expiration time of the connection is expired. Ticking the box (in my interpretation) would mean that the rule is only applicable on new connections, but does not touch old connections.

I don't know about the lifetime of a connection. Maybe you can limit this time somewhere.

You can log bugs on GitHub, by providing a bug report on https://github.com/opnsense/core/issues

I think the documentation is pretty clear. Re the wording "schedules clear the states of existing connections when the expiration time is reached": is your point that "expiration time" could refer to something other than the expiration of said schedule? I'm not aware of any other type of expiration time that it could possibly refer to, including on connections or whatever. I'm pretty sure the intention here is to automatically pfctl-kill all states created by the scheduled rule as soon as it expires, but this is not working, and as mentioned there are many reports on the Internet of people having had problems with this in pfSense too in the past.

I'll create a bug report for it.

PS: listing all the states using pfctl, you can see they are tagged according to the rule that created them. There could be several reasons for this, but I think at least one of them is to find all the relevant states and kill them when a given rule expires. Alas, this part is not working. As mentioned, I could probably hack around it with cron and my own pfctl commands, but would prefer to avoid that.

There is a difference between scheduled ALLOW and BLOCK rules.

I use a cron script to clear (all) states after the BLOCK rules kick in late at night. I never found a way around that.

It's not rocket science, I described it in a thread here some years ago and it is still working here...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Thanks. Yes, I understand that a workaround is to clear states yourself through pfctl commands and cron scripts; however, I would rather see the functionality work properly in the product itself. And as to your particular solution: I don't want to clear *all* states, but only those affected. I.e. I would need to write scripts that only clear the relevant states, according to their tags, and I believe this is exactly the functionality that is already supposedly built in but is not working.
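As an added example (not code from any poster in this thread, nor from OPNsense or pfSense itself), here is the narrower form of the cron workaround discussed above: instead of flushing every state on the firewall, it kills only the states belonging to the hosts that are members of the kids' alias. It selects states by host address rather than by rule tag, because `pfctl -k SRC -k DST` is a long-standing, documented way to do that; it assumes the OPNsense alias is loaded as a pf table with the same name (KD, as in the first post), that it runs as root on the firewall, and that `PFCTL` may be pointed at a stub for offline testing. IPv6 members are handled by choosing `::/0` instead of `0.0.0.0/0` as the "any source" half of the destination kill.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense/pfSense: kill only
# the pf states of hosts listed in one alias table (assumed name: KD), so that
# a scheduled block actually takes effect without flushing the whole state
# table. Assumes it runs as root on the firewall. PFCTL can be overridden to
# point at a stub when testing away from a pf box.
PFCTL="${PFCTL:-pfctl}"

# list_table_members TABLE
# Print the addresses currently in the pf table TABLE, one per line.
list_table_members() {
    "$PFCTL" -t "$1" -T show | awk 'NF { print $1 }'
}

# kill_states_for_host ADDR
# First kill states whose source is ADDR, then states whose destination is
# ADDR (pfctl -k SRC -k DST). The "any source" prefix must be of the same
# address family as ADDR, so pick ::/0 for IPv6 members and 0.0.0.0/0 for IPv4.
kill_states_for_host() {
    case "$1" in
        *:*) any="::/0" ;;
        *)   any="0.0.0.0/0" ;;
    esac
    "$PFCTL" -k "$1"
    "$PFCTL" -k "$any" -k "$1"
}

# kill_states_for_table TABLE
# Apply kill_states_for_host to every member of TABLE and print the number of
# hosts processed, so a cron job can log how much it did.
kill_states_for_table() {
    count=0
    for addr in $(list_table_members "$1"); do
        kill_states_for_host "$addr" >/dev/null
        count=$((count + 1))
    done
    echo "$count"
}

# Typical cron use, one minute after the scheduled allow rule expires
# (times are a constructed example):
#   1 21 * * *  /usr/local/bin/kill-alias-states.sh KD
if [ "$#" -gt 0 ]; then
    n=$(kill_states_for_table "$1")
    echo "killed states for $n host(s) in table $1"
fi
```

Run it with the table name as the only argument. It only touches states whose source or destination is a member of the table, so the rest of the LAN keeps its connections; if the alias membership changes between schedule runs, the next run simply reads the current table contents.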

Killing states for specific hosts didn't work reliably (for me) at pfSense, see posts in their forum (if you can still find them; they at first blocked me indefinitely from logging in as "2chemlud" and then some months ago they deleted this user, kind of polishing up the forum while cashing in on pfSense ;-) ). So I used the kill-all and it's not that much of a problem to me (in the night...).

Do you have scheduled BLOCK or ALLOW rules? That's key to your "supposed functionality" statement...
kind regards
chemlud

Yeah, I've done it the way I understand you're supposed to... a scheduled allow rule above a permanent block rule. Description at the top. So when the allow rule expires (and should kill all its states with it), the block rule immediately below ensures nothing new gets through until the schedule revives the allow rule again.

Except the states are left intact when the allow rule expires.

Sounds like I'm in the same place as you were...
I think it would be nice to get this fixed in opnsense.