Scheduled Rule does not work..

[tryllz]

I have created a schedule for internet access for a VM, the rule is implemented on a WAN interface but does not seem to be working. The internet access is to be allowed between 21:30 - 21:45 every Mon, Thu, and Sun yet the VM has internet access all the time.

Schedule




Schedule Failure

[Fright]

such a rule will never be applied imho
you can see which rule is actually applied in the firewall logs

[Greelan]

Yeh, that rule will have no effect. It needs to be implemented on the relevant LAN/VLAN interface for the network that the VM is in. And the destination is not WAN_net, but any (or any except RFC1918 private networks)

[tryllz]

Sorry but I'm not able to understand how the schedule rule works.

I want to block internet access all day except between 21:30 - 21:45, how do I implement this rule.

I changed the rule to Block All Day except the times mentioned above, it still did not work. Currently as the rule is implemented internet should work but its not. The default deny rule is being applied.

My understanding of the rule is as follows (From let to Right):

Block packets if the source is 4_server and destination is any where and the Gateway is 2_WAN_DHCP but only at the schedule set (Block from 00:00 to 20:30, then again from 21:45 to 23:59). Can someone correct my understanding.

[Greelan]

Haven’t used the schedule myself but I would have thought you would want a pass rule that the schedule then determines when it operates. Outside those times the rule won’t apply and so presumably the default deny applies (unless there is another specific rule that allows it). Remember traffic is denied by default unless specifically allowed. At the moment you appear to be blocking on scheduled times and then blocking at all other times too

The alternative would be to have two rules - a block rule first that operates on a schedule, and then allow rule that has no schedule below it. The block rule would apply when the schedule says it does, and otherwise the allow rule applies. But try the simpler scheduled pass rule first

[Fright]

Block packets if the source is 4_server and destination is any where and the Gateway is 2_WAN_DHCP but only at the schedule set (Block from 00:00 to 20:30, then again from 21:45 to 23:59). Can someone correct my understanding.

the schedule does not trigger the rule action. if the schedule does not match the rule is simply absent.
according to your settings, during the schedule period packets will be blocked according to the deny rule. outside the schedule, packets will be blocked by the default rule because there are no allowing rules.

and I do not know about the gateway in the rule. why not use a system routing table?

[tryllz]

the schedule does not trigger the rule action. if the schedule does not match the rule is simply absent.
according to your settings, during the schedule period packets will be blocked according to the deny rule. outside the schedule, packets will be blocked by the default rule because there are no allowing rules.

and I do not know about the gateway in the rule. why not use a system routing table?

Thanks for the input, sorry I'm new to firewalls..

Also I had set the rule last night to allow internet to server and DNS Server access to client and it was working fine. Today morning I'm getting a whole lot of udp default deny rule for the client and it cannot access DNS server on an interface where I have allowed all protocols. The ICMP from Client to Server only works if I initiate an ICMP from Server to Client first.

Any specific reason this is happening.

[Fright]

you have only outgoing enable rule on 1_dell interface (and  autogenerated inbound anti-lockout rule).
so (except SSH and GUI) no incoming sessions allowed on 1_dell.

The ICMP from Client to Server only works if I initiate an ICMP from Server to Client first

because first outbound icmp packet from server creates state in states table

maybe this will help to understand the basics
https://docs.opnsense.org/manual/firewall.html#overview
https://learningnetwork.cisco.com/s/question/0D53i00000Ksup8/stateful-firewall-overview
https://docs.oracle.com/cd/E53394_01/html/E54829/pfovw-proc.html#scrolltoc
https://forum.opnsense.org/index.php?topic=20219.0

[tryllz]

Thanks for the links, and clarificationI got it working now..

[Fright]

glad to know 

[tryllz]

I'm having a hard time understanding In and Out in relation to Source and Destination. What's the best way to understand it.

Also sorry only part of the scheduled rule is effective now, the network 192.168.28.0 has a scheduled internet access and works fine. The network 10.0.64.0 does not seem to be effective.

The whole network with internet route for client VM - https://i.ibb.co/9gHG3y3/Dell-Network.png

Tracert from client (192.168.1.21 is the 1_dell interface and 192.168.47.2 is the NAT network in VMware Workstation)


Schedule


Server with No Internet as in Schedule


Alias for RFC1918 networks


Internet Rule for 10.0.64.32 /27


Internet still accessible


WAN Rule

[chemlud]

IN  and OUT are always relative to the INTERFACE. For WAN the IN traffic comes from your provider. For the LAN interface IN is everything from your local machines. OUT is the direction to the OPNsense/target interface of your traffic...

Use IN as the direction for rules, it's the standard.

[tryllz]

Thanks for clearing that up.

So in my case when I apply a rule with an IN on the WAN with a destination of 10.0.64.43 through Gateway 192.168.1.31 and a schedule (no internet access except between 21:30 - 21:45), the rules does not take effect. The client still has internet access at 16:15.

And to my understanding the rule above is the same as an IN on LAN destined for any non-RFC1918 networks through WAN Gateway with the same schedule as above.

I tried both the rules as mentioned above, am I missing something as with both the rules separately implemented the client still has internet access. Interestingly if I apply a block or reject the rule works and no internet access for client.

[Fright]

It seems to me that you should continue to enbale logging on created rules and observe what rules actually apply to the allowed and blocked traffic.

All inbound traffic allowed on the WAN interface is a very bad idea.

you can try to proceed from the following general principle: if you need to allow traffic from a certain subnet only at a certain time, then first on the interface that will receive requests from this subnet you need to create such a set of rules so that traffic for "non-RFC1918 addresses" is blocked and only then create an allowing rule with a schedule and place it above blocking rule(s) if any

[tryllz]

It seems to me that you should continue to enbale logging on created rules and observe what rules actually apply to the allowed and blocked traffic.

Thanks, I'll continue to log and see what's going on.

All inbound traffic allowed on the WAN interface is a very bad idea.

I agree, all inbound allowed was to test if traffic is coming through (internet connectivity).

I will implement the schedule on blocked as blocking works, so I can have it blocked from 00:00 to 21:30 and 21:45 to 23:59 and hope it works.