
Author Topic: Scheduled Firewall Rule for LAN  (Read 163 times)


Offline Presbuteros

Scheduled Firewall Rule for LAN
« on: December 19, 2017, 03:36:58 am »
The goal is to block a host on the LAN from both LAN and WAN during a 1 hour period from 0830-0930 every day.

I have configured the following range in Firewall>Schedules.

Schedule Name: 1hrBlock
Mon-Sun  0830-0930

I have configured in Firewall>Rules>LAN the following:

Interface:        LAN
Address Family: IPv4
Protocol:         ANY
Source: Single Host > 192.168.4.120
Destination:     ANY
Advanced Options > Schedule: 1hrBlock

However, when that time period (0830-0930) comes, the host still has access to WAN and LAN.

I see in Firewall>Rules>LAN under Advanced Options both State timeout and State type. Do either of these need to be configured so that the States of the host are dropped at 0830 for the schedule rule?

Thanks for your help.


Offline GoldFish

Re: Scheduled Firewall Rule for LAN
« Reply #1 on: January 07, 2018, 12:10:02 pm »
What is the rule order? The rules on an interface are applied from top down, first match. If there is a rule on top of this block rule which allows all LAN traffic, the packets would never hit this rule.

Secondly, afaik, active states from this machine will not be dropped until they expire. State timeout should help. When you apply a block rule that means no new session will be created but the existing ones will still go through.

On the other side, let's say you allow access for a 1 hour window. States which were created in that time period are dropped automatically after the 1 hour window.
* pfSense Enthusiast *

Offline Derelict

Re: Scheduled Firewall Rule for LAN
« Reply #2 on: January 07, 2018, 12:18:01 pm »
You cannot use a firewall rule to block a LAN host from accessing another LAN host.

They are on the same subnet so that traffic doesn't go through the firewall at all.

For access out WAN you want to use scheduled pass rules followed by an unscheduled block all rule.

When a scheduled pass rule expires all states created BY THAT RULE will be killed.
Las Vegas, Nevada, USA

Offline GoldFish

Re: Scheduled Firewall Rule for LAN
« Reply #3 on: January 07, 2018, 12:25:42 pm »
You cannot use a firewall rule to block a LAN host from accessing another LAN host.

If it's absolutely necessary to block LAN, then I would put this machine on a different subnet, provided the routing table is on pfSense and not a switch, but then you will have to configure other rules for traffic flow.
* pfSense Enthusiast *
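
A toy model of the behaviour described in the replies above (top-down first-match rule order, existing states surviving a scheduled block rule, and states being killed when a scheduled pass rule expires). It is an example added here, not code from any poster or from pfSense. The WAN destination addresses, the rule names other than 1hrBlock, the default-deny fallback and the complement schedule used for the pass rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str          # "pass" or "block"
    src: str             # source IP or "any"
    windows: tuple = ()  # ((start, end), ...) in minutes since midnight; () = unscheduled

    def active(self, t):
        return not self.windows or any(s <= t < e for s, e in self.windows)

class Firewall:
    # Simplified model: first matching active rule wins; pass rules create states.
    def __init__(self, rules):
        self.rules, self.states, self.clock = rules, {}, 0

    def tick(self, t):
        # When a scheduled pass rule's window ends, kill the states that rule created.
        self.clock = t
        dead = {r.name for r in self.rules
                if r.action == "pass" and r.windows and not r.active(t)}
        self.states = {k: v for k, v in self.states.items() if v not in dead}

    def packet(self, src, dst):
        if (src, dst) in self.states:   # established state: rules are not re-evaluated
            return "pass"
        for r in self.rules:            # top down, first match
            if r.active(self.clock) and r.src in ("any", src):
                if r.action == "pass":
                    self.states[(src, dst)] = r.name
                return r.action
        return "block"                  # nothing matched: default deny (model assumption)

HOST = "192.168.4.120"                               # host from the original post
DST_OLD, DST_NEW = "203.0.113.10", "203.0.113.20"    # constructed WAN destinations
BLOCK = ((510, 570),)                                # 1hrBlock: 08:30-09:30
ALLOW = ((0, 510), (570, 1440))                      # assumed complement of 1hrBlock

def run(rules):
    fw = Firewall(rules)
    fw.tick(480)                                     # 08:00
    before = fw.packet(HOST, DST_OLD)                # connection opened before the window
    fw.tick(525)                                     # 08:45
    # same connection, then a new connection, both inside the window
    return [before, fw.packet(HOST, DST_OLD), fw.packet(HOST, DST_NEW)]

ALLOW_LAN = Rule("allow LAN", "pass", "any")
misordered = [ALLOW_LAN, Rule("1hrBlock", "block", HOST, BLOCK)]
scheduled_block = [Rule("1hrBlock", "block", HOST, BLOCK), ALLOW_LAN]
pass_then_block = [Rule("allowed hours", "pass", HOST, ALLOW), Rule("block host", "block", HOST), ALLOW_LAN]
```

`run()` returns the verdicts for the connection opened at 08:00, the same connection at 08:45, and a new connection at 08:45; only `pass_then_block` cuts off the connection that was already open.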