How to Disable Internet Access for a Period of Time Every Day or On a Schedule Using Pfsense
Say you want to disable internet access on a specific computer in your LAN/wifi between 11pm to 2am every day and you have the pfsense (https://pfsense.org) firewall properly setup. Here are the steps:
Assign static IP to the machine
- Login to pfsense dashboard > Status > DHCP Leases
- Find the current IP of the chosen machine
- Give is static IP by clicking on the first plus sign (light one) on the right.
Create schedule
- Log in to your pfSense web interface.
- Navigate to “Firewall” > “Schedules”.
- Click on the “+” button to add a new schedule.
- Define the schedule for blocking internet access from 11pm to 2am. You’ll need to add two times because one schedule does not go past the midnight. Test a few times and hit save.
Create an alias for the computer
- Go to “Firewall” > “Aliases”.
- Click on the “+” button to add a new alias.
- Create an alias for the specific computer’s IP address or MAC address. We’ll need this when setting up the firewall rule.
- You can actually add more than one IP in the alias field. Either separate them with a space or add them one by one by clicking on ‘save’.
Create the firewall rule
- Go to “Firewall” > “Rules”.
- Select the appropriate interface (e.g., LAN) where the computer is connected.
- Click on the “Add” button to create a new firewall rule.
- Set the following parameters: - Action: Block - Interface: LAN (or whichever interface is appropriate) - Protocol: Any (or specific protocols if needed) - Source: Single host or alias (select the alias you created for the computer) - Destination: Any - Description: Provide a description like “Block Internet Access during 11pm to 2am” - Click on “Display advanced” and select the schedule you created earlier under “Schedule”.
Save and Apply Changes
- After configuring the firewall rule, “Save” it.
- Apply the changes by clicking on the “Apply Changes” button at the top of the page.
VERY IMPORTANT - Order of the block rule
- Ensure your block rule is BEFORE “default allow LAN to any rule” also called the “allow everyone” rule. Rules are processed top down so the block rules need to be applied BEFORE the allow rules.
Test
- Test if the rule works. To do a quick test, you can remove the schedule, apply and see if it works. This way, you can check the block rule immediately.
Note: If you’ve installed TailScale (https://tailscale.com) on the client computer to be blocked, the rule explained above might not work.
Notes
- You can copy the rules on the Firewall Rules page, create more aliases and add them separately. This is handy if you want to turn off internet in the Roku devices or smart TVs in the house, separately.
⛱️