#1 Untanglit (Join Date Nov 2018; Posts 19)

I can't figure out the next step - block traffic - custom hours - custom username

    I've searched and I've attempted with various parts of Untangle but I can't quite figure out how to get to the final solution.

    I have a policy with the name "Sleep Hours". I also have a rule within Policy Manager that defines Sunday - Thursday 00:00 - 06:30 and Friday - Saturday 02:00 - 06:30 and username "user1" and have them moved to the Sleep Hours Policy.

    The piece I cannot get to is how to actually enforce the blocking of all internet traffic to the devices in the Sleep Hours policy, namely devices tagged as user1.

    Thanks in advance.

#2 jcoehoorn, Untangle Ninja (Join Date Mar 2010; Location York, NE; Posts 1,678)

    First of all, make sure you don't have both time sets in the same rule... because it's never Sunday/Thursday 0-6:30 and Friday/Saturday 2-6:30 at the same time.

    Second, the way I would do this is via the Firewall App. Set a block rule to match ports 80 and 443, maybe also 53. Or if you want to be really evil match on protocol for all TCP/UDP traffic.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty
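A small model of how rule conditions combine, added here as an example and not part of the original thread or of Untangle's own code. It assumes what jcoehoorn's advice relies on: every condition inside one Policy Manager rule must hold at the same time (conditions are ANDed), and the first matching rule decides the rack. The timestamps are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Day numbering follows datetime.weekday(): Monday=0 ... Sunday=6.
DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}

@dataclass
class Rule:
    """One Policy Manager rule: every condition must hold (conditions are ANDed)."""
    policy: str
    username: str
    windows: list  # list of (set_of_weekdays, start_time, end_time); ALL must match

    def matches(self, user: str, when: datetime) -> bool:
        if user != self.username:
            return False
        for days, start, end in self.windows:
            if when.weekday() not in days or not (start <= when.time() < end):
                return False  # one failed condition sinks the whole rule
        return True

def window(day_names, start, end):
    return ({DAYS[d] for d in day_names}, time.fromisoformat(start), time.fromisoformat(end))

def assign_policy(rules, user, when, default="Default"):
    """Rules are checked in order; the first match wins, otherwise the default rack."""
    for rule in rules:
        if rule.matches(user, when):
            return rule.policy
    return default

def policy_at(rules, user, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return assign_policy(rules, user, datetime.fromisoformat(iso_timestamp))

SUN_THU = window(["Sun", "Mon", "Tue", "Wed", "Thu"], "00:00", "06:30")
FRI_SAT = window(["Fri", "Sat"], "02:00", "06:30")

# Wrong: both time sets in ONE rule. They can never both be true at once, so nothing matches.
ONE_RULE = [Rule("Sleep Hours", "user1", [SUN_THU, FRI_SAT])]
# Right: one rule per time set, both sending user1 to the Sleep Hours rack.
TWO_RULES = [Rule("Sleep Hours", "user1", [SUN_THU]),
             Rule("Sleep Hours", "user1", [FRI_SAT])]

if __name__ == "__main__":
    # Constructed sample times: 2019-06-25 is a Tuesday, 2019-06-29 a Saturday.
    for stamp in ("2019-06-25T03:00", "2019-06-29T03:00", "2019-06-29T01:00"):
        print(stamp, "one rule:", policy_at(ONE_RULE, "user1", stamp),
              "| two rules:", policy_at(TWO_RULES, "user1", stamp))
```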

#3 Untanglit (Join Date Nov 2018; Posts 19)

Quote Originally Posted by jcoehoorn:
    First of all, make sure you don't have both time sets in the same rule... because it's never Sunday/Thursday 0-6:30 and Friday/Saturday 2-6:30 at the same time.

    Second, the way I would do this is via the Firewall App. Set a block rule to match ports 80 and 443, maybe also 53. Or if you want to be really evil match on protocol for all TCP/UDP traffic.

    That part I do have correct, (I think).

    So, let me understand. On the Sleep Hours rack, I have the Firewall app installed. Do I create a rule in the Firewall, one that blocks destination port 80 and another for port 443, with the only condition being the port 80 and 443?

    Will doing this only apply to this rack and leave all other racks unaffected?

    If the above question is yes, will the block action then only apply as I have set the rule above, during the sleep hours to that single user?

    I envision trying something like this and then losing access to my whole network because I did something wrong.

#4 Untanglit (Join Date Nov 2018; Posts 19)

    Sorry to bother, but, do I have this right based on the above?

    I guess the main question is does a firewall rule on one rack affect any of the firewall rules on other racks?

#5 jcoehoorn, Untangle Ninja (Join Date Mar 2010; Location York, NE; Posts 1,678)

    That sounds right.

    But first, use the session view to make sure the traffic really is sorted into the correct policy rack.

#6 Untanglit (Join Date Nov 2018; Posts 19)

Quote Originally Posted by jcoehoorn:
    That sounds right.

    But first, use the session view to make sure the traffic really is sorted into the correct policy rack.
    That was going to be a question too. How do I make sure this is working without staying awake then testing with one of her devices?

#7 jcoehoorn, Untangle Ninja (Join Date Mar 2010; Location York, NE; Posts 1,678)

Quote Originally Posted by glen4cindy@gmail.com:
    How do I make sure this is working without staying awake then testing with one of her devices?
    First, let's go over how to check what policy you're using. For this part, it's important you don't activate the block rule right away.

    There's a Session button on the very top right of the main dashboard page. It will open a window to show things moving through the server. The trick is, many sessions -- especially blocked sessions -- last too short a time to get them to show up here easily when you really need them. If you don't load the Session Viewer at just the right time, you could miss them. So what we'll do is start something that will last a little longer: a YouTube video, Netflix stream, file download etc. For this part, we want the traffic to actually flow, so the session lasts and you can find it easily.

    When you do find the session in the list, see what Policy it is using; by default it will be shown in the third column.

    Now that we know how to check the policy, the problem is with the timing. You don't want to be up at 2am to verify things. But you can write a rule that takes effect at 2pm... or just a few minutes after whatever time it is you're working on this. Verify this other rule does what it's supposed to, and play around with it until you're comfortable it works the way you expect. Then adjust the time, and nothing else, to match what you really want.

While you do this, keep the Block rule off to test the right policy assignment, and turn it on to verify the rule actually does what it's supposed to.

    There's one more important thing. Sessions are processed when they're first created. So if you create a long-running session like I suggest, check the rule, and then make a tweak, the session won't be re-categorized. You need to close the session (stop your download or stream) and start a new one to check your change. This applies to both policy sorting and the block rule.

    After you're comfortable traffic is using the right policy at the right times, then you can go turn on the Block rule again.

Finally, I did think of one other way you might implement the block. You can use a Captive Portal that will capture all traffic. Choose a captive page that requires authentication, but only provide a broken authentication service. If you're really good, you can add CSS styles to the message section that will hide the login form completely (I've done this). Even just the basic login is fine if you're sure your kids won't have good credentials. This also makes it easy to bypass the block for them on a case-by-case basis.

    There was a time in the past when Captive Portal let you create time-based rules, like in Policy Manager. It was the only "App" that let you do this, and since it's also one of the free Apps there were some people who used this as a poor-man's policy manager.
    Last edited by jcoehoorn; 06-29-2019 at 08:02 PM.