
Block LAN hosts by schedule on pfSense.

It is a fairly straightforward process to block specific LAN hosts based on a schedule
using pfSense. To block a specific set of LAN hosts you will need to add a Rule, an
Alias and a Schedule.

A scenario where it might be useful to block a specific set of LAN hosts on a schedule in
your office is during known closed hours. This can help prevent practice computers
from being used for personal purposes, which increases the security vulnerability
footprint. If you have a practice with satellite offices, keeping the workstations locked
down when the satellite office is closed to patients will keep unauthorized users from
accessing information.

For easier management of workstations, their location and their access to the network,
workstations should either have fixed IP addresses or, preferably, use pfSense to assign
static mappings.

To add a block for LAN computers, start by defining a schedule. For my example I will
be blocking four machines from 1 P.M. to 7 P.M.

Start by logging in to your pfSense firewall and browse to:

Firewall->Schedules

Click the Plus icon in the far right column. This will open the Schedules:Edit screen.
Give the schedule a name. It cannot contain any special characters, including spaces.
You can, however, be more detailed in the description field. To select the days you
would like the schedule to be active, click on either the weekday headings or specific
days of the month. These selections are recurring, even though they seem to be
specific dates. Select your time range using 24-hour format, add a time description
and click add. You can add multiple time ranges as well. When you are finished, click
the Save button.

Next, add an Alias for the workstations you want to block.

Firewall->Aliases

Click the Plus icon in the far right column. This will open the Firewall:Aliases:Edit
screen.

Enter the appropriate name and description. To block LAN hosts we will be using the
Host(s) type. In the hosts detail section, add one IP address per line. You can add
additional hosts by clicking the Plus icon. When you have added all the hosts, click the
save button.

After saving the alias it will appear in the alias list. You must click the "apply changes"
button to activate these changes.

Finally, add a rule.

Firewall->Rules

Click the Plus icon in the far right column. This will open the Firewall:Rules:Edit screen.
Start by changing the action to "Block". Select TCP/UDP for Protocol (just block it all).
Next, select "Single host or alias" for source. Start typing the alias name you created
earlier and it will appear in a drop-down list. Finally, add a description. Don't click save
yet; you still need to select the schedule.

Click the "Advanced" button next to Schedule in the advanced section. Select the
schedule you created earlier. Now click the save button when everything is correct.
Finally check to make sure that the rule is in the right position. In the above picture the
rule will not apply because it is superseded by the "LAN Net" rule that allows all.

To move the rule, click the check-box to the left, then select the "Move selected rule
before this one" icon pictured above. Click apply changes and you are done.
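
The rule-position point above, as an added example (not part of the original page and not pfSense code): a simplified Python model of top-down, first-match rule evaluation with a scheduled block rule. The IP addresses, subnet and variable names are constructed for illustration; the model also shows that a rule limited to TCP/UDP leaves other protocols such as ICMP to the allow rule below it.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample data: alias members, LAN subnet and schedule window.
BLOCKED_HOSTS = {"192.168.1.21", "192.168.1.22", "192.168.1.23", "192.168.1.24"}
LAN_NET = ip_network("192.168.1.0/24")
SCHEDULE = (time(13, 0), time(19, 0))  # 1 P.M. to 7 P.M.

@dataclass
class Rule:
    action: str              # "pass" or "block"
    sources: object          # set of host IPs (alias) or an ip_network
    protocols: frozenset     # protocols the rule matches
    schedule: tuple = None   # (start, end), or None for always active

    def matches(self, src, proto, now):
        if self.schedule and not (self.schedule[0] <= now < self.schedule[1]):
            return False     # outside its schedule the rule is inactive
        if proto not in self.protocols:
            return False
        if isinstance(self.sources, set):
            return src in self.sources
        return ip_address(src) in self.sources

def evaluate(rules, src, proto, now):
    """Top-down, first match wins; no match falls through to default deny."""
    for rule in rules:
        if rule.matches(src, proto, now):
            return rule.action
    return "block"

ANY = frozenset({"tcp", "udp", "icmp"})
allow_lan = Rule("pass", LAN_NET, ANY)  # the "LAN Net" allow-all rule
sched_block = Rule("block", BLOCKED_HOSTS, frozenset({"tcp", "udp"}), SCHEDULE)

shadowed = [allow_lan, sched_block]     # block rule below the allow-all rule
corrected = [sched_block, allow_lan]    # block rule moved above it

if __name__ == "__main__":
    checks = (("tcp", time(14, 0)), ("icmp", time(14, 0)), ("tcp", time(20, 0)))
    for name, rules in (("shadowed", shadowed), ("corrected", corrected)):
        for proto, now in checks:
            print(name, proto, now, evaluate(rules, "192.168.1.21", proto, now))
```
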

Additionally, you can see which schedule is currently in effect by browsing to the
Firewall->Schedules screen. Active schedules will have a clock next to the name.
