[Solved] Block internet from *all*

Reading on parental controls and I know how to set up a rule to block on a per IP or MAC basis. What I want to do is basically turn off the WAN on a time basis. I sleep at night but my kids do not want to and have no will power to change it. I've tried many things with no positive results. I want to be able to turn all the internet (wan) access off automatically at midnight and back on at 5. My one kid knows how to spoof a MAC, so MAC blocking or IP blocking does not work.
Also, many new phones do MAC spoofing as part of their normal operation (Android 9+, maybe. I know Android 10 does for sure).

I went in to the General Settings -> Zones and there are no time based rules that can be added. Is there another way to do this other than unplugging the cable?

Thanks,

Keith

ifdown (interface), and ifup in the morning, using cron.

3 Likes

Ok, I tried this and it seems to only half work.

# crontab -l
1 0 * * 0-4 ifconfig eth0.2 down
0 5 * * 0-4 ifconfig eth0.2 up

Like it says in the wiki, the space on the last line is important.
What I get is this, in the log:
I get no lines notifying that it takes the internet down and since it is not down, there are no DHCP messages where it gets the IP back from the router.
Mon Nov 29 05:00:00 2021 cron.err crond[1796]: USER root pid 20686 cmd ifconfig eth0.2 up

Why did it not take it down at midnight and why does it say "cron.err"?

This is what I expect in the log at midnight and at 5am, but after the cron lines but I do not see it (this is me taking it down and up from the cli):

Mon Nov 29 06:15:12 2021 daemon.notice netifd: VLAN 'eth0.2' link is down
Mon Nov 29 06:15:12 2021 daemon.notice netifd: Interface 'wan' has link connectivity loss
Mon Nov 29 06:15:12 2021 daemon.notice netifd: Interface 'wan6' has link connectivity loss
Mon Nov 29 06:15:12 2021 daemon.err odhcp6c[2096]: Failed to send RS (Permission denied)
Mon Nov 29 06:15:12 2021 daemon.err odhcp6c[2096]: Failed to send RELEASE message to ff02::1:2 (Permission denied)
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan6 (2096): Command failed: Permission denied
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): udhcpc: received SIGTERM
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): udhcpc: unicasting a release of xxx.xxx.xxx.xxx to 192.168.x.254
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): udhcpc: sending release
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): udhcpc: connect: Network unreachable
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): udhcpc: entering released state
Mon Nov 29 06:15:12 2021 daemon.notice netifd: wan (2088): Command failed: Permission denied
Mon Nov 29 06:15:12 2021 daemon.notice netifd: Interface 'wan' is now down
Mon Nov 29 06:15:13 2021 daemon.notice netifd: Interface 'wan6' is now down
...
Mon Nov 29 06:15:35 2021 daemon.notice netifd: VLAN 'eth0.2' link is up
Mon Nov 29 06:15:35 2021 daemon.notice netifd: Interface 'wan' has link connectivity
Mon Nov 29 06:15:35 2021 daemon.notice netifd: Interface 'wan' is setting up now
Mon Nov 29 06:15:35 2021 daemon.notice netifd: Interface 'wan6' has link connectivity
Mon Nov 29 06:15:35 2021 daemon.notice netifd: Interface 'wan6' is setting up now
Mon Nov 29 06:15:35 2021 kern.info kernel: [22306.330511] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.2: link becomes ready
Mon Nov 29 06:15:35 2021 daemon.err odhcp6c[25516]: Failed to send RS (Address not available)
Mon Nov 29 06:15:35 2021 daemon.notice netifd: wan (25519): udhcpc: started, v1.33.1
Mon Nov 29 06:15:35 2021 daemon.notice netifd: wan (25519): udhcpc: sending discover
Mon Nov 29 06:15:35 2021 daemon.err odhcp6c[25516]: Failed to send SOLICIT message to ff02::1:2 (Address not available)
Mon Nov 29 06:15:36 2021 daemon.notice netifd: wan (25519): udhcpc: sending select for xxx.xxx.xxx.xxx
Mon Nov 29 06:15:37 2021 daemon.notice netifd: wan (25519): udhcpc: lease of xxx.xxx.xxx.xxx obtained, lease time 600
Mon Nov 29 06:15:37 2021 daemon.notice netifd: Interface 'wan' is now up

Why are you not using the commands suggested by @frollic? i.e. ifdown and ifup with the appropriate interface name?

2 Likes

As an alternative, you can get the same result inserting this simple iptables rule in /etc/firewall.user.

iptables -A forwarding_rule -m time --timestart 00:01:00 --timestop 05:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -j REJECT

Well, I have not used ifup/down but have used ifconfig. I can try it with that and see if it is acts differently. I thought they would behave the same.

Basically "ifdown eth0.2" and "ifup eth0.2"

I'll try tonight and see how it goes.

I'll look at this next.

You must use the logical interface name, eg ifdown wan, ifup wan.
Using the physical interface name will return an error message.

1 Like

I tried this last night and it does not seem to work either.

# crontab -l
1 0 * * 0-4 ifdown wan; ifdown wan6
0 5 * * 0-4 ifup wan; ifup wan6

I was up at 3 and the internet was still on. I sent it down and expected it to be back up at 5am, but it was up way before that. This does not seem to work for some reason. Any pointers appreciated.
I will try the iptables command next.

try separating the two ifdowns & ups, even though command stacking is supported in cron,
I'm not sure it is in busybox.

there is a page in the wiki about parental controls, you can do this to disable internet access (don't put MAC address and it should work on all MAC) https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#time_restriction_of_internet_access
this is done through firewall rules

Although you say you did not find this, maybe you looked in the wrong place

1 Like

Not sure if it will help, but I personally use the traffic rules tab in the firewall using LuCI to block access to all the clients with timed restrictions. The main point is restarting the firewall after changing the rules. And it works fine.

Do your kids have physical access to the router? Are you sure they don't restart it (cutting the power for example) as soon as they see that the internet has stopped.

Were there any entries in the system log at the times you expected the cron jobs to run?

@bobafetthotmail I saw this, but did not know that not specifying any MAC would make it for all MAC. This should be in the docs. I may try that. It would be cool if you could put a (-)MAC somehow to get it to enforce for all MAC except the ones listed in case there is something running that benefits from 24/7 internet access.
@pavelgl You may be on to it. It was restarted at 1:45AM. Those little trolls restarted it.
Setting a firewall rule should make it enforce no matter if the router was rebooted, right? I put your rule suggestion in the Firewall -> Custom Rule page and will see how it goes tonight. I hate fighting this with them, but they cannot walk away from the computer even for sleep. It is a sickness. I am trying to get them to get a reasonable amount of sleep and down time away from the keyboard.

Keith
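For reference, this is the same time restriction as pavelgl's iptables rule, written as fw3 rules in /etc/config/firewall (the form the wiki page linked above describes). It is an added example, not text from the wiki or from anyone in this thread. The first rule shows the "all MAC except the ones listed" idea: fw3 evaluates rules in file order, so an ACCEPT for one device placed before the time-limited REJECT exempts it; the MAC below is a placeholder, and as noted earlier in the thread such an exemption is only as strong as the MAC itself.

```uci
# Added to /etc/config/firewall (example, not from the wiki page itself).
# Rules are evaluated in file order, so the ACCEPT for the exempt device
# must come before the REJECT that covers every other LAN client.
config rule
	option name 'exempt-device-at-night'
	option src 'lan'
	# placeholder: MAC of a device that should keep 24/7 access
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'block-lan-to-wan-at-night'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	# local router time (same as --kerneltz); 00:01 to 05:00 on the
	# nights before Mon..Fri
	option start_time '00:01'
	option stop_time '05:00'
	option weekdays 'Sun Mon Tue Wed Thu'
	option target 'REJECT'
```

As pointed out above, the firewall has to be reloaded after editing this (/etc/init.d/firewall restart), and because it is part of the saved firewall config it is re-applied on every boot, unlike a one-shot cron job.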

You might want to check out luci-app-wifi-schedule and see if that works for you. Turns on and off wifi on a schedule you set. It might work!

edit: I just saw that you want to cut off all internet, sorry.

How about this: remove lan-to-wan forwarding. Create a script that looks for a successful ntp sync and evaluates the time. If the sync has been successful and the time is in the allowed range, add a forwarding rule to enable lan > wan. Else, delete the forwarding rule.

1 Like

In worst case scenario, you can run the ifdown in cron every min during the internet down hours, then the internet will stay up for 1 min, before it gets shut down again, even if they reboot the router.

If you want to mess with them, run the ifdown every 5 or 10 mins, give them some time to start gaming, before you cut off the access again.

I just hope they don't have infinite data on their cell phone subscriptions, that would be the next step, if the regular internet goes down.

1 Like
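An added example (mine, not code from anyone in this thread) that combines the two suggestions above: the NTP-aware script that adds or deletes the lan-to-wan forwarding rule, run from cron every minute so that a reboot only buys a minute of access. It assumes the zone forwarding lan->wan has been removed from /etc/config/firewall, that the script lives at /root/wan_schedule.sh (name assumed), and it uses br-lan and eth0.2 (the WAN device from this thread) as the interface names. Clock sync is approximated by checking that the year is at least 2021, since a router without an RTC battery boots with an old date until NTP corrects it; the router's own NTP traffic goes through OUTPUT, not FORWARD, so it is never blocked by this rule.

```shell
#!/bin/sh
# Hypothetical /root/wan_schedule.sh. Cron line (every minute):
#   * * * * * /root/wan_schedule.sh apply
# Without the "apply" argument the script only defines functions, so it can be
# sourced or tested safely. Blocked window: 00:01-05:00 on the nights before
# Mon..Fri, the same window as the cron and iptables examples in this thread.
BLOCK_START=1            # minutes after midnight (00:01)
BLOCK_STOP=300           # 05:00
BLOCK_DAYS="0 1 2 3 4"   # date +%w: 0=Sun .. 4=Thu
SANE_YEAR=2021           # assumed: an earlier year means NTP has not synced yet

# in_blocked_window HOUR MINUTE WEEKDAY -> returns 0 if forwarding should be off.
# Leading zeros from date(1) are stripped so "08" is not read as octal.
in_blocked_window() {
    hour=${1#0}; hour=${hour:-0}
    minute=${2#0}; minute=${minute:-0}
    wday=$3
    now=$((hour * 60 + minute))
    for d in $BLOCK_DAYS; do
        if [ "$d" = "$wday" ] && [ "$now" -ge "$BLOCK_START" ] && [ "$now" -lt "$BLOCK_STOP" ]; then
            return 0
        fi
    done
    return 1
}

# clock_is_synced YEAR -> returns 0 if the clock looks like it came from NTP
# rather than the default date a router boots with.
clock_is_synced() {
    [ "$1" -ge "$SANE_YEAR" ]
}

# decide YEAR HOUR MINUTE WEEKDAY -> prints "allow", "block" or "unknown".
# "unknown" (clock not yet synced) is treated like "block": fail closed.
decide() {
    if ! clock_is_synced "$1"; then
        echo unknown
    elif in_blocked_window "$2" "$3" "$4"; then
        echo block
    else
        echo allow
    fi
}

# The only rule that permits LAN->WAN forwarding once the zone forwarding is
# removed. iptables -C makes the add/delete idempotent across runs, and running
# every minute also restores the rule after a firewall restart flushes it.
RULE="FORWARD -i br-lan -o eth0.2 -m comment --comment wan_schedule -j ACCEPT"
apply_decision() {
    case "$1" in
        allow)          iptables -C $RULE 2>/dev/null || iptables -I $RULE ;;
        block|unknown)  if iptables -C $RULE 2>/dev/null; then iptables -D $RULE; fi ;;
    esac
}

if [ "${1:-}" = apply ]; then
    set -- $(date '+%Y %H %M %w')      # e.g. "2021 00 30 1"
    apply_decision "$(decide "$1" "$2" "$3" "$4")"
fi
```

Because the decision logic is separate from the iptables call, the schedule can be checked on any machine before it is installed on the router, and changing the window means editing the three variables at the top only.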

all firewall rules can have any kind of limit to MAC or source or destination, if you leave the field empty it's assumed "all" or "no limit" for that specific thing.
Will make this more clear in the wiki.

Rebooting will reset the system clock (the router has no battery to keep clock state when powered off like a PC does), but one of the first things done on boot is network time sync, so it will read the time from internet servers, and after that is set, the time-based firewall rule will be activated.

If the kids want to screw with this setup they need to add another router/firewall between WAN port and modem (or get into modem web interface and use its own firewall), that blocks access to ntp servers.

Just leaving this here, because if you want to play this game you need to be one step ahead.

Adding network limitations is a great way to train them to get into an IT job I guess, or at least that's what happened with me.
I even started using Linux because of limitations imposed on my home PC.

It worked. The little urchins tried to reboot the router at midnight and then gave up as it did not pass any data. This AM it was all back. Perfect. Also nice and easy as if I want to disable it for whatever reason, I can just unselect the rule and save in Luci. Very nice and thanks for all the hints!