Device: Xiaomi Redmi AC 2100
OpenWRT 24.10.4
I am trying to block all internet access at certain times using firewall rules.
Firewall rules
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime Sorelle'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '15:45:00'
option stop_time '18:15:00'
list src_mac '20:88:10:75:82:73'
list proto 'all'
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime Sorelle'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '23:15:00'
option stop_time '03:00:00'
list src_mac '20:88:10:75:82:73'
list proto 'all'
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime everyone else'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '23:15:00'
option stop_time '03:00:00'
list proto 'all'
It seems that when the downtime starts, new connections are rejected but existing connections are not dropped. The computers are often used with proxies/VPNs (on the device, not the router); as a result, if the proxy/VPN was started before the downtime, the internet continues to work when it should be rejected.
I tried adding cron jobs to restart the network service a few seconds after the firewall rules take effect. This did drop active connections, so it blocked the computers that were connected to VPNs and prevented them from reconnecting; however, the next morning the internet did not come back. I tried restarting the network service manually and by power cycling, but both times this enabled browsing for about 5 seconds and then blocked it again, until I removed the cron commands. The time and time zone on the router status page were correct even while blocked.
I have 2 WAN connections and use PBR to control which device goes out via which WAN; I am not sure whether this affects the firewall rules.
Complete config (there is some leftover configuration from mwan3, which I used with OpenWrt 23; I no longer need those features, so the 24 build includes PBR instead, but I did not delete the mwan3 config for fear of breaking a working system).
Complete config - UCI Export
package attendedsysupgrade
config server 'server'
option url 'https://sysupgrade.openwrt.org'
config client 'client'
option upgrade_packages '1'
option auto_search '0'
option advanced_mode '0'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'
config host
option name 'OBi212'
option ip '192.168.1.3'
option mac '9C:AD:EF:07:11:AF'
config host
option mac '20:88:10:75:82:73'
option ip '192.168.1.4'
config host
option mac 'A4:D7:3C:17:5C:13'
option ip '192.168.1.5'
config host
option mac '54:48:E6:56:45:D2'
option ip '192.168.1.2'
package dropbear
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
package firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'pppoegt'
list network 'pppoenf'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option src 'lan'
option dest 'wan'
option name 'Phone'
list src_ip '192.168.1.3'
option target 'ACCEPT'
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime Sorelle'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '15:45:00'
option stop_time '18:15:00'
list src_mac '20:88:10:75:82:73'
list proto 'all'
option enabled '0'
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime Sorelle'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '23:15:00'
option stop_time '03:00:00'
list src_mac '20:88:10:75:82:73'
list proto 'all'
option enabled '0'
config rule
option src 'lan'
option dest 'wan'
option name 'Downtime everyone else'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '23:15:00'
option stop_time '03:00:00'
list proto 'all'
option enabled '0'
package luci
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
option ubuspath '/ubus/'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
option BootstrapDark '/luci-static/bootstrap-dark'
option BootstrapLight '/luci-static/bootstrap-light'
config internal 'apply'
option rollback '90'
option holdoff '4'
option timeout '5'
option display '1.5'
config internal 'diag'
option dns 'openwrt.org'
option ping 'openwrt.org'
option route 'openwrt.org'
package luci-opkg
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
option ubuspath '/ubus/'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
config internal 'apply'
option rollback '90'
option holdoff '4'
option timeout '5'
option display '1.5'
package mwan3
config globals 'globals'
option mmx_mask '0x3F00'
config interface 'pppoenf'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config interface 'pppoegt'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config member 'Netfree'
option interface 'pppoenf'
config member 'GT'
option interface 'pppoegt'
config policy 'Filtered'
option last_resort 'unreachable'
list use_member 'Netfree'
config policy 'Unfiltered'
list use_member 'GT'
option last_resort 'unreachable'
config rule 'UnfilteredIP'
option proto 'all'
option src_ip '192.168.1.0/29'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Techloq1'
option proto 'all'
option dest_ip '185.182.70.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Techloq2'
option proto 'all'
option dest_ip '185.182.71.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Techloq3'
option proto 'all'
option dest_ip '204.128.182.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Techloq4'
option proto 'all'
option dest_ip '52.239.136.101'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Techloq5'
option proto 'all'
option dest_ip '52.142.81.160'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark1'
option proto 'all'
option dest_ip '37.60.47.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark2'
option proto 'all'
option dest_ip '38.86.33.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark3'
option proto 'all'
option dest_ip '38.123.230.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark4'
option proto 'all'
option dest_ip '38.125.100.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark5'
option proto 'all'
option dest_ip '52.63.135.140/30'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark6'
option proto 'all'
option dest_ip '81.2.149.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark7'
option proto 'all'
option dest_ip '141.226.232.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark8'
option proto 'all'
option dest_ip '154.59.96.0/25'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark9'
option proto 'all'
option dest_ip '15.184.78.151/32'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark10'
option proto 'all'
option dest_ip '15.184.68.145/32'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark11'
option proto 'all'
option dest_ip '80.178.157.0/25'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark12'
option proto 'all'
option dest_ip '212.76.127.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'Netspark13'
option proto 'all'
option dest_ip '213.151.32.0/22'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUK1'
option proto 'all'
option dest_ip '51.89.201.66'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUK2'
option proto 'all'
option dest_ip '51.89.201.67'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechAU1'
option proto 'all'
option dest_ip '139.99.235.28'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechAU2'
option proto 'all'
option dest_ip '139.99.210.166'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechIL1'
option proto 'all'
option dest_ip '185.162.124.89'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechIL2'
option proto 'all'
option dest_ip '185.162.124.192'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUS1'
option proto 'all'
option dest_ip '167.114.13.2/29'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUS2'
option proto 'all'
option dest_ip '108.61.94.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUS3'
option proto 'all'
option dest_ip '192.157.84.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUS4'
option proto 'all'
option dest_ip '192.157.90.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'GentechUS5'
option proto 'all'
option dest_ip '192.157.92.0/24'
option sticky '0'
option use_policy 'Unfiltered'
config rule 'FilteredIP'
option proto 'all'
option dest_ip '0.0.0.0/0'
option sticky '0'
option use_policy 'Filtered'
package mwan3-opkg
config globals 'globals'
option mmx_mask '0x3F00'
config interface 'wan'
option enabled '1'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '2'
config interface 'wan6'
option enabled '0'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '2'
config interface 'wanb'
option enabled '0'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '1'
config interface 'wanb6'
option enabled '0'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '1'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '3'
config member 'wan_m2_w3'
option interface 'wan'
option metric '2'
option weight '3'
config member 'wanb_m1_w2'
option interface 'wanb'
option metric '1'
option weight '2'
config member 'wanb_m1_w3'
option interface 'wanb'
option metric '1'
option weight '3'
config member 'wanb_m2_w2'
option interface 'wanb'
option metric '2'
option weight '2'
config member 'wan6_m1_w3'
option interface 'wan6'
option metric '1'
option weight '3'
config member 'wan6_m2_w3'
option interface 'wan6'
option metric '2'
option weight '3'
config member 'wanb6_m1_w2'
option interface 'wanb6'
option metric '1'
option weight '2'
config member 'wanb6_m1_w3'
option interface 'wanb6'
option metric '1'
option weight '3'
config member 'wanb6_m2_w2'
option interface 'wanb6'
option metric '2'
option weight '2'
config policy 'wan_only'
list use_member 'wan_m1_w3'
list use_member 'wan6_m1_w3'
config policy 'wanb_only'
list use_member 'wanb_m1_w2'
list use_member 'wanb6_m1_w2'
config policy 'balanced'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w3'
list use_member 'wan6_m1_w3'
list use_member 'wanb6_m1_w3'
config policy 'wan_wanb'
list use_member 'wan_m1_w3'
list use_member 'wanb_m2_w2'
list use_member 'wan6_m1_w3'
list use_member 'wanb6_m2_w2'
config policy 'wanb_wan'
list use_member 'wan_m2_w3'
list use_member 'wanb_m1_w2'
list use_member 'wan6_m2_w3'
list use_member 'wanb6_m1_w2'
config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'balanced'
config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
option family 'ipv4'
config rule 'default_rule_v6'
option dest_ip '::/0'
option use_policy 'balanced'
option family 'ipv6'
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7a:4281:ba59::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option type 'macvlan'
option ifname 'wan'
option mode 'vepa'
option name 'wanmac0'
option macaddr '00:15:E9:DE:A0:14'
option mtu '1500'
config interface 'pppoegt'
option proto 'pppoe'
option device 'wan'
option username '***@GT'
option password '***'
option ipv6 '0'
option metric '20'
config interface 'pppoenf'
option proto 'pppoe'
option device 'wanmac0'
option username '***@w019'
option password '***'
option ipv6 '0'
option metric '10'
option keepalive '10 10'
config device
option name 'pppoe-pppoenf'
option macaddr '00:15:E9:DE:A0:14'
option multicast '1'
option acceptlocal '1'
option dadtransmits '5'
config device
option name 'pppoe-pppoegt'
option promisc '1'
package pbr
config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option rule_create_option 'add'
option procd_boot_trigger_delay '5000'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list supported_interface 'pppoegt'
list supported_interface 'pppoenf'
option uplink_interface 'pppoenf'
config policy
option name 'sorelle_work'
option src_addr '20:88:10:75:82:73'
option interface 'pppoegt'
config policy
option name 'phone'
option src_addr '9C:AD:EF:07:11:AF'
option interface 'pppoegt'
config policy
option name 'else'
option dest_addr '0.0.0.0/0'
option interface 'pppoenf'
package rpcd
config rpcd
option socket '/var/run/ubus/ubus.sock'
option timeout '30'
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
package system
config system
option hostname 'OpenWrt'
option timezone 'IST-2IDT,M3.4.4/26,M10.5.0'
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
option compat_version '1.1'
option zonename 'Asia/Jerusalem'
option log_proto 'udp'
option conloglevel '8'
option cronloglevel '5'
config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
config led 'led_wan'
option name 'wan'
option sysfs 'white:wan'
option trigger 'netdev'
option mode 'link tx rx'
option dev 'wan'
package ubihealthd
config ubi-device 'ubi0'
option device '/dev/ubi0'
option enable '1'
package ubootenv
config ubootenv
option dev '/dev/mtd1'
option offset '0x0'
option envsize '0x1000'
option secsize '0x20000'
config ubootsys
option dev '/dev/mtd2'
option offset '0x0'
option envsize '0x4000'
option secsize '0x20000'
package ucitrack
config network
option init 'network'
list affects 'dhcp'
config wireless
list affects 'network'
config firewall
option init 'firewall'
list affects 'luci-splash'
list affects 'qos'
list affects 'miniupnpd'
config olsr
option init 'olsrd'
config dhcp
option init 'dnsmasq'
list affects 'odhcpd'
config odhcpd
option init 'odhcpd'
config dropbear
option init 'dropbear'
config httpd
option init 'httpd'
config fstab
option exec '/sbin/block mount'
config qos
option init 'qos'
config system
option init 'led'
option exec '/etc/init.d/log reload'
list affects 'luci_statistics'
list affects 'dhcp'
config luci_splash
option init 'luci_splash'
config upnpd
option init 'miniupnpd'
config ntpclient
option init 'ntpclient'
config samba
option init 'samba'
config tinyproxy
option init 'tinyproxy'
package uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
list ucode_prefix '/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc'
config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel 'auto'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'IL'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Redmi'
option encryption 'psk2'
option key 'alex5513'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '44'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country 'IL'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Redmi'
option encryption 'psk2'
option key 'alex5513'
option disabled '1'
Many thanks