Enforcing parental control on/off/on

I'm trying to do something rather complicated, and I'm not sure how.

The image below was created to reduce the complexity in explaining what I'm trying to do:

Any help is deeply appreciated.

What are you going to parent?
Sites or internet?

I'm trying to limit access to the internet based, for example, on the times indicated in the image.

Then bring down the wan interface using cron.

@frollic good and thanks.
But, and this is my fault, the restrictions must apply to only certain clients, hence the parental control. This is partly possible with Traffic Firewall Rules, but those rules can only be applied once per day, not multiple rules based on the same day, as I need in my image.

Use the DHCP to provide the clients two different DNSes.

The ones not to be blocked could use 1.1.1.1, while the other ones would use the router's DNS.

Then stop the router DNS during off hours.

@ thanks a lot for this. Novice as I am, I really don't know how to deploy this ingenious idea.
Here's what I'm used to and have done before, for example. That's just a test today that did work. But then I realized the multiple on/off/on on the same day cannot be deployed with what you see below:


Screenshot 2023-01-10 at 17.07.40

Option 6 is DNS IP.

Use two separate allow rules for the periods that you want to allow. Or you can use multiple deny rules for the times that you want to deny. Your chart shows only one deny period, but actually the middle of the night is also to be denied. That will probably require two rules for the times before and after 0:00.

@mk24 Mike, thanks a lot! You picked up on a very important point, between 21:30 and 07:20, access should be denied. How did I miss that!? :grinning:

Now, coming to your solution, could be the time of day, but do you have a sample solution you could please show me? I was also thinking of having a blanket deny rule for the entire day, and then allow certain times of day. But that can only be done once in a day.

You will need to define two separate rules with one time period in each rule. When either of the allow rules passes its conditions, access will be allowed. Otherwise it will reach the default which is to deny. To make the default deny, remove the unconditional lan->wan forward. Specific forwards like the time-based rules will still apply.

The order in which firewall rules appear is important. Starting from the top of the list, each one will be considered until one is found that applies to the packet being considered. Then that action will be taken, and the rest of the list is not processed. This is why there are up and down buttons on LuCI.
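The two-allow-rule approach and the top-down ordering described above, sketched as an added `/etc/config/firewall` fragment (an example written for this page, not posted by anyone in the thread). The 07:20 and 21:30 boundaries come from the thread; the MAC address and the midday break are constructed placeholders, and zones named `lan` and `wan` are assumed. As a variation, it ends with a reject rule for the one client instead of removing the lan->wan forward, so other clients keep their access.

```uci
# Allow window 1 (constructed end time): 07:20 to 12:00
config rule
	option name 'kids-allow-morning'
	option src 'lan'
	option dest 'wan'
	option src_mac 'AA:BB:CC:DD:EE:FF'   # placeholder MAC
	option proto 'all'
	option start_time '07:20:00'
	option stop_time '12:00:00'
	option target 'ACCEPT'

# Allow window 2 (constructed start time): 14:00 to 21:30
config rule
	option name 'kids-allow-evening'
	option src 'lan'
	option dest 'wan'
	option src_mac 'AA:BB:CC:DD:EE:FF'   # placeholder MAC
	option proto 'all'
	option start_time '14:00:00'
	option stop_time '21:30:00'
	option target 'ACCEPT'

# Per-client default: no time options, so it matches whenever neither
# allow rule above did. This covers the midday break and the whole
# 21:30 to 07:20 night without a rule that spans 0:00.
config rule
	option name 'kids-deny-otherwise'
	option src 'lan'
	option dest 'wan'
	option src_mac 'AA:BB:CC:DD:EE:FF'   # placeholder MAC
	option proto 'all'
	option target 'REJECT'
```

The two ACCEPT rules must stay above the REJECT rule, because the first matching rule decides. Connections already established when a window closes are carried by connection tracking, so they can outlive the window until they end.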

@mk24 @frollic I will give this a try first and report back. Thanks a lot guys!

How I do it is put the device MAC and name as a static lease but it doesn't have to be a static IP:

Create a firewall traffic rule. I have this device to not have access from 12AM-6AM (I only have an IPv4 network so that's why it's IPv4 only):

Tying firewall rules to a MAC address or IP address is not good security as addresses are easily spoofed on the endpoint device. Also that iPhone has generated a random MAC for privacy, and it may change.

It will work a lot better to set up an entirely separate limited-access network for kids, using the same process as a guest network. Only give kids the password to the kids wifi.

You're right, I would do things differently in an enterprise network.

On the kids' iPhones, I've captured both MAC addresses, so if they toggle the private address button the time restriction rule still applies. I'll also know they did it from the lease times.

@frollic Mike, but using MAC is the option that's in the Firewall Traffic Rule, a standard method. Though you're right, does that now mean that option should be removed from the firmware?

Concerning the kids' network, would that be a better way than the firewall rule option? And if I may, why do you think so?

I think we may have arrived at a spot where a feature request could be filed? Perhaps based on my original post?
