Firewall block Wan during night time but allow Lan

Hi, I have set up OpenWrt with adblock and multiple dnsmasq instances (adults' and kids' LANs) with DNS over HTTPS etc., but I'm having trouble blocking the kids' LAN from the internet at night.

I have set up a firewall rule as below but it does not seem to work:

There you go.

The solution in the link says to select the Advanced Settings tab and specify the source MAC address.

The problem is that I want to block a whole address range on the second dnsmasq instance on the kids' LAN, 192.168.2.0/24, but it does not seem to work.

I don't want to have to block multiple MAC addresses, as it could get very long and confusing.

Using MAC addresses is better, because it covers the case of IPv6. Anyway...
Post here the output of uci export firewall ; iptables-save -c -t filter

It does not really matter what it blocks; I want everything on the kids' LAN blocked from accessing the net from 10pm to 7am. I don't care if they still have access to the LAN, as I have a file server with Plex running that they could use.
I had it set up with crontab before, turning off the kids' wifi, but for some reason sometimes DHCP would not come back up and required a router reboot or a restart from uci.

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Adults_Lan'
        option name 'Adults_Zone'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'Wan Wan6'
        option name 'Wan_Zone'

config forwarding
        option src 'Adults_Zone'
        option dest 'Wan_Zone'

config rule
        option name 'Kids wan disable'
        option enabled '0'
        option src 'Kids_Zone'
        option dest 'Wan_Zone'
        option target 'REJECT'
        option start_time '20:00:00'
        option stop_time '06:30:00'
        list src_ip '192.168.2.0/24'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'Wan_Zone'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Kids_Lan'
        option name 'Kids_Zone'

config forwarding
        option src 'Kids_Zone'
        option dest 'Wan_Zone'

config rule
        option name 'Mr_Sparkle_in'
        list dest_ip '192.168.1.10'
        option target 'ACCEPT'
        list proto 'all'
        option src 'Kids_Zone'
        option dest 'Adults_Zone'

config rule
        list proto 'all'
        option name 'Mr_Sparkle_out'
        list src_ip '192.168.1.10'
        option target 'ACCEPT'
        option src 'Adults_Zone'
        option dest 'Kids_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Adult_dns_53'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest 'Adults_Zone'
        option src 'Adults_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Kids_dns_53'
        option src_dport '53'
        option dest 'Kids_Zone'
        option dest_ip '192.168.2.1'
        option src 'Kids_Zone'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

# Generated by iptables-save v1.8.7 on Fri Apr  9 21:00:58 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_Adults_Zone_rule - [0:0]
:forwarding_Kids_Zone_rule - [0:0]
:forwarding_Wan_Zone_rule - [0:0]
:forwarding_rule - [0:0]
:input_Adults_Zone_rule - [0:0]
:input_Kids_Zone_rule - [0:0]
:input_Wan_Zone_rule - [0:0]
:input_rule - [0:0]
:output_Adults_Zone_rule - [0:0]
:output_Kids_Zone_rule - [0:0]
:output_Wan_Zone_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Adults_Zone_dest_ACCEPT - [0:0]
:zone_Adults_Zone_forward - [0:0]
:zone_Adults_Zone_input - [0:0]
:zone_Adults_Zone_output - [0:0]
:zone_Adults_Zone_src_ACCEPT - [0:0]
:zone_Kids_Zone_dest_ACCEPT - [0:0]
:zone_Kids_Zone_forward - [0:0]
:zone_Kids_Zone_input - [0:0]
:zone_Kids_Zone_output - [0:0]
:zone_Kids_Zone_src_ACCEPT - [0:0]
:zone_Wan_Zone_dest_ACCEPT - [0:0]
:zone_Wan_Zone_dest_REJECT - [0:0]
:zone_Wan_Zone_forward - [0:0]
:zone_Wan_Zone_input - [0:0]
:zone_Wan_Zone_output - [0:0]
:zone_Wan_Zone_src_REJECT - [0:0]
[22318:2655253] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[106268:18023956] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[33301:11746899] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[245:13196] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[40620:2261244] -A INPUT -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_input
[420:64351] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_input
[31927:3951462] -A INPUT -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_input
[5904604:9423179154] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5846114:9417132731] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[25683:3013909] -A FORWARD -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_forward
[32807:3032514] -A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
[3:234] -A FORWARD -m comment --comment "!fw3" -j reject
[22318:2655253] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[159200:49919008] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[85622:16150422] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[77:11557] -A OUTPUT -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_output
[2842:178704] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_output
[70659:33578325] -A OUTPUT -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_output
[0:0] -A MINIUPNPD -d 192.168.2.243/32 -p tcp -m tcp --dport 48341 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.2.243/32 -p udp -m udp --dport 48341 -j ACCEPT
[308:47588] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[114:16693] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[245:13196] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[143:15145] -A zone_Adults_Zone_dest_ACCEPT -o br-Adults_Lan -m comment --comment "!fw3" -j ACCEPT
[25683:3013909] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Custom Adults_Zone forwarding rule chain" -j forwarding_Adults_Zone_rule
[19041:2090223] -A zone_Adults_Zone_forward -s 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_out" -j zone_Kids_Zone_dest_ACCEPT
[25683:3013909] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Zone Adults_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Adults_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Adults_Zone_forward -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[40620:2261244] -A zone_Adults_Zone_input -m comment --comment "!fw3: Custom Adults_Zone input rule chain" -j input_Adults_Zone_rule
[206:13658] -A zone_Adults_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[40414:2247586] -A zone_Adults_Zone_input -m comment --comment "!fw3" -j zone_Adults_Zone_src_ACCEPT
[77:11557] -A zone_Adults_Zone_output -m comment --comment "!fw3: Custom Adults_Zone output rule chain" -j output_Adults_Zone_rule
[77:11557] -A zone_Adults_Zone_output -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[40414:2247586] -A zone_Adults_Zone_src_ACCEPT -i br-Adults_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[70659:33578325] -A zone_Kids_Zone_dest_ACCEPT -o br-Kids_Lan -m comment --comment "!fw3" -j ACCEPT
[32807:3032514] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
[66:3588] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
[32741:3028926] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Zone Kids_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Kids_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[3:234] -A zone_Kids_Zone_forward -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[31927:3951462] -A zone_Kids_Zone_input -m comment --comment "!fw3: Custom Kids_Zone input rule chain" -j input_Kids_Zone_rule
[8491:645931] -A zone_Kids_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[23436:3305531] -A zone_Kids_Zone_input -m comment --comment "!fw3" -j zone_Kids_Zone_src_ACCEPT
[70659:33578325] -A zone_Kids_Zone_output -m comment --comment "!fw3: Custom Kids_Zone output rule chain" -j output_Kids_Zone_rule
[70659:33578325] -A zone_Kids_Zone_output -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[23436:3305531] -A zone_Kids_Zone_src_ACCEPT -i br-Kids_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1873:120520] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[59390:6100785] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Wan_Zone_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3: Custom Wan_Zone forwarding rule chain" -j forwarding_Wan_Zone_rule
[0:0] -A zone_Wan_Zone_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Wan_Zone_forward -j MINIUPNPD
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3" -j zone_Wan_Zone_dest_REJECT
[420:64351] -A zone_Wan_Zone_input -m comment --comment "!fw3: Custom Wan_Zone input rule chain" -j input_Wan_Zone_rule
[1:304] -A zone_Wan_Zone_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[414:62998] -A zone_Wan_Zone_input -j MINIUPNPD
[419:64047] -A zone_Wan_Zone_input -m comment --comment "!fw3" -j zone_Wan_Zone_src_REJECT
[2842:178704] -A zone_Wan_Zone_output -m comment --comment "!fw3: Custom Wan_Zone output rule chain" -j output_Wan_Zone_rule
[2842:178704] -A zone_Wan_Zone_output -m comment --comment "!fw3" -j zone_Wan_Zone_dest_ACCEPT
[419:64047] -A zone_Wan_Zone_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT

Here is the quick and dirty way:
Go to LuCI>Network>Firewall/Custom Rules and insert the following at the end:

iptables -I FORWARD 1 -s 192.168.2.0/24 ! -d 192.168.0.0/16 -m time --timestart 22:00:00 --timestop 07:00:00 --kerneltz -j REJECT

Restart the firewall.
It has been tested with release 19.07.7
I assume that the devices in other LAN zones use IP addresses in the range 192.168.X.X.

For a start the rule is disabled.

Then you don't need to define the source IP.

I can't enable it from LuCI as it has an exclamation mark saying "time restrictions" for this rule; I thought this was normal.

When I click save it removes the tick, saying there are no changes to be made. I can force it by manually editing from SSH; that may be my only problem.

Looks like a known issue:
Luci cannot turn on or off time based FW rules

Try to update LuCI-related packages or set up the rules using the CLI.
In any case, you need to use the CLI to apply the workarounds mentioned in the wiki.
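Since the thread ends up applying the rule from the CLI, here is an added example (not from the thread, LuCI or fw3) of doing that in a reviewable way, together with a check of the overnight time window the rule relies on. It assumes: a constructed sample of `uci show firewall` output (the rule name is the one from the thread, its index and the neighbouring rule are made up), that `/etc/init.d/firewall restart` is how the rule set is reapplied, and that the window is inclusive at both ends and wraps past midnight when the stop time is earlier than the start time, which is how the xt_time match behind `start_time`/`stop_time` and `--timestart`/`--timestop` compares times.

```shell
#!/bin/sh
# Added example: enable a named fw3 time rule from the CLI and reason about
# its time window. Runs offline on constructed data; on a router, replace
# sample_uci_show with `uci show firewall`.

# Constructed sample in the format of `uci show firewall` (not real output).
sample_uci_show() {
    cat <<'EOF'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].enabled='1'
firewall.@rule[1]=rule
firewall.@rule[1].name='Kids wan disable'
firewall.@rule[1].enabled='0'
firewall.@rule[1].start_time='22:00:00'
firewall.@rule[1].stop_time='07:00:00'
EOF
}

# Print the @rule[N] index of the rule named $1, reading `uci show firewall`
# output on stdin. Prints nothing and returns 1 when no rule has that name,
# so a typo in the name cannot silently enable the wrong section.
rule_index_for_name() {
    awk -v want="$1" -v q="'" -F= '
        /^firewall\.@rule\[[0-9]+\]\.name=/ {
            idx = $1
            sub(/^firewall\.@rule\[/, "", idx)
            sub(/\]\.name$/, "", idx)
            val = $2
            gsub("^" q "|" q "$", "", val)
            if (val == want) { print idx; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Print (rather than run) the uci commands that enable rule index $1 and
# reapply the firewall, so they can be reviewed before piping them into sh.
enable_rule_cmds() {
    printf "uci set firewall.@rule[%s].enabled='1'\n" "$1"
    printf "uci commit firewall\n"
    printf "/etc/init.d/firewall restart\n"
}

# HH:MM:SS -> seconds since midnight. Runs in a subshell so the IFS change
# stays local; leading zeros are stripped so "08" is not read as octal.
hms_to_secs() (
    IFS=:
    set -- $1
    echo $(( ${1#0} * 3600 + ${2#0} * 60 + ${3#0} ))
)

# True (exit 0) when clock time $1 lies in the window [$2, $3], both ends
# inclusive. A window whose stop is earlier than its start (22:00:00 to
# 07:00:00, the thread's case) wraps past midnight.
in_window() {
    now=$(hms_to_secs "$1"); start=$(hms_to_secs "$2"); stop=$(hms_to_secs "$3")
    if [ "$start" -le "$stop" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -le "$stop" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -le "$stop" ]
    fi
}

# Demo: locate the thread's rule in the sample and show the enabling commands,
# then walk a few clock times through the overnight window.
idx=$(sample_uci_show | rule_index_for_name 'Kids wan disable') && enable_rule_cmds "$idx"
for t in 21:59:59 22:00:00 03:15:00 07:00:00 07:00:01; do
    if in_window "$t" 22:00:00 07:00:00; then echo "$t: blocked"; else echo "$t: allowed"; fi
done
```

Two things worth checking on the router before trusting such a rule: fw3 evaluates `start_time`/`stop_time` in the router's local time unless the rule sets `option utc_time '1'` (the manual iptables rule above gets the same behaviour from `--kerneltz`), so the configured timezone must be right; and a router whose clock has not been set by NTP yet, for example shortly after a reboot, will apply the window against the wrong time without any error.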

Looks like it has been fixed already; I'll just have to wait for an update to filter through.

The rule seems to work and blocks all LAN to WAN traffic when updated from the CLI.

luci-base: ui.js: fix UICheckbox widget operation when tooltips are set · openwrt/luci@95b5c6c · GitHub

This is informational.