Firewall Time Restrictions/Parental Controls Problems

Hi folks,

I hope someone can help me. I'm having a real headache trying to get time restrictions working correctly on OpenWRT (RT3200 router). I really don't understand where I'm going wrong here.

Note that the times in this are for testing and they will be changed. Basically when I create these rules, they simply don't work on the intended devices, or any for that matter. The only way I thought it was working was when I go in to startup and stop/start the firewall, but this seems to block everything. Only when I toggle one of these parental control settings off will it start working again.

You will notice I don't have any IP addresses entered, I used MAC address blocking in Advanced instead, though I have tried both. I should also point out that the WiFi on my router is disabled and I am using a mesh system, but I don't see how this would be a problem if the actual router is the one blocking the WAN traffic. I should also add that I have AdGuard Home installed and it seems to be running ok, though it has taken over DNS (I think), so not sure if that is causing any issues.

Does anyone know what I am doing wrong? Is there perhaps another parental control plugin I could install? Really appreciate any help. Thank you!



Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1 Like

Android devices usually use a random MAC address each time they connect to an AP unless you disable it (anyone with access to that device can happily enable it again).

You probably want to use the MACs you allow to access internet and not the reverse.

Galaxy Tab is what made me write those lines.

2 Likes

Pretty sure this only works for new connections, already open/established connections aren't cut.

This might be useful: Parental control - session continues after rule applied

2 Likes

Thanks. There's an awful lot of information in there that would take me a while to filter out, but for now, here is the basic info. I can now confirm that the rules seem to mess up if I apply any weekdays to the restrictions. If I leave the weekdays to 'Any', the rule works fine and so does the actual time restriction.

If I apply the same rule and add weekdays, such as Sun, Mon, Tue, Wed and Thu, the restriction rule doesn't work. I assume that I am supposed to select the weekdays that I want to apply the restrictions to, but again, the rule does not work if I select anything other than 'Any'.

        "kernel": "5.10.108",
        "hostname": "G-RT3200",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r19282-09f6200198",
                "target": "mediatek/mt7622",
                "description": "OpenWrt SNAPSHOT r19282-09f6200198"

Never heard of that. Surely it can't use a random MAC address? That is hard coded to the NIC. It can certainly use a random IP address, but I've never heard of a random MAC address.
Aside from this, the reject rule did apply to the Android tablet I tested it on, but the rule does not work with any device if I try to add weekdays.

3 Likes

Just to add to this. It seems that if I create a reject rule without touching the days, it will work just fine, but as soon as I add days, it doesn't take the change, until I reboot. This seems to be even worse though, because my entire network will be disabled from WAN access, until I uncheck and save the rule which should only apply to one single laptop. I don't know what is going on here but seems like a bug of some kind?

After applying days Mon, Tue, Wed, Thu, it doesn't look like the change took, despite saving and showing in the GUI. The selected days are not listed.

config rule
        option src 'lan'
        list src_mac 'AA:AA:AA:AA:AA:AA'
        option dest 'wan'
        option target 'REJECT'
        option name 'Child-Schooldays'
        option start_time '12:00:00'
        option stop_time '14:00:00'
        list proto 'all'

New Rule did not appear on logs, until after reboot. The rule was enabled and appeared to block every device on my network from WAN access, despite there being only a single laptop in the source MAC address block list. Note that the time also did not change until after reboot.

config rule
        option name 'Child-Schooldays'
        option src 'lan'
        list src_mac 'AA:AA:AA:AA:AA:AA'
        option dest 'wan'
        option target 'REJECT'
        option start_time '21:10:00'
        option stop_time '08:00:00'
        list proto 'all'
        option weekdays 'Sun Mon Tue Wed Thu'
        option enabled '0'

Thank you for that. I don't think mine is the same issue but even still, this post was very useful. It mentions that the rules may not work if software offloading is enabled. I do indeed have software offloading enabled, so I'm going to try disabling that and see what happens. Thank you!

Interesting. I tried to restart the firewall from SSH and I am getting a parsing error for Day of the week. This is probably the issue, but I have no clue how to fix it.

root@*********:~# /etc/init.d/firewall restart

/proc/self/fd/0:79:92-99: Error: Could not parse Day of week of packet reception

Once again, as soon as I set the weekdays to 'Any' the rule works just fine, even with a specific time applied.

I tried disabling software offloading and it didn't make any difference. I'm sort of glad actually, because it would be a shame to disable this feature.

On my 21.02.2 it works fine:

root@whale:[~]#uci show firewall.@rule[-1]
firewall.cfg1192bd=rule
firewall.cfg1192bd.name='test-time'
firewall.cfg1192bd.proto='all'
firewall.cfg1192bd.src='lan'
firewall.cfg1192bd.dest='docker'
firewall.cfg1192bd.target='ACCEPT'
firewall.cfg1192bd.weekdays='Mon Tue Wed'
firewall.cfg1192bd.start_time='10:00:00'
firewall.cfg1192bd.stop_time='22:00:00'

root@whale:[~]#iptables-save -c | grep test-time
[4:336] -A zone_lan_forward -m time --timestart 10:00:00 --timestop 22:00:00 --weekdays Mon,Tue,Wed --datestop 2038-01-19T03:14:07 --kerneltz -m comment --comment "!fw3: test-time" -j zone_docker_dest_ACCEPT
1 Like

Thanks. Interesting that you use an 'ACCEPT' rule whereas I use a 'REJECT' rule. Or is this simply just a test and I am overthinking it lol. What I've done now is deleted the rules and set them up correctly from the start, whereas before I would set the weekdays to 'Any', then edit afterwards. I won't know if this works properly until later on when the rules kick in. Everything looks like it will from the config anyway.

So in a nutshell, it seems that editing the weekdays after the rule is created screws everything up. I don't know why it is behaving in this way but it would be great to get to the bottom of it. Below is a rule that I have set which I will test later to confirm it works:

uci show firewall.@rule[-5]
firewall.cfg1092bd=rule
firewall.cfg1092bd.name='Child-Weekdays'
firewall.cfg1092bd.proto='all'
firewall.cfg1092bd.src='lan'
firewall.cfg1092bd.src_mac='AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA'
firewall.cfg1092bd.dest='wan'
firewall.cfg1092bd.target='REJECT'
firewall.cfg1092bd.weekdays='Sun Mon Tue Wed Thu'
firewall.cfg1092bd.start_time='21:10:00'
firewall.cfg1092bd.stop_time='08:00:00'

Can I ask, do you have a link to the exact firmware you are using, assuming it's the same router? The latest one I could find was a snapshot from sometime in March 2022 I think, but I can't remember where exactly I got it from. Thank you!
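An added illustration, not code from the thread or from OpenWrt: a small model of how the iptables `-m time` match shown in the earlier `iptables-save` reply (fw3, no `--contiguous`) evaluates an overnight window such as the `21:10:00`-`08:00:00` Sun-Thu rule above. Its assumption is the xt_time behaviour that a wrapped window is checked against the same calendar day for both halves; whether fw4/nftables on the OP's snapshot behaves identically is not something this thread establishes.

```python
from datetime import datetime, time

# Order matches datetime.weekday(): Monday == 0 ... Sunday == 6.
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse_hms(value):
    """Parse the 'HH:MM:SS' strings used in /etc/config/firewall."""
    hour, minute, second = (int(x) for x in value.split(":"))
    return time(hour, minute, second)

def xt_time_matches(when, start, stop, weekdays, contiguous=False):
    """Model of the iptables xt_time match (assumed semantics, see lead-in).

    Without --contiguous a window whose stop is earlier than its start is
    treated as two pieces on each selected day: start-23:59:59 and 00:00-stop.
    With --contiguous the 00:00-stop piece is attributed to the previous day.
    """
    start_t, stop_t = parse_hms(start), parse_hms(stop)
    days = set(weekdays.split()) if weekdays else set(WEEKDAYS)
    packet_time = when.time()
    today = WEEKDAYS[when.weekday()]
    if start_t <= stop_t:  # plain daytime window
        return today in days and start_t <= packet_time <= stop_t
    if packet_time < start_t and packet_time > stop_t:  # the daytime gap
        return False
    if contiguous and packet_time <= stop_t:
        return WEEKDAYS[(when.weekday() - 1) % 7] in days
    return today in days

# Constructed copy of the 'Child-Weekdays' schedule quoted in the post above.
RULE = {"start": "21:10:00", "stop": "08:00:00", "weekdays": "Sun Mon Tue Wed Thu"}

def blocked_at(iso_timestamp, contiguous=False):
    """True if the rule would REJECT traffic at the given local time."""
    when = datetime.fromisoformat(iso_timestamp)
    return xt_time_matches(when, RULE["start"], RULE["stop"], RULE["weekdays"], contiguous)

if __name__ == "__main__":
    # Dates chosen so that 2022-04-04 is a Monday, 04-08 a Friday, 04-10 a Sunday.
    for stamp in ("2022-04-04T22:00", "2022-04-08T07:00", "2022-04-10T07:00"):
        print(stamp, "blocked:", blocked_at(stamp), "with --contiguous:", blocked_at(stamp, True))
```

The practical point is that, under these semantics, Thursday night's 21:10 start does not carry over into Friday 00:00-08:00, while Sunday 00:00-08:00 is blocked even though Saturday is not selected.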

The second.

I don't have the same router. Unfortunately your router still doesn't have a stable version to install. You could try a newer snapshot in case it got fixed, or try to pass the day/time arguments in the custom option field of the firewall rule.

1 Like

Your version uses iptables, while snapshots are on nftables.

This is not possible with nftables anymore.

2 Likes

The OP actually spotted a bug in nftables which I'll work around in the fw4 rule generator while submitting a separate nftables patch upstream.

5 Likes

Thank you @jow !

Great to know that it's going to be fixed. If there's anything I can do to test this further, or test an update then please let me know where I can contribute.

I think it could just be around editing an entry rather than a new rule, but I am not totally sure on that yet. I set restriction rules to apply later this evening which have not been edited and according to the config at least, these rules should be in place.

OpenWrt/fw4 workaround here: https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=9972f7dca635392832810d2d43b663f08466b088

5 Likes

Thank you!

Apologies but what exact file is it I need to edit? I've been trying via SSH, but failing. Sorry!