Blocking access to the internet for some particular devices during some hours/days based on MAC is almost useless alone. You basically need to put some restrictions on the devices that connect (if we talk about a laptop/PC, it goes up to not allowing it to boot from USB, DVD, etc.).
Allowing only specific MACs and blocking everything else is a bit better... But even this is not perfect...
Basically, taking down the interface during some hours/days is kinda the only way I see it working in a way that can't be bypassed.
I'm trying to restrict WAN access at certain times of the day for children so they will go to bloody bed haha
How is it useless? It actually works on every device that I have tested on, except when I add specific weekdays, but this has been confirmed as a bug and will hopefully be fixed soon. I guess I'll just have to keep an eye on things to see how they operate once the rules are successfully in place. I already have restrictions set on the device side too, but kids always seem to get around them.
Allowing specific MACs requires a lot more administrative work and I honestly don't see how that would be better.
If things don't work out, then this is likely the best solution. I'll have to add an extra SSID with all the other stuff and put the restricted devices on a separate SSID.
You have the AP having also a MAC white list. In that white list devices A1, A2, A3 and A4 are allowed to connect.
Now for devices A2, A3 and A4 you decide to block access between let's say 22:00 and 7:00.
The only thing that one of the devices A2, A3 or A4 has to do is to use the MAC of A1 before A1 is connected to the AP and everything has become useless.
Figuring out the MAC of A1 when they live in the same house is relatively easy. Also, connecting before A1 is relatively easy because the kids might just power off/unplug the device A1.
Now you need to block somehow devices A2, A3 and A4 from being able to change the MAC.
The entire idea is not to underestimate what the kids will do when you try to stop them.
Now let's look at another way.
We have AP1 for device A1 and AP2 for devices A2, A3, A4. If you disable AP2 during specific hours, kids will notice it; if you cut access to the internet for AP2 during specific hours, kids will also notice it.
If they see AP1 when AP2 is not on or not working, they might easily figure out it's in the same house (there are smartphone applications that show the signal power of APs, and AP1 and AP2 will have close values even if they're separate devices).
Now the kids will just try to figure out how to connect to AP1 and if they can put their hands on A1 they will get the info needed.
L.E. 2: There is also another problem. If the kids have access to smartphones, they might just use the data plan, make a hotspot with the smartphone and happily go on using the internet from their smartphone. You risk ending up with a not-so-nice bill because of this.
So if they have smartphones you will have to deal with this problem too.
There's a parental response to that. If they start messing with MAC address cloning, they lose their device. And it won't take long to spot it either, because while they may clone the MAC, I bet they forget to change the device name, and a MAC with "daughters iphone" when it should be dad's iPhone is easy to grep from log files.
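The log check described in the post above, as an added example that is not part of the original thread. It assumes the router logs DHCP leases in dnsmasq's DHCPACK syslog format; the inventory, MAC addresses and log lines are constructed.

```python
import re

# Assumption: leases are logged as dnsmasq DHCPACK lines in syslog.
ACK = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)

# Constructed inventory: the hostname each known MAC normally announces.
EXPECTED = {
    "aa:bb:cc:00:00:01": "dads-iphone",
    "aa:bb:cc:00:00:02": "daughters-iphone",
}

# Constructed sample log lines.
SAMPLE_LOG = """\
Jan  5 21:40:11 dnsmasq-dhcp[2211]: DHCPACK(br-lan) 192.168.1.20 aa:bb:cc:00:00:01 Dads-iPhone
Jan  5 21:41:02 dnsmasq-dhcp[2211]: DHCPACK(br-lan) 192.168.1.21 aa:bb:cc:00:00:02 Daughters-iPhone
Jan  5 22:14:03 dnsmasq-dhcp[2211]: DHCPACK(br-lan) 192.168.1.20 AA:BB:CC:00:00:01 Daughters-iPhone
Jan  5 22:30:45 dnsmasq-dhcp[2211]: DHCPACK(br-lan) 192.168.1.22 aa:bb:cc:00:00:09
"""

def find_mismatches(log_text, expected=EXPECTED):
    """Return unique (mac, hostname, reason) tuples for leases that
    do not match the inventory, in order of first appearance."""
    findings = []
    for line in log_text.splitlines():
        m = ACK.search(line)
        if not m:
            continue  # not a lease acknowledgement
        mac = m.group("mac").lower()
        host = (m.group("host") or "").lower()  # hostname is optional
        if mac not in expected:
            item = (mac, host, "unknown MAC")
        elif host and host != expected[mac]:
            item = (mac, host, "hostname differs from inventory")
        else:
            continue
        if item not in findings:
            findings.append(item)
    return findings

if __name__ == "__main__":
    for mac, host, reason in find_mismatches(SAMPLE_LOG):
        print(f"{mac}  {host or '-'}  {reason}")
```

The hostname is supplied by the client, so a clean result is a heuristic and not proof that no MAC was reused.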
Ah well, that makes it even easier. Check out the client config section and you can lock their net access down more with parental controls, and then it's just a "disobey and lose your devices" to enforce.
If you use AGH's DNS service as your upstream, you can set the kids to use the filtered DNS service while letting the adults use the unfiltered DNS with just adblocking.
As I understand, it's just a matter of tagging the clients and then setting what rules you want applying to them. I've never done it as I don't have the need for it. But if you try it and get it sorted, I'd love it if you added your experience / thoughts to my AGH manual install thread for others to see. (And then I can throw it into the AGH wiki for others.)
(edit) - Also, there are some tips on DNS hijacking and other pitfalls I highlight which may be of help to you. Enforcing all DNS queries to go via AGH stops those pesky hardcoded IoT and smart TVs from leaking out your data.
https://github.com/anudeepND/whitelist also worth using as some blocklists screw things up. This whitelists common domains to avoid issues. He also has a referral link version if the wife likes shopping sites to get coupons etc.
Thanks. I've yet to make the change to fix it but I think it looks correct as it is? Like I say, things only seem to go wrong if I create the rule with 'Any' day, then edit the days thereafter. I'll see if I can get the fix put in shortly and then provide the output again.