Firewall time restrictions time change issue

Hi all,
sorry if i'm posting in wrong place.
I have a firewall traffic rule that allows or blocks a specific station by MAC address, with a time restriction. Since the daylight-saving time change here, the rule takes effect 1 hour late.
These are my /etc/config/system settings:
option zonename 'America/New York'
option timezone 'EST5EDT,M3.2.0,M11.1.0'

the time is correct both on luci and from command line, so not understanding why it would be delayed.

For example, a device should be allowed access starting at 15:00; instead it is not allowed until 16:00.

any one else with this issue or any ideas?

thank you
rt

Collect the output redacting the private parts:

# Diagnostic bundle for time-based firewall rules. Redact MAC addresses and
# the hostname from the output before posting it publicly.

# Board model, kernel and firmware release
ubus call system board

# Local time as userspace sees it, then UTC for comparison
date
date -u

# Loaded rules that carry a time match, with their packet/byte counters
iptables-save -c | grep -e timestart

# Timezone/NTP settings and the full firewall configuration
uci show system
uci show firewall

Hello vgaetera,

thanks for the response, i appreciate it!

{
        "kernel": "4.14.221",
        "hostname": "XXXXXXXXX",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Linksys EA8500 WiFi Router",
        "board_name": "linksys,ea8500",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ipq806x/generic",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
Mon Mar 15 19:45:14 EDT 2021
Mon Mar 15 23:45:14 UTC 2021
[77696:7604227] -A zone_lan_forward -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 15:00:00 --timestop 20:30:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -m comment --comment "!fw3: sta1_limit_mt" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 15:00:00 --timestop 21:30:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: sta1_limit_fri" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 09:00:00 --timestop 21:30:00 --weekdays Sat --kerneltz -m comment --comment "!fw3: sta1_sat" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 09:00:00 --timestop 20:30:00 --weekdays Sun --kerneltz -m comment --comment "!fw3: sta1_limit_sun" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m mac --mac-source YY:YY:YY:YY:YY:YY -m time --timestart 06:00:00 --timestop 23:00:00 --kerneltz -m comment --comment "!fw3: sta2_allow" -j zone_wan_dest_ACCEPT
system.@system[0]=system
system.@system[0].ttylogin='0'
system.@system[0].log_size='64'
system.@system[0].urandom_seed='0'
system.@system[0].hostname='wifirouter'
system.@system[0].zonename='America/New York'
system.@system[0].timezone='EST5EDT,M3.2.0,M11.1.0'
system.@system[0].log_proto='udp'
system.@system[0].conloglevel='8'
system.@system[0].cronloglevel='8'
system.ntp=timeserver
system.ntp.server='0.north-america.pool.ntp.org'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].src='lan'
firewall.@rule[9].name='sta1_limit_mt'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].weekdays='Mon Tue Wed Thu'
firewall.@rule[9].dest='wan'
firewall.@rule[9].start_time='15:00:00'
firewall.@rule[9].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[9].proto='all'
firewall.@rule[9].stop_time='20:30:00'
firewall.@rule[10]=rule
firewall.@rule[10].src='lan'
firewall.@rule[10].name='sta1_limit_fri'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].weekdays='Fri'
firewall.@rule[10].dest='wan'
firewall.@rule[10].proto='all'
firewall.@rule[10].start_time='15:00:00'
firewall.@rule[10].stop_time='21:30:00'
firewall.@rule[10].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[11]=rule
firewall.@rule[11].src='lan'
firewall.@rule[11].name='sta1_sat'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].weekdays='Sat'
firewall.@rule[11].dest='wan'
firewall.@rule[11].proto='all'
firewall.@rule[11].start_time='09:00:00'
firewall.@rule[11].stop_time='21:30:00'
firewall.@rule[11].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[12]=rule
firewall.@rule[12].src='lan'
firewall.@rule[12].name='sta1_mf'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].weekdays='Mon Tue Wed Thu Fri'
firewall.@rule[12].dest='wan'
firewall.@rule[12].proto='all'
firewall.@rule[12].start_time='09:00:00'
firewall.@rule[12].stop_time='21:30:00'
firewall.@rule[12].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[12].enabled='0'
firewall.@rule[13]=rule
firewall.@rule[13].src='lan'
firewall.@rule[13].name='sta1_limit_sun'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].weekdays='Sun'
firewall.@rule[13].dest='wan'
firewall.@rule[13].proto='all'
firewall.@rule[13].start_time='09:00:00'
firewall.@rule[13].stop_time='20:30:00'
firewall.@rule[13].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[14]=rule
firewall.@rule[14].src='lan'
firewall.@rule[14].name='sta1_sun'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].weekdays='Sun'
firewall.@rule[14].dest='wan'
firewall.@rule[14].proto='all'
firewall.@rule[14].start_time='09:00:00'
firewall.@rule[14].stop_time='21:30:00'
firewall.@rule[14].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[14].enabled='0'
firewall.@rule[15]=rule
firewall.@rule[15].src='lan'
firewall.@rule[15].name='sta1_reject'
firewall.@rule[15].target='REJECT'
firewall.@rule[15].dest='wan'
firewall.@rule[15].src_mac='XX:XX:XX:XX:XX:XX'
firewall.@rule[15].proto='all'

firewall.@rule[20]=rule
firewall.@rule[20].target='ACCEPT'
firewall.@rule[20].name='sta2_allow'
firewall.@rule[20].stop_time='23:00:00'
firewall.@rule[20].dest='wan'
firewall.@rule[20].src='lan'
firewall.@rule[20].src_mac='YY:YY:YY:YY:YY:YY'
firewall.@rule[20].start_time='06:00:00'
firewall.@rule[20].proto='all'
firewall.@rule[21]=rule
firewall.@rule[21].src='lan'
firewall.@rule[21].name='sta2_reject'
firewall.@rule[21].target='REJECT'
firewall.@rule[21].dest='wan'
firewall.@rule[21].proto='all'
firewall.@rule[21].src_mac='YY:YY:YY:YY:YY:YY'

firewall.estab=include
firewall.estab.path='/etc/firewall.estab'
firewall.estab.reload='1'

Note that firewall rules [16-19] are left out above because they don't seem relevant; they are target=REJECT with enabled='0'.

thanks again
rt


Have you rebooted it after the daylight savings time was applied?

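My guess is that the kernel is still running winter time internally and is one hour behind, and the firewall follows that, or something similar. The rules above are generated with --kerneltz, so the time match uses the kernel's timezone offset rather than what `date` prints.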

Possibly a firewall restart might help, or a full reboot.


thanks for the responses
I did reboot it; that did not help right away, which is why I posted. It is working now, so it just had to be given time. One more reason to love time changes :crazy_face:
