Luci-access-control: Why not available in LEDE?

@tmomas
You could look into LuCI pull requests...

https://github.com/openwrt/luci/pull/802

The PR author never finalised the changes requested.

And like @fantom-x says, the time based restriction functionality is already available in firewall both in master and 17.01. Even in Luci. Just edit a traffic rule and you see this:

Ah yes, thanks for the info!

Just remember that the time needs to be in UTC

It's kind of awkward to enter times in UTC.

https://wiki.openwrt.org/doc/uci/firewall#block_access_to_the_internet_for_specific_ip_on_certain_times states

times are specified in UTC unless the --kerneltz switch is used

How and where is the --kerneltz switch used?

@hnyman Where would I add a rule in LuCI?
Open ports on router - No, I don't want to open a port.
New forward rule - No, I don't want to forward a port either.
Source NAT - that's the only one remaining.

-> Enter: Name / To source IP: IP to be restricted -> Add + Edit

Would that be correct so far?

The OpenWrt wiki states further:

Using firewall v3 and later the example becomes

How do I know the version of the firewall?
LuCI -> Software -> filter for firewall -> 2017-01-13-37cb4cb4-1
That's not exactly looking like v3, nor like any other version.

Reason for asking: https://lede-project.org/docs/howto/parental-controls is non-existent so far, and I would like to fill it, or at least start the page.

Firewall v3 has been in use for some 4 years, I think. Based on git, since 2013...
https://git.lede-project.org/?p=project/firewall3.git;a=shortlog

To be exact, firewall3 has been the default firewall since June 2013: https://git.lede-project.org/?p=source.git;a=commit;h=b721c9222110f0bbf2203da602f60ac0ec6f32ff

So LEDE has always used firewall3.

(Openwrt has used it since BB14.07 release)

"New forward rule" is not about forwarding ports: it is about forwarding from one zone (lan, guest) to another (wan, or some other zone). This is where your parental rule should live.

config rule
        option src 'guest'
        option dest 'wan'
        option name 'XXXXX'
        option src_mac 'XX:XX:XX:XX:XX:'
        option target 'DROP'
        option stop_time '11:00:00'
        option utc_time '1'
        option start_time '02:00:00'

Yes, you want to forward (or actually, prevent) traffic between lan and wan.
Not just one port, but all traffic from a source IP.

Forwarding is the general term in iptables lingo for traffic between firewall zones.

Add a new forwarding rule, from lan to wan

I haven't tried that time-based blocking for ages, but let's try. It will likely take a few minutes to figure out the exact parameter to the details page.
Basic outline is to

  • select the MAC of the host to be blocked
  • set the forbidden time limit
    • Or alternatively add two rules: first one to allow lan-wan forward during time X-Y for host Z, then a second rule to block all lan-wan forwarding for host Z that takes care of the other times.

Will edit this, once I get it right.

from https://wiki.openwrt.org/doc/uci/firewall#block_access_to_the_internet_for_specific_ip_on_certain_times

config rule
        option src              lan
        option dest             wan
        option src_ip           192.168.1.27
        option proto            all
        option start_time       21:00
        option stop_time        09:00
        option weekdays         'mon tue wed thu fri'
        option target           REJECT

What is the difference between option target 'DROP' and option target REJECT?

Basic iptables stuff.

DROP drops traffic quietly without response.
REJECT tells the sender that traffic is blocked.

OK, then reject would be the preferred way, and in terms of parental control the message would be: Kids, you're out of your allowed time.

Brief guide on how to do it in LuCI:

  • Go to Network / Firewall / Traffic Rules tab
  • Add new rule with "New forward rule"
    • name the rule
    • source zone: lan
    • destination zone: wan
    • press "Add and edit..." button
  • On details page:
    • Select the "Source MAC address" of the host to be blocked.
    • Set "Action" to be "Reject"
    • Select the weekdays / month days when the block is active
    • Set the blocked "start time" and "end time" in 24-hour format like "21:30:00"
    • With firewall 2017-05-09 and later: if you want UTC time, use the field "Time in UTC"
    • With a firewall older than 2017-05-09: above the weekdays / month days selection is the "Extra arguments" field. Enter "--kerneltz" there to be able to set the time limits in local time instead of UTC

The final result is a rule like this in /etc/config/firewall:

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'time block test'
        option src_mac '78:BB:AA:3A:88:14'
        option weekdays 'Sun'
        option target 'REJECT'
        option start_time '21:30:00'
        option stop_time '22:00:00'

With a firewall older than 2017-05-09 you also need this:

        option extra '--kerneltz'

The previous rule blocks traffic for host '78:BB:AA:3A:88:14' during 21:30-22:00 on Sundays. It uses the "reject" action, which makes most browsers return an "Unable to connect" error for the user.

Note that you can enable/disable the rule on the Firewall "Traffic Rules" page.

In that sense the whole functionality of that "Internet Access Control" package is already here, except that it provides a global switch for toggling all time block rules of this kind that have been created by it. (The package also created the time limits and weekday entries in a format that conflicted with the firewall's own implementation, so rules created by it would look invalid to the "Traffic rules" page editing functions, and vice versa. That was at least the situation when I last looked at the PR to import that package.)
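A small lint for the rule format shown in this guide, added here as an example (not code from the thread or from the firewall3 project): it parses 'config rule' sections from a constructed /etc/config/firewall sample and flags a '--kerneltz' left in "extra" on a firewall from 2017-05-09 or later, plus a start/stop window that wraps past midnight.

```python
"""Lint time-based 'config rule' sections of an OpenWrt/LEDE /etc/config/firewall.
Constructed sample below: the Sunday rule from this thread plus a weekday rule that wraps past midnight."""
import shlex

SAMPLE_CONFIG = """\
config rule
        option name 'time block test'
        option src_mac '78:BB:AA:3A:88:14'
        option weekdays 'Sun'
        option target 'REJECT'
        option start_time '21:30:00'
        option stop_time '22:00:00'
        option extra '--kerneltz'
config rule
        option name 'school nights'
        option src_ip '192.168.1.27'
        option weekdays 'mon tue wed thu fri'
        option target 'REJECT'
        option start_time '21:00'
        option stop_time '09:00'
"""

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] parsed from UCI text."""
    sections = []
    for parts in (shlex.split(l, comments=True) for l in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option" and len(parts) > 2 and sections:
            sections[-1][1][parts[1]] = parts[2]
    return sections

def to_seconds(hhmm):
    """'HH:MM' or 'HH:MM:SS' -> seconds since midnight."""
    h, m, *s = (int(x) for x in hhmm.split(":"))
    return h * 3600 + m * 60 + (s[0] if s else 0)

def lint_rule(opts, firewall_adds_kerneltz=True):
    """Warnings for one rule; firewall_adds_kerneltz=True means firewall 2017-05-09 or later."""
    warnings = []
    if firewall_adds_kerneltz and "--kerneltz" in opts.get("extra", ""):
        warnings.append("remove --kerneltz from extra: the firewall adds it itself, a duplicate breaks iptables")
    if "start_time" in opts and "stop_time" in opts and \
            to_seconds(opts["stop_time"]) <= to_seconds(opts["start_time"]):
        warnings.append("window crosses midnight: check iptables -m time semantics (--contiguous)")
    return warnings

def lint_config(text, **kw):
    """Map rule name -> warnings for every 'config rule' section."""
    return {o.get("name", "?"): lint_rule(o, **kw) for t, o in parse_uci(text) if t == "rule"}
```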

I created the page https://lede-project.org/docs/howto/parental-controls.
Review / additions / modifications are welcome!

Maybe this should link to that page?

Better to put the new example also into that general firewall config advice page.
(and in LEDE we only have firewall3, so the previous example is quite outdated.)

link added + outdated example removed.

I know "--contiguous" was required for the old example when the time period for the block crossed midnight. Is this also required for the new example?

From the iptables man:

Matching across days might not do what is expected. For instance,

-m time --weekdays Mo --timestart 23:00 --timestop 01:00

will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards' you need to also specify the --contiguous option in the example above.

I notified @jow by email about the details of the "UTC time" option handling. Looks like it is not a LuCI bug, but a bug in the options handling in firewall3 itself, as the option fails also when manually applied to /etc/config/firewall.

Firewall has been fixed in such a way that it always automatically adds the kerneltz argument to time fields, unless you specifically want UTC in firewall (by using that UTC time option).

However, iptables chokes on having several kerneltz parameters on the same line, so having it also in the "extra argument" field will break things.

So, old rules that include kerneltz extra argument will need to be checked and possibly changed.

The change was made on firewall version 2017-05-09. Both LEDE master and 17.01 branch have the update, so it will also get into the 17.01.2 release.

Any interest in a vastly superior parental controls integrated across all devices, apps and services? About to launch opensource apis/sdks to connect to a centralized powerful platform for “parental freedom”.

Let me know if anyone would be interested in helping integrate? Check out https://Allow2.github.io and let me know if interested.

@tmomas

luci-app-access-control

I have tried this on OpenWrt 22.03.2; everything works fine. Can this be added to OpenWrt? Thank you.