I have made firewall rules that allow me to (in theory) limit my kids' access to the internet to some specific times. For example:
config rule
    option name 'Kids-SchoolDayEvening2Midnight'
    option weekdays 'Sun Mon Tue Wed Thu'
    option src 'lan'
    option stop_time '23:59:59'
    option dest 'wan'
    option target 'REJECT'
    list src_mac '***'
    list src_mac '***'
    # ...etc. for all kids' devices
    option start_time '21:00:00'
and
config rule
    option name 'Kids-EveryDayMidnight2Morning'
    option src 'lan'
    option dest 'wan'
    option target 'REJECT'
    option weekdays 'Mon Tue Wed Thu Fri'
    option start_time '00:00:00'
    list src_mac '***'
    list src_mac '***'
    # ...etc. for all kids' devices
    option stop_time '07:15:00'
My son has found that he can continue a session (usually a Slack chat to his mates) well after the restrictions apply. My guess is that once a session is established there's some tunnel that means the comms don't trigger the MAC-based REJECT rule. Is there anything I can do to make the internet stop for him when it's meant to?
I did toy with the idea of shutting down the WAN for an hour at bed-time, using ifup/ifdown from crontab, but I believe my ISP has optimisations running and frequent restarts would adversely affect performance/QoS.
Long ago I found that I had to reorder rules for this to work, and software offloading needs to be off; otherwise, once a connection gets established, the firewall rules don't break it when your rules trigger. For starters I would check if offloading is off.
Your son has an already open TCP connection to Slack. In general the firewall rules apply to new connections as they are created. On the command line, cat /proc/net/nf_conntrack will show you which connections are listed as already open.
Is your son on WiFi? If so then an option may be to very briefly turn off WiFi and then turn it back on. This will break the existing connection, and the firewall rule will then prevent reconnection.
I would tend to focus on LAN interventions, and leave your WAN connection running.
echo f > /proc/net/nf_conntrack (OpenWrt specific extension) should have the same effect as conntrack --flush, without the need to install an additional package.
A somewhat more blunt /etc/init.d/firewall restart (not reload) should have a similar effect. All established conntrack sessions will get flushed.
If you happen to know the current IPv4 addresses of your kids' devices, you could also selectively flush just their conntrack streams using echo 1.2.3.4 > /proc/net/nf_conntrack, where 1.2.3.4 is the IP address in question.
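Putting the selective-flush advice above together with the question's cron idea, here is an added example script (not posted by anyone in this thread) that resolves the restricted devices' MAC addresses to their current IPv4 addresses via the kernel ARP table and then flushes only those devices' conntrack entries, so established sessions drop at the moment the time-based REJECT rules start. It assumes the OpenWrt-specific write interface of /proc/net/nf_conntrack described above (writing "f" flushes everything, writing an address flushes that address's entries); the MAC addresses, the script path in the cron lines, and the ARP_TABLE/CONNTRACK overrides are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: at the start of a time-based REJECT
# rule, tear down the restricted devices' established sessions so the rule
# actually takes effect. Relies on the OpenWrt write extension of
# /proc/net/nf_conntrack quoted in the thread. The MACs are constructed
# placeholders; replace them with the src_mac values from your rules.

KIDS_MACS="aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02"
ARP_TABLE=${ARP_TABLE:-/proc/net/arp}              # overridable for testing
CONNTRACK=${CONNTRACK:-/proc/net/nf_conntrack}     # overridable for testing
FULL_FLUSH_FALLBACK=${FULL_FLUSH_FALLBACK:-0}      # 1 = flush everything if no IP found

# mac_to_ips MAC... : read the kernel ARP table on stdin and print the IPv4
# address of every entry whose hardware address is in the list. Matching is
# case-insensitive; incomplete entries (flags 0x0) are skipped.
# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
mac_to_ips() {
    awk -v macs="$*" '
        BEGIN { n = split(tolower(macs), m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NR > 1 && $3 != "0x0" { k = tolower($4); if (k in want) print $1 }
    '
}

# flush_ips : read IPv4 addresses on stdin and flush their conntrack entries.
# Returns 0 if at least one address was flushed, 1 otherwise (after a full
# flush when FULL_FLUSH_FALLBACK=1). Appending is used so the same code can
# be exercised against a regular file; procfs ignores the file offset.
flush_ips() {
    found=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "$ip" >> "$CONNTRACK"
        found=1
    done
    if [ "$found" -eq 0 ] && [ "$FULL_FLUSH_FALLBACK" -eq 1 ]; then
        echo f >> "$CONNTRACK"
    fi
    [ "$found" -eq 1 ]
}

# Entry point for cron. Assumed crontab lines matching the rule starts in the
# question (21:00 Sun-Thu and 00:00 Mon-Fri); the script path is an assumption:
#   0 21 * * 0-4 /root/flush-kids.sh --run
#   0 0  * * 1-5 /root/flush-kids.sh --run
if [ "${1:-}" = "--run" ]; then
    # word splitting of KIDS_MACS is intended here
    mac_to_ips $KIDS_MACS < "$ARP_TABLE" | flush_ips
fi
```

Flushing only the restricted devices' entries keeps everyone else's sessions intact, which is why the full flush is opt-in rather than the default: a device absent from the ARP table has no recent LAN traffic, so there is normally nothing to flush for it, and the blunt full flush (equivalent to the firewall restart mentioned above) costs every other client a reconnect. As the thread notes, none of this helps while software flow offloading is enabled, so check that first.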
The idea was to move them onto a dedicated 'kids' WLAN; most wireless (radio) hardware supports 4 concurrent (V)AP interfaces (sharing the same channels, of course). That would allow you to move all restricted devices into the dedicated firewall zone, using a different ESSID/PSK.
What @vgaetera pointed out and is reflected in the Wiki is the way to go. Reordering the rules plus disabling Software Offloading works. This is how it works fine for me. As long as your time-based DROP/REJECT rules are before these ones: