Parental Controls on BT Home Hub

Hi
I have a BT Home Hub 5a running OpenWRT 19.07.3.

I have set up parental control using a firewall rule with time restrictions.
The values are below; however, it's not working and access is NOT restricted.
I used LuCI to enter the values, following the guide below:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls


Forwarded IPv4 and IPv6
From lan, IP 192.168.1.170, fd55:6d8:7a1e:0:64e:afff:fe1a:4ea8

To wan

Reject forward

General Settings are below

Protocol = Any
Source zone = Lan
Source address = 192.168.1.170 ( LGTV.lan ); fd55:6d8:7a1e:0:64e:afff:fe1a:4ea8 ( LGTV.lan )

Destination zone = Wan
Destination address = -- add IP --
Action = Reject

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi

Output below with passwords and MACs replaced with XXXXXXXXXXXXXXXXXXXXXXXXXX


----Network----

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ' xxxxxxxxxxxxxxxxxxxxxxxx'

config dsl 'dsl'
        option ds_snr_offset '0'
        option xfer_mode 'ptm'
        option line_mode 'vdsl'
        option tone 'a'
        option annex 'b'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr ' xxxxxxxxxxxxxxxxxxxxxxxx'

config interface 'wan'
        option proto 'pppoe'
        option ipv6 '1'
        option username ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option password 'BT'
        option ifname 'dsl0.101'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr ' xxxxxxxxxxxxxxxxxxxxxxxx'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'


------------------------------------------------------------------------------------------

----Wireless----

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option encryption 'psk2'
        option ssid ' xxxxxxxxxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option encryption 'psk2'
        option ssid ' xxxxxxxxxxxxxxxxxxxxxxxx'

----------------------------------------------------------------------------------------

----DHCP----

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option name 'YCC-Camera'
        option dns '1'
        option ip '192.168.1.243'

config host
        option mac ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option name 'Front-Camera'
        option dns '1'
        option ip '192.168.1.217'

config host
        option mac ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option name 'LGTV'
        option dns '1'
        option ip '192.168.1.170'

config host
        option mac ' xxxxxxxxxxxxxxxxxxxxxxxx'
        option name 'AppleTV'
        option dns '1'
        option ip '192.168.1.180'

--------------------------------------------------------------------------------

----Firewall----

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'LG TV'
        option target 'REJECT'
        option dest 'wan'
        option src 'lan'
        option start_time '09:00:00'
        option utc_time '1'
        option stop_time '21:00:00'
        option weekdays 'Sun Mon'
        list proto 'all'
        list src_ip '192.168.1.170'
        list src_ip 'fd55:6d8:7a1e:0:64e:afff:fe1a:4ea8'

config rule
        option name 'Apple TV'
        option target 'REJECT'
        option dest 'wan'
        option src 'lan'
        option weekdays 'Sun'
        option stop_time '20:00:00'
        option start_time '19:00:00'
        option stop_date '2020-06-14'
        option start_date '2020-06-14'
        list src_ip '192.168.1.180'
        list src_ip 'fd55:6d8:7a1e:0:34a3:91b9:665b:c5c'

config rule
        option name 'Onleplustest'
        option stop_date '2020-06-14'
        option start_date '2020-06-14'
        list proto 'all'
        option dest 'wan'
        option src 'lan'
        option target 'DROP'
        option start_time '23:05:00'
        option stop_time '23:07:00'
        list src_ip '192.168.1.241'
        option weekdays 'Sun'
        option utc_time '1'



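Unless you are doing NAT6, the ULA address (the fd55:… one) will never be used to access the internet, so a rule matching it has no effect on internet traffic. If you have IPv6 you would need to block the GUA (the device's global address) instead, so it is better to block the MAC address, which matches the device for both IPv4 and IPv6. A MAC match only applies to the MAC the device actually presents, so make sure the device is not using a randomised/private MAC address on this network.
Also, did you reorder the rules as mentioned at the bottom of the page?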


Hi

I chose the ip addresses from the drop down menu, when you click ADD IP address in the firewall rule.
The IP address is shown with the MAC address, however ONLY the IP address is shown after selected.
There is NO way to select the MAC address and it is not accepted when entered in the Custom field.
Note, all the configuration is done in LUCI.

I have not reordered the rules..

The MAC address drop down list is in the advanced settings tab.
image
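You'll also need to use ssh to connect to the device and reorder the rules; otherwise you'll only be blocking new connections. By default the FORWARD rule that accepts RELATED/ESTABLISHED connections is evaluated before the time-restricted rules, so a connection that was already open when the restriction starts keeps working until the rules are reordered.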

Hi Trendy

Thanks for your help !
Adding the MAC address in the advanced settings and reordering the rules resolved my problem.
I'm curious as to why the MAC address option was not mentioned in the instructions, or maybe I didn't read them properly?
I presume that reordering the rules is a one-time action?

Thanks and regards

Step 6

Select Source MAC address or Source address

Correct.

Hi Trendy

Yes, MAC address was there, however, as the instructions were a bit old the gui options are different.
I didn't want to mess with the advanced section as I didn't want to cause any other problems. Your pointer helped to correct that.

One other query: I have set up a new rule using the instructions and your pointers; however, the internet is still available. I have rebooted the router, but no joy. Do I have to run the reorder script again after adding a new rule or modifying an existing rule?
Can it be rerun more than once without any adverse effect?

Thanks & Regards

Hi Trendy

FYI, I reran the reorder script and got the following output, in case it helps ...
There seems to be an error: "! Skipping due to different family of ip address".

root@BTHH5a:~# cat << "EOF" > /etc/firewall.estab
> for IPT in iptables ip6tables
> do
| sed -e "/FORWARD.*ESTABLISHED/d;
> ${IPT}-save -c -t filter \
> | sed -e "/FORWARD.*ESTABLISHED/d;
> /FORWARD.*reject/i $(${IPT}-save -c -t filter \
> | sed -n -e "/FORWARD.*ESTABLISHED/p")" \
> | ${IPT}-restore -c -T filter
> done
> EOF
root@BTHH5a:~#
root@BTHH5a:~# uci -q delete firewall.estab
root@BTHH5a:~# uci set firewall.estab="include"
root@BTHH5a:~# uci set firewall.estab.path="/etc/firewall.estab"
root@BTHH5a:~# uci set firewall.estab.reload="1"
root@BTHH5a:~# uci commit firewall
root@BTHH5a:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[10] (Apple TV - Morninig) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'LG TV'
   * Rule 'Apple TV - Morninig'
   * Rule 'AppleTV-PM'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'LG TV'
     ! Skipping due to different family of ip address
   * Rule 'Apple TV - Morninig'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'AppleTV-PM'
     ! Skipping due to different family of ip address
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/firewall.estab'
root@BTHH5a:~#
root@BTHH5a:~# echo /etc/firewall.estab >>/etc/sysupgrade.conf

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Hard to say without seeing the rule.

No, the script is saved in /etc/firewall.estab and is run on every restart of the firewall.

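This is normal: the rule contains an IPv4 address, which cannot be used in ip6tables, so the rule is skipped when the IPv6 filter table is built and the device's IPv6 traffic is not restricted by it. That is why I told you it is better to use the MAC address instead of the IP address.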

Hi Trendy

My firewall config file is below. ONEPLUSTEST is working, but I have it disabled and only use it for testing.
Apple TV PM is the one that is not working; let me know if you need any other config files or logs.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'LG TV'
        option target 'REJECT'
        option dest 'wan'
        option src 'lan'
        option start_time '09:00:00'
        option utc_time '1'
        list proto 'all'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        list src_ip '192.168.1.170'
        option stop_time '11:00:00'
        list src_mac 'XXXXXXXXXXXX'

config rule
        option target 'REJECT'
        option dest 'wan'
        option src 'lan'
        option utc_time '1'
        list src_mac ''XXXXXXXXXXXX''
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        list src_ip '192.168.1.180'
        option start_time '08:00:00'
        option stop_time '11:00:00'
        option name 'Apple TV - Morninig'

config rule
        list proto 'all'
        option stop_time '23:00:00'
        option src 'wan'
        list src_ip '192.168.1.180'
        option dest 'lan'
        option start_time '11:01:00'
        option target 'DROP'
        list src_mac ''XXXXXXXXXXXX''
        option name 'AppleTV-PM'
        option utc_time '1'

config rule
        option name 'Onleplustest'
        list proto 'all'
        option dest 'wan'
        option src 'lan'
        option target 'DROP'
        option utc_time '1'
        option start_time '00:00:00'
        list src_mac ''XXXXXXXXXXXX''
        list src_ip '192.168.1.234'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        option stop_time '23:59:00'
        option enabled '0'

config rule
        list proto 'all'
        option name 'Mini Galaxy Tab'
        list src_ip '192.168.1.213'
        option dest 'lan'
        option target 'DROP'
        option src 'lan'
        list src_mac ''XXXXXXXXXXXX''
        option enabled '0'
        option utc_time '1'

config rule
        list proto 'all'
        option name 'S7 Edge'
        list src_ip '192.168.1.246'
        option dest 'lan'
        option src 'lan'
        list src_mac ''XXXXXXXXXXXX''
        option target 'DROP'
        option enabled '0'
        option utc_time '1'

config include 'estab'
        option path '/etc/firewall.estab'
        option reload '1'

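The source and destination zones are reversed: the AppleTV-PM rule has src 'wan' and dest 'lan', so it does not match traffic going from the lan device out to the internet.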

Hi Trendy

That's strange, as they were showing correctly in the GUI. Anyway, I have redone the rule and listed the config below, because it's still not working. I have also uploaded a screenshot of the rules.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'LG TV'
        option dest 'wan'
        option src 'lan'
        option start_time '09:00:00'
        option utc_time '1'
        list proto 'all'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        list src_ip '192.168.1.170'
        option stop_time '11:00:00'
        list src_mac 'xxxxxxxxxxxxxxxxxxxx'
        option target 'DROP'

config rule
        option target 'REJECT'
        option dest 'wan'
        option src 'lan'
        option utc_time '1'
        list src_mac  'xxxxxxxxxxxxxxxxxxxx'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        list src_ip '192.168.1.180'
        option start_time '08:00:00'
        option stop_time '11:00:00'
        option name 'Apple TV - Morninig'

config rule
        list proto 'all'
        option stop_time '23:00:00'
        list src_ip '192.168.1.180'
        option start_time '11:01:00'
        option target 'DROP'
        list src_mac 'xxxxxxxxxxxxxxxxxxxx'
        option name 'AppleTV-PM'
        option utc_time '1'
        option dest 'wan'
        option src 'lan'

config rule
        option name 'Onleplustest'
        list proto 'all'
        option dest 'wan'
        option src 'lan'
        option target 'DROP'
        option utc_time '1'
        option start_time '00:00:00'
        list src_mac 'xxxxxxxxxxxxxxxxxxxx'
        list src_ip '192.168.1.234'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        option stop_time '23:59:00'
        option enabled '0'

config rule
        list proto 'all'
        option name 'Mini Galaxy Tab'
        list src_ip '192.168.1.213'
        option target 'DROP'
        option src 'lan'
        list src_mac 'xxxxxxxxxxxxxxxxxxxx'
        option enabled '0'
        option utc_time '1'
        option dest 'wan'

config rule
        list proto 'all'
        option name 'S7 Edge'
        list src_ip '192.168.1.246'
        option src 'lan'
        list src_mac'xxxxxxxxxxxxxxxxxxxx'
        option target 'DROP'
        option enabled '0'
        option utc_time '1'
        option dest 'wan'

config include 'estab'
        option path '/etc/firewall.estab'
        option reload '1'

The weekdays are missing (for example, the AppleTV-PM rule has no weekdays option). Also, there is no point in applying a rule to the IPv6 family when it uses an IPv4 address.
Use only the MAC address and assign the rule to both families.

Hi Trendy

I will restrict the IP family to IPv4 only; however, the strange thing is that the firewall config is not reporting the correct details, because I had the weekdays checked. Please see the screenshots below.

Yesterday when you said the LAN & WAN choices needed to be reversed, they were, however, were NOT showing correctly in the firewall config..

I haven't changed the config since sending you the firewall config and the screenshots below are showing the weekdays.

Thanks for your support

I was only allowed to upload ONE image

I tried it myself, and whether you tick all weekdays or leave them unticked with "Any Day", the result in the actual iptables rule is the same.
Regarding how LuCI shows the options: it reads the configuration from the same file that uci reads, so I doubt that one shows the configuration correctly and the other does not.
Anyway, post the low-level rules here so we can see what the issue might be (this output includes the MAC addresses used in your rules, so redact them along with any public IP addresses before posting):
iptables-save -c

Hi Trendy

I agree with you that luci reads the same config file, but its strange...
Anyway, below is the output file you requested and thanks for your support !

# Generated by iptables-save v1.8.3 on Wed Jun 17 21:51:20 2020
*nat
:PREROUTING ACCEPT [55552:5007767]
:INPUT ACCEPT [4662:526653]
:OUTPUT ACCEPT [12570:895532]
:POSTROUTING ACCEPT [288:44630]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[55552:5007767] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[52523:4845803] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3029:161964] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[20449:1396971] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[243:41950] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[20161:1352341] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[243:41950] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[52523:4845803] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[20161:1352341] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[20161:1352341] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3029:161964] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Jun 17 21:51:20 2020
# Generated by iptables-save v1.8.3 on Wed Jun 17 21:51:20 2020
*mangle
:PREROUTING ACCEPT [7631251:7306625520]
:INPUT ACCEPT [29651:3403310]
:FORWARD ACCEPT [7590707:7299839583]
:OUTPUT ACCEPT [27226:3407960]
:POSTROUTING ACCEPT [7585191:7300994457]
[22066:1390643] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Jun 17 21:51:20 2020
# Generated by iptables-save v1.8.3 on Wed Jun 17 21:51:20 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[755:67222] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[28898:3336168] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[15974:2281900] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2797:116308] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[7644:802160] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[5280:252108] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[7590707:7299839583] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2571260:168340338] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[5019447:7131499245] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[5019444:7131498273] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[755:67222] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[26475:3342178] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[13649:2415445] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[487:70705] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[12339:856028] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[4740:194324] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[273:48166] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2797:116308] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[490:71677] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2571260:168340338] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -s 192.168.1.170/32 -m mac --mac-source 04:4E:AF:1A:4E:A8 -m time --timestart 09:00:00 --timestop 11:00:00 -m comment --comment "!fw3: LG TV" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.180/32 -p tcp -m mac --mac-source 90:DD:5D:C4:4D:55 -m time --timestart 08:00:00 --timestop 11:00:00 -m comment --comment "!fw3: Apple TV - Morninig" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -s 192.168.1.180/32 -p udp -m mac --mac-source 90:DD:5D:C4:4D:55 -m time --timestart 08:00:00 --timestop 11:00:00 -m comment --comment "!fw3: Apple TV - Morninig" -j zone_wan_dest_REJECT
[32566:2273116] -A zone_lan_forward -s 192.168.1.180/32 -m mac --mac-source 90:DD:5D:C4:4D:55 -m time --timestart 11:01:00 --timestop 23:00:00 -m comment --comment "!fw3: AppleTV-PM" -j zone_wan_dest_DROP
[2538694:166067222] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7644:802160] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7644:802160] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[487:70705] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[487:70705] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7644:802160] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[608:34217] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2550425:166889033] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[32566:2273116] -A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[5019447:7131499245] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[3:972] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5019444:7131498273] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[5280:252108] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[14:510] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[253:9108] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[5013:242490] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[12339:856028] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[12339:856028] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[5013:242490] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jun 17 21:51:20 2020

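I don't see anything wrong here. The FORWARD rule which accepts RELATED,ESTABLISHED connections comes after the jump to zone_lan_forward, which matches traffic to be forwarded from lan to wan. That order is correct: the time-restricted rules are also checked for connections that are already open, not only for new ones.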
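The AppleTV-PM rule has hits; the other 3 rules (LG TV and the two Apple TV morning rules) don't have any hits, so either there was no connection attempt between 8:00 and 11:00 or the IP/MAC is wrong for the LG TV rule. Keep in mind that the time match compares against UTC unless the rule carries `--kerneltz`, which these rules do not show, so the blocked window may be shifted relative to your local time.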