Please help customize firewall rules - time restriction (fw4, OpenWrt 23.05.1)

I have already tried all the options for blocking Internet access by time for some network clients: I looked at the documentation (Time restriction of internet access), asked ChatGPT, Gemini, etc. But I cannot get it to block Internet access for network clients by time. There is one working option, luci-app-accesscontrol, but it uses iptables, and I would not like to see the warning about both nftables and iptables being in use on the routing page. Here are my settings, in case someone can figure it out and help me get this working:
network (port 53 is for AGH)


# /etc/config/network as posted (MAC addresses and PPPoE credentials redacted by the author).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# Physical ports: eth0 is the PPPoE uplink, eth1 feeds br-lan, eth2 feeds br-lan2.
config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:x1'

config device
	option name 'eth2'
	option macaddr 'xx:xx:xx:xx:xx:x2'

config device
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:x3'

# br-lan: single-port bridge (eth1) with IPv6 disabled on the bridge device itself.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'
	option igmp_snooping '1'

# lan: 192.168.2.0/24. ip6assign is set, but the bridge has ipv6 '0' and wan6 is
# disabled below, so no IPv6 prefix is delegated here — presumably a leftover default.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

# wan: PPPoE. peerdns '0' ignores the ISP-supplied resolvers; the two listed servers are
# the router's own upstreams. UCI stores the PPPoE password in clear text in this file.
config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'xxxxxxxx'
	option password 'xxxxxxxxxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '76.76.2.1'

# wan6: DHCPv6 on the uplink, but disabled '1' / auto '0' — it is a member of the wan
# firewall zone yet never comes up.
config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'

# lan2: second, separate segment 192.168.22.0/24 (the Xbox and PC are here, see the
# dhcp host entries).
config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-lan2'
	list ports 'eth2'
	option igmp_snooping '1'
	option ipv6 '0'


firewall
I have tried moving these rules up and down in the firewall config


# /etc/config/firewall as posted. fw4 emits rules in file order, so the relative order of
# the 'config rule' sections matters.
config defaults
	# Defaults for traffic not matched by a zone; the wan zone below overrides input to REJECT.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	# 'fullcone' is not an upstream OpenWrt fw4 option; kmod-nft-fullcone in the package list
	# suggests a patched fw4 build. Full-cone NAT lets any external host reach an internal
	# port once the client has used it outbound — wider exposure than the default NAT,
	# usually enabled for game consoles.
	option fullcone '1'
	# Once a connection is offloaded, its later packets skip the forward chain, so rules
	# evaluated there (including the time-based REJECTs further down) cannot cut it.
	option flow_offloading '1'

# lan and lan2 are fully open towards the router (input ACCEPT). Traffic between the two
# segments is governed by the explicit rules further down; there is no lan<->lan2 forwarding.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

# wan: REJECT inbound, masquerade outbound. wan6 is a member but is disabled in
# /etc/config/network.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# lan -> wan forwarding (lan2 -> wan is declared later, between the IPSec rules).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt Allow-* rules (unchanged defaults), followed by the author's custom rules.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock defaults admitting inbound IPsec (ESP, ISAKMP/UDP 500) towards lan; the author
# duplicated them for lan2 below. Note that NAT-T (UDP 4500) is not covered here but is
# DNAT'ed to the Xbox in the redirect section.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP-lan2'
	list proto 'esp'
	option src 'wan'
	option dest 'lan2'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# lan2 -> wan forwarding.
config forwarding
	option src 'lan2'
	option dest 'wan'

config rule
	option name 'Allow-ISAKMP-lan2'
	list proto 'udp'
	option src 'wan'
	option dest 'lan2'
	option dest_port '500'
	option target 'ACCEPT'

# lan2 may open connections to the printer (192.168.2.44) only.
config rule
	option name 'printer-for-lan2-to'
	option src 'lan2'
	option dest 'lan'
	list dest_ip '192.168.2.44'
	option target 'ACCEPT'

# NOTE(review): fw4 accepts established/related traffic before the zone rules, so replies
# to lan2-initiated print jobs already pass. This rule additionally lets the printer open
# new connections to any lan2 host, which is broader than printing needs.
config rule
	option name 'printer-for-lan2-from'
	option src 'lan'
	list src_ip '192.168.2.44'
	option dest 'lan2'
	option target 'ACCEPT'

# lan may reach the PC in lan2 (192.168.22.22).
config rule
	option name 'lan-to-pc'
	option src 'lan'
	option dest 'lan2'
	list dest_ip '192.168.22.22'
	option target 'ACCEPT'

# Catch-all REJECTs between the two segments. They must stay after the ACCEPT exceptions
# above, since fw4 emits rules in file order.
config rule
	option name 'no-lan-to-lan2'
	option src 'lan'
	option dest 'lan2'
	option target 'REJECT'

config rule
	option name 'no-lan2-to-lan'
	option src 'lan2'
	option dest 'lan'
	option target 'REJECT'

# Fifteen DNAT port forwards from wan to the Xbox (192.168.22.21). Each entry is a
# permanent exposure of that port on the public address. With fullcone NAT enabled in
# 'config defaults', the console is in any case reachable on every port it has itself used
# outbound, so the high ports (49256-57089) look like one-off values; worth confirming they
# are still needed.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '3074'
	option dest_ip '192.168.22.21'
	option dest_port '3074'
	option name 'XB_001_TCP+UDP-3074'

# UDP 3544 is Teredo (IPv6-over-UDP tunnelling).
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'udp'
	option src_dport '3544'
	option dest_ip '192.168.22.21'
	option dest_port '3544'
	option name 'XB_002_UDP-3544'

# UDP 4500 is IPsec NAT-T. Forwarding it to the console means all NAT-T traffic arriving
# on the WAN address goes to the Xbox, so nothing else behind this router can terminate
# NAT-T IPsec (the Allow-ISAKMP rules above only cover UDP 500).
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'udp'
	option src_dport '4500'
	option dest_ip '192.168.22.21'
	option dest_port '4500'
	option name 'XB_003_UDP-4500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '5222'
	option dest_ip '192.168.22.21'
	option dest_port '5222'
	option name 'XB_004_TCP+UDP-5222'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '49256'
	option dest_ip '192.168.22.21'
	option dest_port '49256'
	option name 'XB_005_TCP+UDP-49256'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '51867'
	option dest_ip '192.168.22.21'
	option dest_port '51867'
	option name 'XB_006_TCP+UDP-51867'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '52635'
	option dest_ip '192.168.22.21'
	option dest_port '52635'
	option name 'XB_007_TCP+UDP-52635'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '53044'
	option dest_ip '192.168.22.21'
	option dest_port '53044'
	option name 'XB_008_TCP+UDP-53044'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '53453'
	option dest_ip '192.168.22.21'
	option dest_port '53453'
	option name 'XB_009_TCP+UDP-53453'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '53862'
	option dest_ip '192.168.22.21'
	option dest_port '53862'
	option name 'XB_010_TCP+UDP-53862'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '54271'
	option dest_ip '192.168.22.21'
	option dest_port '54271'
	option name 'XB_011_TCP+UDP-54271'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '54478'
	option dest_ip '192.168.22.21'
	option dest_port '54478'
	option name 'XB_012_TCP+UDP-54478'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '54680'
	option dest_ip '192.168.22.21'
	option dest_port '54680'
	option name 'XB_013_TCP+UDP-54680'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '54837'
	option dest_ip '192.168.22.21'
	option dest_port '54837'
	option name 'XB_014_TCP+UDP-54837'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '57089'
	option dest_ip '192.168.22.21'
	option dest_port '57089'
	option name 'XB_015_TCP+UDP-57089'

# Accept UDP from wan into the multicast range (IPTV). The rule names refer to igmpproxy,
# which does not appear in the installed package list — if no multicast proxy is running
# these rules are dead; keep them only while needed.
config rule
	option name 'Allow-IPTV-IGMPPROXY-LAN'
	option src 'wan'
	option proto 'udp'
	option dest 'lan'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPTV-IGMPPROXY-LAN2'
	option src 'wan'
	option proto 'udp'
	option dest 'lan2'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

# homeproxy (sing-box) injects its own nftables rules into the fw4 table; whatever they do
# is invisible in this UCI file. NOTE(review): if client traffic is diverted there in
# prerouting (tproxy/redirect — kmod-nft-tproxy is installed), it terminates on the router
# and never traverses the forward chains that hold the time rules below. `nft list ruleset`
# shows the effective rules.
config include 'homeproxy_pre'
	option type 'nftables'
	option path '/var/run/homeproxy/fw4_pre.nft'
	option position 'table-pre'

config include 'homeproxy_post'
	option type 'nftables'
	option path '/var/run/homeproxy/fw4_post.nft'
	option position 'table-post'

# Time-restricted REJECT rules — the author's attempts. Points that follow from fw4
# semantics rather than from this file:
#  * the first three give no proto, so fw4 defaults to tcp+udp; ICMP (ping) is not blocked.
#  * src and dest are both set, so these are forward rules. They only see new connections:
#    established/related traffic is accepted before the zone rules, and offloaded flows
#    (flow_offloading '1') bypass the chain entirely.
#  * no weekdays given, so they apply every day; start/stop are interpreted in the router's
#    local time unless utc_time is set — check the clock/time zone on the router.
#  * src_ip matching relies on the DHCP reservations in /etc/config/dhcp; a client that
#    assigns itself a different address is not matched (src_mac is just as easy to change).
config rule
	option name 'xbox-time-shed'
	option src '*'
	list src_ip '192.168.22.21'
	option dest 'wan'
	option target 'REJECT'
	option start_time '21:00:00'
	option stop_time '23:59:59'

config rule
	option name 'pc-time-shed'
	list src_ip '192.168.22.22'
	option dest 'wan'
	option target 'REJECT'
	option start_time '21:30:00'
	option stop_time '23:59:59'
	option src '*'

config rule
	option name 'phone-time-shed'
	option src '*'
	list src_ip '192.168.2.209'
	option dest 'wan'
	option target 'REJECT'
	option start_time '22:00:00'
	option stop_time '23:59:59'

# Variant keyed on MAC (host 'test-pro' in /etc/config/dhcp) with proto 'all', but limited
# to Sundays 18:30-23:00 by 'weekdays' — presumably a test rule.
config rule
	option name 'Filter-Parental-Controls'
	option src 'lan'
	list src_mac 'xx:xx:xx:xx:xx:x4'
	option dest 'wan'
	option target 'REJECT'
	option start_time '18:30:00'
	option stop_time '23:00:00'
	list proto 'all'
	option weekdays 'Sun'

dhcp


# /etc/config/dhcp as posted.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection is switched off here. Clients are pointed at the router
	# (dhcp_option 6 below), where AGH answers on 53 — make sure rebind protection is
	# enabled in AGH instead, otherwise private-range answers from the Internet are accepted.
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Only answer DNS for directly attached subnets.
	option localservice '1'
	# dnsmasq moved to 54 because AGH occupies 53 (see the author's note above).
	option port '54'
	option ednspacket_max '1232'
	option nonegcache '1'

config dhcp 'lan'
	option interface 'lan'
	option start '1'
	option limit '255'
	option leasetime '12h'
	option dhcpv4 'server'
	# Default resolver for clients is the router itself; hosts tagged 'noagh' are handed
	# external resolvers and bypass AGH.
	list dhcp_option '6,192.168.2.1'
	list dhcp_option 'tag:noagh,6,77.88.8.88,1.1.1.2'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# dhcpv4 is not set here; it defaults to 'server'.
config dhcp 'lan2'
	option interface 'lan2'
	option start '1'
	option limit '255'
	option leasetime '12h'
	list dhcp_option '6,192.168.22.1'
	list dhcp_option 'tag:noagh,6,77.88.8.88,1.1.1.2'

# Static reservations. The firewall's src_ip time rules key on these addresses, so they
# only hold as long as the clients keep using DHCP with these MACs.
config host
	option name 'xbox'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.22.21'

config host
	option name 'pc'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.22.22'

# The printer is tagged 'noagh' and therefore resolves via the external servers.
config host
	option name 'prin'
	option ip '192.168.2.44'
	list mac 'xx:xx:xx:xx:xx:xx'
	list tag 'noagh'

config host
	option name 'phone'
	option ip '192.168.2.209'
	list mac 'xx:xx:xx:xx:xx:xx'

# MAC ...:x4 is the one matched by the 'Filter-Parental-Controls' firewall rule.
config host
	option name 'test-pro'
	option ip '192.168.2.223'
	list mac 'xx:xx:xx:xx:xx:x4'

and my packages

6in4
attendedsysupgrade-common
autocore
automount
base-files
bind-dig
bind-libs
block-mount
busybox
ca-bundle
cfdisk
cgi-io
chinadns-ng
coreutils
coreutils-sort
coreutils-timeout
curl
default-settings
dnsmasq-full
dropbear
e2fsprogs
fdisk
firewall4
fstools
fwtool
gawk
getrandom
grep
internet-detector
internet-detector-mod-email
ipv6helper
jansson4
jshn
jsonfilter
kernel
kmod-asn1-decoder
kmod-crypto-aead
kmod-crypto-arc4
kmod-crypto-authenc
kmod-crypto-crc32c
kmod-crypto-ecb
kmod-crypto-hash
kmod-crypto-manager
kmod-crypto-null
kmod-crypto-sha1
kmod-crypto-user
kmod-cryptodev
kmod-fs-exfat
kmod-fs-ext4
kmod-fs-ntfs3
kmod-fs-vfat
kmod-gpio-button-hotplug
kmod-inet-diag
kmod-iptunnel
kmod-iptunnel4
kmod-lib-crc-ccitt
kmod-lib-crc16
kmod-lib-crc32c
kmod-lib-textsearch
kmod-libphy
kmod-macvlan
kmod-mdio-devres
kmod-mii
kmod-mppe
kmod-netlink-diag
kmod-nf-conntrack
kmod-nf-conntrack-netlink
kmod-nf-conntrack6
kmod-nf-flow
kmod-nf-ipt
kmod-nf-log
kmod-nf-log6
kmod-nf-nat
kmod-nf-nathelper
kmod-nf-nathelper-extra
kmod-nf-reject
kmod-nf-reject6
kmod-nf-tproxy
kmod-nfnetlink
kmod-nft-compat
kmod-nft-core
kmod-nft-fib
kmod-nft-fullcone
kmod-nft-nat
kmod-nft-offload
kmod-nft-tproxy
kmod-nls-base
kmod-nls-cp437
kmod-nls-iso8859-1
kmod-nls-utf8
kmod-phy-realtek
kmod-ppp
kmod-pppoe
kmod-pppox
kmod-r8125
kmod-r8169
kmod-scsi-core
kmod-sit
kmod-slhc
kmod-tcp-bbr
kmod-tun
kmod-usb-core
kmod-usb-storage
kmod-usb-storage-extras
kmod-usb-storage-uas
libatomic1
libblkid1
libblobmsg-json20230523
libc
libcomerr0
libcurl4
libext2fs2
libf2fs6
libfdisk1
libgcc1
libgmp10
libiptext-nft0
libiptext0
libiptext6-0
libiwinfo-data
libiwinfo20230701
libjson-c5
libjson-script20230523
liblua5.1.5
liblucihttp-lua
liblucihttp-ucode
liblucihttp0
libmnl0
libmount1
libncurses6
libnetfilter-conntrack3
libnettle8
libnfnetlink0
libnftnl11
libnghttp2-14
libnl-tiny1
libopenssl3
libpcre2
libpthread
libreadline8
librt
libsmartcols1
libss2
libtirpc
libubox20230523
libubus-lua
libubus20230605
libuci-lua
libuci20130104
libuclient20201210
libucode20230711
libustream-openssl20201210
libuuid1
libuv1
libxtables12
logd
losetup
lsof
lua
lua-bit32
luaposix
luci
luci-app-attendedsysupgrade
luci-app-firewall
luci-app-homeproxy
luci-app-internet-detector
luci-app-log-viewer
luci-app-opkg
luci-base
luci-compat
luci-i18n-attendedsysupgrade-ru
luci-i18n-base-ru
luci-i18n-firewall-ru
luci-i18n-internet-detector-ru
luci-i18n-log-viewer-ru
luci-i18n-opkg-ru
luci-lib-base
luci-lib-fs
luci-lib-ip
luci-lib-ipkg
luci-lib-jsonc
luci-lib-nixio
luci-light
luci-lua-runtime
luci-mod-admin-full
luci-mod-network
luci-mod-status
luci-mod-system
luci-proto-ipv6
luci-proto-ppp
luci-theme-bootstrap
mailsend
mkf2fs
mtd
nano
netifd
nftables-json
ntfs3-mount
odhcp6c
odhcpd-ipv6only
openssh-sftp-server
openwrt-keyring
opkg
partx-utils
ppp
ppp-mod-pppoe
procd
procd-seccomp
procd-ujail
r8169-firmware
resize2fs
rpcd
rpcd-mod-file
rpcd-mod-iwinfo
rpcd-mod-luci
rpcd-mod-rpcsys
rpcd-mod-rrdns
rpcd-mod-ucode
sed
shellsync
sing-box
terminfo
uboot-envtools
ubox
ubus
ubusd
uci
uclient-fetch
ucode
ucode-mod-fs
ucode-mod-html
ucode-mod-lua
ucode-mod-math
ucode-mod-ubus
ucode-mod-uci
uhttpd
uhttpd-mod-ubus
urandom-seed
urngd
usign
vsftpd-tls
xtables-nft
zlib
zoneinfo-core
zoneinfo-europe

You did not specify the protocol, so rules will be created for tcp and udp.
If you're using ping (icmp) for the tests, that would explain why (you think) it's not working.
Better add option proto 'all' to the rules to block everything.

Also note that this will not work for already established connections. Here's a workaround.

This is the second time I've seen this. Could you please confirm that this is a valid option for 23.05.1, because it is not for 23.05.0.


Aside from the direct technical suggestions/questions above...

Are you really running 23.05.1??

I ask because this version had some major bug that was discovered while the build process was occurring (I don't remember what it was, though), and it was actually never officially announced. Yes, the files are there and it can be downloaded and installed, but for all practical purposes this version was skipped: 23.05.2 was tagged and released almost immediately after the bug was discovered.

You should be running 23.05.2, and if you wait a short time, 23.05.3 is currently building and may be released quite soon (but please wait for the announcement).


I tried it too, and every time I rebooted the router
Yes, 23.05.1. I also tried a snapshot, and also the ImmortalWrt 23.05 snapshot.

I don't know how to check if it works or not, but I have this option enabled and I haven't seen any errors.

I tried with all proto, tcp, tcp udp.

As I said before, I don't recall what the bug was, but it was a show-stopper. Please install 23.05.2.

# The rule the author reports as working. Compared with the earlier attempts: src 'lan2'
# instead of '*', src_mac instead of src_ip, DROP instead of REJECT, explicit proto 'all',
# and no weekdays (applies every day).
# NOTE(review): there is no 'dest' here. In fw4 a rule with src but no dest is an INPUT
# rule (traffic addressed to the router itself), not a forward rule towards wan. What it
# drops during the window is the console's access to the router — including DNS on
# 192.168.22.1, which lan2 clients get via dhcp_option 6, and DHCP renewals — so "the
# Internet stops" because name resolution fails, while established sessions and new
# direct-IP connections through the forward chain are not affected. Confirm the chain
# with `nft list ruleset`; add `option dest 'wan'` if forwarded traffic is what should be
# blocked.
config rule
	option name 'xbox_time-shed'
	option src 'lan2'
	list src_mac 'xx:xx:xx:xx:xx:xx'
	option target 'DROP'
	option start_time '21:00:00'
	option stop_time '23:59:59'
	list proto 'all'

it is working now
