OK, I feel like an idiot because I'm definitely missing something obvious.
I'm trying to set up an SSID for my kids to use that disables the internet at bedtime.
I keep seeing over and over again "make sure you reorder the firewall rules" and a link to this stub of instructions that I can't make heads or tails of. https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections
How do I determine in what order my Firewall rules should be in?
What comes first?
What needs to come after the time restriction?
Am I supposed to take the text in that little amputated instruction and put it in the command line? (Which I can only infer from the "cat" command.)
The first line creates a file named "/etc/nftables.d/estab.sh", and then does all of it end up in the file?
I've been bashing my head into one roadblock or another for hours trying to set up a simple "hey, it's after 8 pm, no internet on the SSID 'Kids'".
Feel free to call me an idiot for missing something very basic, I sure as "crap" feel like an idiot.
In a nutshell, the firewall by default allows responses to already allowed packets, or keeps allowing all packets which belong to an established connection.
That means that if a kid connects to YouTube at 21:59, keeps the connection open at all times, and the parental rule starts at 22:00, then the firewall would allow it by default.
But if we re-order the rules, then the parental rule will be evaluated first, and then the RELATED/ESTABLISHED one.
Thank you for your responses. I think I get it now, but I'm at work away from my router. Should I just move the time rule to be the first rule in the firewall stack? Or will that break other things?
I tried running that script and it still wasn't blocking new connections so I assumed I did something wrong. How can I tell if it reordered anything? What should I make sure it is above?
iptables-save -c; ip6tables-save -c; nft list ruleset
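The ordering problem explained above is visible in the text of `nft list ruleset`: within a chain, nftables evaluates rules top to bottom, so a time-restricted drop that is printed after the `ct state established,related accept` line can never hit a flow that was already open. The script below is an added example, not code from this thread or from OpenWrt, that answers "how can I tell if it reordered anything" by locating both rules in a named chain and reporting which comes first. The two rulesets are constructed samples that only approximate fw4 output; the chain name (`forward`), the bridge name (`br-kids`), and the `meta hour` match used to recognise the bedtime rule are assumptions you would adjust to whatever your real ruleset shows.

```shell
#!/bin/sh
# Check whether a time-restricted rule is evaluated before the
# established/related accept in a given nftables chain.
#
# Constructed sample (NOT captured from a real router): the bedtime drop
# sits *after* the conntrack accept in "forward", so open flows bypass it.
WRONG_RULESET='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-kids" meta hour "22:00"-"06:00" counter drop comment "!fw4: Kids_bedtime"
		iifname "br-kids" oifname "wan" accept comment "!fw4: forward kids->wan"
	}
}'

# Constructed sample with the bedtime drop moved *before* the conntrack accept.
RIGHT_RULESET='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "br-kids" meta hour "22:00"-"06:00" counter drop comment "!fw4: Kids_bedtime"
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-kids" oifname "wan" accept comment "!fw4: forward kids->wan"
	}
}'

# rule_line RULESET CHAIN PATTERN
# Print the line number of the first rule inside CHAIN whose text contains
# PATTERN; print nothing if no such rule exists in that chain. Matching is
# scoped to the chain body so the same pattern in another chain is ignored.
rule_line() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        $1 == "chain" && $2 == chain { inchain = 1; next }   # entered the chain
        inchain && $1 == "}"         { inchain = 0 }         # left the chain
        inchain && index($0, pat)    { print NR; exit }      # first match wins
    '
}

# check_order RULESET CHAIN
# Exit 0 when the time-restricted rule (assumed to be the one using a
# "meta hour" match) precedes the established/related accept in CHAIN,
# exit 1 when the accept comes first (bypass), exit 2 when no time rule exists.
check_order() {
    time_rule=$(rule_line "$1" "$2" 'meta hour')
    estab_rule=$(rule_line "$1" "$2" 'ct state established,related accept')
    if [ -z "$time_rule" ]; then
        echo "no time-restricted rule found in chain $2"
        return 2
    fi
    if [ -z "$estab_rule" ] || [ "$time_rule" -lt "$estab_rule" ]; then
        echo "ok: time rule (line $time_rule) precedes established/related accept in chain $2"
        return 0
    fi
    echo "BYPASS: established/related accept (line $estab_rule) precedes time rule (line $time_rule) in chain $2"
    return 1
}

# Run against the constructed samples; the first reports BYPASS, the second ok.
# On the router itself, replace the sample with the live ruleset, e.g.
#   check_order "$(nft list ruleset)" forward
check_order "$WRONG_RULESET" forward || :
check_order "$RIGHT_RULESET" forward || :
```

The check only looks at position within one chain, which is exactly what matters for nftables evaluation; if your bedtime rule lands in a different chain than the conntrack accept (fw4 splits traffic into several chains), run the check against the chain where `nft list ruleset` actually shows the time rule, and treat a report of "no time-restricted rule" as a sign that the rule is not loaded at all, as happened later in this thread when the schedule was disabled.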
-ash: iptables-save: not found
-ash: ip6tables-save: not found
I did about 30 minutes of searching and found out that you accounted for that eventuality, because the third command is for nftables. This also explains why the error shows up so often in the forum and everyone ignores it. LOL, I'm a useless noob.
So my time restrictions rule still isn't working yet, but I should go to bed.
Thanks again for your assistance.
I'm back. I was chasing down a whole other issue where my Kindle would just stop connecting, I think I've fixed it.
Anywho, here are the results, sanitized to the best of my ability.
Is there an easier way than manually redacting in notepad?
Darn it. The firewall rules for time (Ma_timeSchool) would normally be enabled on Sunday and Monday, but I was troubleshooting the connectivity issues above and forgot to reinstate them before grabbing the nft list.
Well thanks again for all of your help but my solution was in another castle. Apparently I'm an idiot and I had two LAN bridges running which was causing all sorts of havoc on my router. Including but not limited to the firewall rules intermittently working and not working.
Again, this was a self-inflicted injury from following an outdated tutorial and the incomplete update to the tutorial for OpenWrt 21. https://youtu.be/4t_S2oWsBpE?t=234 https://youtu.be/qeuZqRqH-ug?t=698
I really wish someone could write a software package to set up VLANs for separate SSIDs; there are an awful lot of "go here, click this, then this, type this, don't do this" steps, and it seems fairly formulaic and repeatable. But that's a topic for another day.