Rules for hosts group to limit access based on time schedule

Hi,

I have installed OpenWrt 18 on an Archer C50. All is fine for now, but I am missing a feature:

  • Time-based access limitation for kids' devices.

I haven't been able to find how to:

  • Create a group of hosts
  • Make a rule to deny internet access to this group on a time based schedule.

I tried using FWBuilder, but importing the rule set from OpenWrt gave so much stuff that I did not try messing with that.

  • Create a VLAN for those users
  • Create a wireless SSID
  • Create a deny firewall rule with a time schedule
  • Alternatively, you can reserve IPs via DHCP for their devices on the same LAN, and then apply the firewall rules per IP (or block of IPs)
  • Done!

Well, in the meantime I found another post explaining how to build a forward rule to deny access for a single host at specific times.

I think that what will work for me is:

  • fixed IP addresses in the DHCP range for every known device
  • subnetting these IPs to be able to group them in a rule
  • make a block rule for IPs in the target subnet
  • make an allow rule for each different time slice I need for the given target

This should do the job, but will only allow simple IP groups and limited time schedules, otherwise it will be hell to manage (without making errors). Manually grouping IPs in a subnet is clumsy (imho).

My point with this topic was that making a rule is not complicated. Making one rule for each IP/time slice combination will quickly be a mess, and I was wondering if there was not a smart way of doing this.

Regards and thank you for the feedback,

PS: link to the single host / time deny rule: [Deny host at specific time](https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls)

Hi,

A little feedback on the "parental control" configuration for OpenWrt:

  • Subnetting DHCP preset IPs works to group hosts
  • Time auth rules for the subnet followed by a block subnet works to keep things flexible and manageable

However, as pointed out in the original post, established connections do not get closed when the end of the authorized time is reached.

Is there a technical reason for not inserting the custom forward rules before the standard OpenWrt rules? Or a GUI way of setting the rule order in chains would be great?

Regards,

You can use an ipset to match any of the IP addresses you are filtering with just one rule.

Also, the whole thing will be problematic with IPv6. For that, a separate VLAN would be best.

What is an IPSet? How do you define one? How do you reference it from the forward rule GUI?

Hopefully this will help: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset

:+1: This is the exact feature I was looking for. I wish it was in the standard build.

However, the availability of ip_set will not change the fact that connected streams will not get disconnected when the allowed time window expires.

True. If you put the devices on their own VLAN you could have cron shut down the whole VLAN, or if a blip in connectivity is OK, you could just have cron restart networking for the whole device.
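
The ipset approach suggested in the thread, as an added example that is not from any of the posters: a sketch of `/etc/config/firewall` that groups the devices in one set and uses one timed rule per time slice instead of one per IP/time-slice pair. The set name, addresses and times are constructed, and it assumes a firewall version whose `ipset` section accepts `list entry`.

```uci
# /etc/config/firewall (fragment; added example, values are constructed)

# One set for the whole group. The addresses are assumed to be the
# devices' static DHCP leases. IPv4 only: IPv6 traffic from the same
# devices is not matched by this set.
config ipset
	option name 'kids'
	option family 'ipv4'
	option match 'src_ip'
	option storage 'hash'
	list entry '192.168.1.50'
	list entry '192.168.1.51'
	list entry '192.168.1.52'

# Time slice 1: reject LAN -> WAN forwarding for the set every night.
config rule
	option name 'kids-block-night'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	option proto 'all'
	option ipset 'kids'
	option start_time '21:00:00'
	option stop_time '07:00:00'
	option target 'REJECT'

# Time slice 2: same set, weekday daytime window.
# Adding a device means adding one 'list entry', not more rules.
config rule
	option name 'kids-block-weekday-daytime'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	option proto 'all'
	option ipset 'kids'
	option start_time '08:00:00'
	option stop_time '16:00:00'
	option weekdays 'Mon Tue Wed Thu Fri'
	option target 'REJECT'
```

As noted in the thread, connections that are already established when a window starts are not closed by these rules.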