Time-based firewall rules not working

Hi all! I am very new to OpenWrt. Earlier this week I installed OpenWrt, and below is my config.

Model: Netgear Nighthawk X4 R7500
Architecture: ARMv7 Processor rev 0 (v7l)
Firmware Version: OpenWrt 18.06.5 r7897-9d401013fc / LuCI openwrt-18.06 branch (git-19.309.48729-bc17ef6)
Kernel Version: 4.14.151

Everything is working fine, but I wanted to restrict internet from 10 PM ET to 11 PM. So I created the traffic rule below with "Time in UTC" checked. (I also tried without checking the checkbox and providing 22:00:00 and 23:00:00 as the start and end times.)

config rule
        option src '*'
        option proto 'all'
        option start_date '2019-12-27'
        option target 'REJECT'
        option start_time '03:00:00'
        option stop_time '04:00:01'
        option name 'All days'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        option dest '*'
        option monthdays '1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31'

Somehow this won't stop the internet at the specified time. Am I doing anything wrong?

Additionally, I see the error message below in the system log, several times every minute. It may not be related; I read the other thread about the same error but could not find any solution there. I did not install anything other than the base firmware.

Sun Dec 29 11:38:09 2019 kern.err kernel: [126594.149932] cpufreq: __target_index: Failed to change cpu frequency: -22
Sun Dec 29 11:38:09 2019 kern.err kernel: [126594.197826] cpu cpu1: _set_opp_voltage: failed to set voltage (995000 995000 995000 mV): -22

Appreciate any kind of help to make this work.

Which package have you installed for 'Access Control'?

Did not install anything. Just did the factory install. And created a new traffic rule which seems to have worked for a while though.

Am I supposed to install something?

Instead of blocking traffic using a rule, I disabled forwarding completely, then enabled it temporarily using a rule:

config rule
        option target 'ACCEPT'
        option src 'kid'
        option name 'KID semana'
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '17:00:00'
        option dest 'wan'
        option stop_time '21:55:00'

config rule
        option target 'ACCEPT'
        option src 'kid'
        option name 'KID fin semana'
        option weekdays 'Sun Sat'
        option stop_time '22:55:00'
        option dest 'wan'
        option start_time '10:00:00'


Thank you, eduperez! I will try this. How do I disable forwarding completely? Also, what is src 'kid' in your rule?

Same behaviour here, and I have been trying to pinpoint the problem for months; I confess that I'm not working that hard on it, though... Here are the hypotheses I have on this situation for now:

  • Might have to do with the way the conversation was started (e.g. from inbound or from outbound). In this case maybe we need 2 rules, one to block in-to-out and another one for out-to-in.
  • Might be linked to UPnP. Maybe that helps evade restrictions. My router has it enabled for those pesky Xboxes...
  • Already started connections seem not to be dropped, so something like a tunnel would not close immediately.
  • I'm using specific MAC devices to inject the curfew surgically, so this might also be a factor.

The moment I hit "Restart firewall" whenever I observe this inconsistency, my kids run down from their bedroom asking if the Internet is down; nope, it's just time for a meal!

Beware of smart kids like mine who connect to the guest WiFi, when you forget to close it after a party, to bypass these restrictions :rofl:

Edit: OpenWrt 18.06.4 r7808-ef686b7292

Edit 2: (Removed, misleading)

Edit 3: This is not UPnP. It is the way the rules are ordered that prevents this, and there is a brief explanation in this OpenWrt wiki. You actually need to kill the active connections, because they are not dropped while new ones are blocked.

Using the Scheduled Tasks, this is how I kill the WiFi connection of the clients, by MAC, on which I want the rules to be enforced (restarting the firewall is too intrusive, as it resets the connections for everybody):

# Enforce curfew for Kid1
00 12,18,21 * * * ubus call hostapd.wlan0 del_client "{'addr':'AA:BB:CC:DD:EE:FF', 'reason':5, 'deauth':true, 'ban_time':60000}"
00 12,18,21 * * * ubus call hostapd.wlan1 del_client "{'addr':'AA:BB:CC:DD:EE:FF', 'reason':5, 'deauth':true, 'ban_time':60000}"
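The point in Edit 3 above is that the firewall's new REJECT only applies to new connections; flows that conntrack already knows keep passing until something tears them down. The poster's cron job does that by deauthenticating the Wi-Fi client. As an added example that is not the poster's script, the one below takes the narrower route of deleting the client's conntrack entries instead, which also covers wired clients and does not knock the device off Wi-Fi. It assumes the `conntrack-tools` package (the `conntrack -D` command) is installed on the router, and that dnsmasq writes `/tmp/dhcp.leases` in its usual `<expiry> <mac> <ip> <hostname> <client-id>` layout; the lease lines embedded here are constructed for the offline demo, and the MACs in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): when a curfew window opens, drop the
# restricted clients' existing flows so they hit the new rule on their next
# packet. Assumes conntrack-tools on the router and the dnsmasq lease format.

# ips_for_macs MAC... -> one lease IP per line for the listed MACs; the lease
# file is read on stdin so it can be /tmp/dhcp.leases or a constructed sample.
ips_for_macs() {
    wanted=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"   # lease MACs are lowercase
    while read -r _expiry mac ip _rest; do
        case "$wanted" in *" $mac "*) echo "$ip" ;; esac
    done
}

# flush_flows_for IP... -> delete conntrack entries where the address is the
# original source or destination. DRY_RUN=1 prints the commands instead.
flush_flows_for() {
    for ip in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "conntrack -D -s $ip; conntrack -D -d $ip"
        else
            conntrack -D -s "$ip"
            conntrack -D -d "$ip"
        fi
    done
}

# curfew_kick MAC... (lease file on stdin) -> flush flows of every listed MAC
# that currently holds a lease. A cron line such as
#   00 12,18,21 * * * /root/curfew_kick.sh < /tmp/dhcp.leases   (constructed path)
# runs it at the same minutes the firewall windows open.
curfew_kick() {
    ips=$(ips_for_macs "$@")
    [ -n "$ips" ] || return 0
    # word-splitting $ips on newlines is intended here
    flush_flows_for $ips
}

# Constructed sample lease file (placeholder MACs, not a real capture).
SAMPLE_LEASES='1577654321 aa:bb:cc:dd:ee:ff 192.168.1.23 kid1-phone 01:aa:bb:cc:dd:ee:ff
1577654400 11:22:33:44:55:66 192.168.1.24 kid1-xbox *
1577655000 de:ad:be:ef:00:01 192.168.1.50 parent-laptop 01:de:ad:be:ef:00:01'

# Offline demo: DRY_RUN prints what would be deleted for the two kid devices.
DRY_RUN=1
printf '%s\n' "$SAMPLE_LEASES" | curfew_kick AA:BB:CC:DD:EE:FF 11:22:33:44:55:66
```

To deploy it, remove the `DRY_RUN=1` line, feed the real lease file on stdin, and schedule it for the minute each REJECT window begins; the firewall rule then handles every packet that follows. Clients with a static address outside DHCP will not appear in the lease file, so list their IPs directly with `flush_flows_for` instead.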

In my installation, the "kid" network is the one that has restrictions applied.

DjiPi, thank you for the detailed hypotheses. You are right, I think I may have multiple rules that conflict with each other. My internet has been behaving super weird in the last 24 hours. It goes off for some devices and not for others, and comes back after a while. I never created any rules based on MAC address.

I am not a network expert, and it is taking a lot of time to go through each option and understand it. There are just so many options that came with the factory installation.

So I deleted the only forward rule I created, and the internet seems to be stable at the moment.

Like your trick of restarting the firewall, lol!!

Will try eduperez's method and see if that works. Will keep you all posted.

Quick update. I kind of made it work, but it is not consistent. It works roughly 8 out of 10 times.

First off, I had UTC as the system time (silly me), and hence it was working sometimes when I set the start and end times in UTC. Then I changed the system time to ET, and it is working at the expected interval, but not always. Still trying to understand if there is a conflicting rule.

Tried creating 2 rules, 1 for Accept and the other for Reject; still no luck. Will provide an update when I figure it out.

I have 2 questions.

1) Sometimes the computer from which I set up the firewall blocking rule (wireless, not connected via RJ45) is still able to access the internet while all other devices cannot. Is this expected behavior?

2) Do I need to reboot the router every time I create a new rule or change an existing one?

@bluspider, welcome to the community!

/etc/init.d/firewall reload

There's also a button on the web GUI. You must reapply/reload the firewall before the rules take effect.

Thank you! I will try to reload and let you know.

Update: I see the output below. Should I be worried about the warning about ipset?

root@SPERIKAL:~# /etc/init.d/firewall reload
Warning: Unable to locate ipset utility, disabling ipset support
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Block AFT930PM'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Block AFT930PM'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on

Did you install ipset?

https://openwrt.org/packages/pkgdata/ipset


Just installed ipset. Now I don't see the warning when I reloaded the firewall.


After installing ipset everything is working perfectly. Thank you all!


Can you share your rules?

Here you go...

config rule
        option target 'REJECT'
        option proto 'all'
        option src 'lan'
        option name 'SP Block WKNDs'
        option weekdays 'Sun Sat'
        option dest 'wan'
        option start_time '22:00:00'
        option stop_time '22:30:00'

config rule
        option src 'lan'
        option target 'REJECT'
        option proto 'all'
        option name 'Block WK Dys AFT930PM'
        option weekdays 'Mon Tue Wed Thu Fri'
        option dest 'wan'
        option start_time '21:30:00'
        option stop_time '22:00:03'

config rule
        option src 'lan'
        option proto 'all'
        option target 'REJECT'
        option weekdays 'Sun Sat'
        option start_time '16:00:00'
        option name 'WKNDs-II'
        option dest 'wan'
        option stop_time '17:45:00'

