Time control firewall rules not working in 21.02

Hi

I updated from 19.7 to 21.02 from my own fork repo for a non-supported target, and it seems time-controlled rules for the firewall do not work.

The rules work if I remove the time component but setting a time component fails to make the rules work.

There were no regressions in the documentation about this, so I don't know if this is a known bug.

Here is my repo; it only has patches for my target and custom config to suit my device.

Can you post the fw3 rules and the iptables rules generated?
uci export firewall; iptables-save -c


Here is the output of the above command.

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Adults_Lan'
        option name 'Adults_Zone'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'Wan Wan6'
        option name 'Wan_Zone'

config forwarding
        option src 'Adults_Zone'
        option dest 'Wan_Zone'

config rule
        option src 'Kids_Zone'
        option target 'REJECT'
        option name 'kids block weekdays'
        option dest 'Wan_Zone'
        option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
        option start_time '22:30:00'
        option stop_time '08:00:00'
        list proto 'all'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'Wan_Zone'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Kids_Lan'
        option name 'Kids_Zone'

config forwarding
        option src 'Kids_Zone'
        option dest 'Wan_Zone'

config rule
        option name 'Mr_Sparkle_in'
        list dest_ip '192.168.1.10'
        option target 'ACCEPT'
        option src 'Kids_Zone'
        option dest 'Adults_Zone'
        list proto 'all'
        option weekdays 'Sun Mon Tue Wed Thu'
        option start_time '06:00:00'
        option stop_time '22:30:00'

config rule
        list proto 'all'
        option name 'Mr_Sparkle_out'
        list src_ip '192.168.1.10'
        option target 'ACCEPT'
        option src 'Adults_Zone'
        option dest 'Kids_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Adult_dns_53'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest 'Adults_Zone'
        option src 'Adults_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Kids_dns_53'
        option src_dport '53'
        option dest 'Kids_Zone'
        option dest_ip '192.168.2.1'
        option src 'Kids_Zone'

config rule
        option name 'Block open vpn 1194'
        option src 'Wan_Zone'
        option dest 'Kids_Zone'
        option dest_port '1194'
        option target 'REJECT'

config rule
        option name 'Block openvpn 443'
        option src 'Wan_Zone'
        option dest 'Kids_Zone'
        option dest_port '443'
        option target 'REJECT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

# Generated by iptables-save v1.8.7 on Fri Jun 25 21:26:45 2021
*nat
:PREROUTING ACCEPT [345:50883]
:INPUT ACCEPT [274:27126]
:OUTPUT ACCEPT [112:7349]
:POSTROUTING ACCEPT [86:5665]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_Adults_Zone_rule - [0:0]
:postrouting_Kids_Zone_rule - [0:0]
:postrouting_Wan_Zone_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_Adults_Zone_rule - [0:0]
:prerouting_Kids_Zone_rule - [0:0]
:prerouting_Wan_Zone_rule - [0:0]
:prerouting_rule - [0:0]
:zone_Adults_Zone_postrouting - [0:0]
:zone_Adults_Zone_prerouting - [0:0]
:zone_Kids_Zone_postrouting - [0:0]
:zone_Kids_Zone_prerouting - [0:0]
:zone_Wan_Zone_postrouting - [0:0]
:zone_Wan_Zone_prerouting - [0:0]
[494:60903] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[328:32942] -A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_prerouting
[9:1242] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_prerouting
[157:26719] -A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_prerouting
[264:30212] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_postrouting
[178:24547] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_postrouting
[0:0] -A POSTROUTING -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_postrouting
[0:0] -A MINIUPNPD -p tcp -m tcp --dport 53573 -j DNAT --to-destination 192.168.1.10:53573
[0:0] -A MINIUPNPD -p udp -m udp --dport 53573 -j DNAT --to-destination 192.168.1.10:53573
[0:0] -A MINIUPNPD-POSTROUTING -s 192.168.1.10/32 -p tcp -m tcp --sport 53573 -j MASQUERADE --to-ports 53573
[191:19323] -A MINIUPNPD-POSTROUTING -s 192.168.1.10/32 -p udp -m udp --sport 53573 -j MASQUERADE --to-ports 53573
[0:0] -A zone_Adults_Zone_postrouting -m comment --comment "!fw3: Custom Adults_Zone postrouting rule chain" -j postrouting_Adults_Zone_rule
[328:32942] -A zone_Adults_Zone_prerouting -m comment --comment "!fw3: Custom Adults_Zone prerouting rule chain" -j prerouting_Adults_Zone_rule
[0:0] -A zone_Adults_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j DNAT --to-destination 192.168.1.1:53
[62:4049] -A zone_Adults_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j DNAT --to-destination 192.168.1.1:53
[0:0] -A zone_Kids_Zone_postrouting -m comment --comment "!fw3: Custom Kids_Zone postrouting rule chain" -j postrouting_Kids_Zone_rule
[157:26719] -A zone_Kids_Zone_prerouting -m comment --comment "!fw3: Custom Kids_Zone prerouting rule chain" -j prerouting_Kids_Zone_rule
[0:0] -A zone_Kids_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j DNAT --to-destination 192.168.2.1:53
[87:5971] -A zone_Kids_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j DNAT --to-destination 192.168.2.1:53
[178:24547] -A zone_Wan_Zone_postrouting -m comment --comment "!fw3: Custom Wan_Zone postrouting rule chain" -j postrouting_Wan_Zone_rule
[178:24547] -A zone_Wan_Zone_postrouting -j MINIUPNPD-POSTROUTING
[141:20014] -A zone_Wan_Zone_postrouting -m comment --comment "!fw3" -j MASQUERADE
[9:1242] -A zone_Wan_Zone_prerouting -m comment --comment "!fw3: Custom Wan_Zone prerouting rule chain" -j prerouting_Wan_Zone_rule
[9:1242] -A zone_Wan_Zone_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Jun 25 21:26:45 2021
# Generated by iptables-save v1.8.7 on Fri Jun 25 21:26:45 2021
*raw
:PREROUTING ACCEPT [46499:50619740]
:OUTPUT ACCEPT [3445:2308741]
:zone_Adults_Zone_helper - [0:0]
:zone_Kids_Zone_helper - [0:0]
[6648:973946] -A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3: Adults_Zone CT helper assignment" -j zone_Adults_Zone_helper
[10135:1253720] -A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3: Kids_Zone CT helper assignment" -j zone_Kids_Zone_helper
COMMIT
# Completed on Fri Jun 25 21:26:45 2021
# Generated by iptables-save v1.8.7 on Fri Jun 25 21:26:45 2021
*mangle
:PREROUTING ACCEPT [46501:50619820]
:INPUT ACCEPT [3024:462594]
:FORWARD ACCEPT [43409:50146312]
:OUTPUT ACCEPT [3447:2309141]
:POSTROUTING ACCEPT [46801:52452593]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
[104:5784] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[104:5696] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Fri Jun 25 21:26:45 2021
# Generated by iptables-save v1.8.7 on Fri Jun 25 21:26:45 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_Adults_Zone_rule - [0:0]
:forwarding_Kids_Zone_rule - [0:0]
:forwarding_Wan_Zone_rule - [0:0]
:forwarding_rule - [0:0]
:input_Adults_Zone_rule - [0:0]
:input_Kids_Zone_rule - [0:0]
:input_Wan_Zone_rule - [0:0]
:input_rule - [0:0]
:output_Adults_Zone_rule - [0:0]
:output_Kids_Zone_rule - [0:0]
:output_Wan_Zone_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Adults_Zone_dest_ACCEPT - [0:0]
:zone_Adults_Zone_forward - [0:0]
:zone_Adults_Zone_input - [0:0]
:zone_Adults_Zone_output - [0:0]
:zone_Adults_Zone_src_ACCEPT - [0:0]
:zone_Kids_Zone_dest_ACCEPT - [0:0]
:zone_Kids_Zone_dest_REJECT - [0:0]
:zone_Kids_Zone_forward - [0:0]
:zone_Kids_Zone_input - [0:0]
:zone_Kids_Zone_output - [0:0]
:zone_Kids_Zone_src_ACCEPT - [0:0]
:zone_Wan_Zone_dest_ACCEPT - [0:0]
:zone_Wan_Zone_dest_REJECT - [0:0]
:zone_Wan_Zone_forward - [0:0]
:zone_Wan_Zone_input - [0:0]
:zone_Wan_Zone_output - [0:0]
:zone_Wan_Zone_src_REJECT - [0:0]
[213:25660] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2817:437174] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2403:392441] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[113:6636] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[310:29102] -A INPUT -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_input
[104:15631] -A INPUT -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_input
[43409:50146312] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[43195:50120030] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[101:11919] -A FORWARD -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_forward
[113:14363] -A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[213:25660] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3247:2287249] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2684:2112740] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[173:80247] -A OUTPUT -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_output
[236:21406] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_output
[154:72856] -A OUTPUT -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_output
[0:0] -A MINIUPNPD -d 192.168.1.10/32 -p tcp -m tcp --dport 53573 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.1.10/32 -p udp -m udp --dport 53573 -j ACCEPT
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[113:6636] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[173:80247] -A zone_Adults_Zone_dest_ACCEPT -o br-Adults_Lan -m comment --comment "!fw3" -j ACCEPT
[101:11919] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Custom Adults_Zone forwarding rule chain" -j forwarding_Adults_Zone_rule
[96:10253] -A zone_Adults_Zone_forward -s 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_out" -j zone_Kids_Zone_dest_ACCEPT
[101:11919] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Zone Adults_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Adults_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Adults_Zone_forward -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[310:29102] -A zone_Adults_Zone_input -m comment --comment "!fw3: Custom Adults_Zone input rule chain" -j input_Adults_Zone_rule
[0:0] -A zone_Adults_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[310:29102] -A zone_Adults_Zone_input -m comment --comment "!fw3" -j zone_Adults_Zone_src_ACCEPT
[173:80247] -A zone_Adults_Zone_output -m comment --comment "!fw3: Custom Adults_Zone output rule chain" -j output_Adults_Zone_rule
[173:80247] -A zone_Adults_Zone_output -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[310:29102] -A zone_Adults_Zone_src_ACCEPT -i br-Adults_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[154:72856] -A zone_Kids_Zone_dest_ACCEPT -o br-Kids_Lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Kids_Zone_dest_REJECT -o br-Kids_Lan -m comment --comment "!fw3" -j reject
[113:14363] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
[0:0] -A zone_Kids_Zone_forward -m time --timestart 22:30:00 --timestop 08:00:00 --kerneltz -m comment --comment "!fw3: kids block weekdays" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m time --timestart 06:00:00 --timestop 22:30:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
[113:14363] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Zone Kids_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Kids_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Kids_Zone_forward -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[104:15631] -A zone_Kids_Zone_input -m comment --comment "!fw3: Custom Kids_Zone input rule chain" -j input_Kids_Zone_rule
[0:0] -A zone_Kids_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[104:15631] -A zone_Kids_Zone_input -m comment --comment "!fw3" -j zone_Kids_Zone_src_ACCEPT
[154:72856] -A zone_Kids_Zone_output -m comment --comment "!fw3: Custom Kids_Zone output rule chain" -j output_Kids_Zone_rule
[154:72856] -A zone_Kids_Zone_output -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[104:15631] -A zone_Kids_Zone_src_ACCEPT -i br-Kids_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[55:2860] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[395:44828] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Wan_Zone_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3: Custom Wan_Zone forwarding rule chain" -j forwarding_Wan_Zone_rule
[0:0] -A zone_Wan_Zone_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Block open vpn 1194" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 1194 -m comment --comment "!fw3: Block open vpn 1194" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Block openvpn 443" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 443 -m comment --comment "!fw3: Block openvpn 443" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Wan_Zone_forward -j MINIUPNPD
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_input -m comment --comment "!fw3: Custom Wan_Zone input rule chain" -j input_Wan_Zone_rule
[0:0] -A zone_Wan_Zone_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -j MINIUPNPD
[0:0] -A zone_Wan_Zone_input -m comment --comment "!fw3" -j zone_Wan_Zone_src_REJECT
[236:21406] -A zone_Wan_Zone_output -m comment --comment "!fw3: Custom Wan_Zone output rule chain" -j output_Wan_Zone_rule
[236:21406] -A zone_Wan_Zone_output -m comment --comment "!fw3" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun 25 21:26:45 2021

As there don't seem to be any hits on the firewall, could you verify that the date/time/timezone on the router is correct? date
Can you try to start a new connection after 22:30 and verify if the rule counter will grow?
iptables-save -c | grep kerneltz
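
An added example, not part of any post in this thread: a small Python parser that reads an `iptables-save -c` dump, pulls out the `-m time` rules, and reports whether each rule's window was open at the moment the dump was taken, so a `[0:0]` counter can be judged against the capture time. It assumes the clock in the `# Generated by` header is the same local time that `--kerneltz` makes the kernel use (which is what the reply asks to verify with `date`), and it models only `--timestart`, `--timestop` and `--weekdays`; the function names are illustrative.

```python
import re
import shlex
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

# Sample input: header and three filter lines taken from the first dump in this thread.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.8.7 on Fri Jun 25 21:26:45 2021
*filter
[113:14363] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
[0:0] -A zone_Kids_Zone_forward -m time --timestart 22:30:00 --timestop 08:00:00 --kerneltz -m comment --comment "!fw3: kids block weekdays" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m time --timestart 06:00:00 --timestop 22:30:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
COMMIT
"""

HEADER_RE = re.compile(r"^# Generated by iptables-save v\S+ on (.+)$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.+)$")
TIME_FLAGS = ("--timestart", "--timestop", "--weekdays")


def _opt(args, flag, default=None):
    """Return the token following `flag`, or `default` if the flag is absent."""
    return args[args.index(flag) + 1] if flag in args else default


def _clock(text):
    return datetime.strptime(text, "%H:%M:%S").time()


def parse_time_rules(dump):
    """Return (capture_time, [rule dicts]) for every rule that uses the time match."""
    captured, rules = None, []
    for line in dump.splitlines():
        header = HEADER_RE.match(line)
        if header and captured is None:
            captured = datetime.strptime(header.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        args = shlex.split(rule.group(4))  # keeps the quoted comment as one token
        if not any(flag in args for flag in TIME_FLAGS):
            continue
        days = _opt(args, "--weekdays")
        rules.append({
            "name": _opt(args, "--comment", "").replace("!fw3: ", "", 1),
            "chain": rule.group(3),
            "packets": int(rule.group(1)),
            # Defaults when a bound is omitted: the whole day.
            "start": _clock(_opt(args, "--timestart", "00:00:00")),
            "stop": _clock(_opt(args, "--timestop", "23:59:59")),
            "weekdays": set(days.split(",")) if days else None,
            "kerneltz": "--kerneltz" in args,
        })
    return captured, rules


def window_active(rule, when):
    """True if `when` falls inside the rule's window (bounds inclusive).

    A window whose start is later than its stop wraps over midnight. The weekday
    is checked against the current day; --contiguous is not modelled because the
    rules in the thread do not use it.
    """
    if rule["weekdays"] and DAYS[when.weekday()] not in rule["weekdays"]:
        return False
    now, start, stop = when.time(), rule["start"], rule["stop"]
    if start <= stop:
        return start <= now <= stop
    return now >= start or now <= stop


def diagnose(dump):
    """Map rule name -> 'matched', 'active-no-hits' or 'inactive-at-capture'."""
    captured, rules = parse_time_rules(dump)
    result = {}
    for rule in rules:
        if rule["packets"] > 0:
            result[rule["name"]] = "matched"
        elif window_active(rule, captured):
            result[rule["name"]] = "active-no-hits"
        else:
            result[rule["name"]] = "inactive-at-capture"
    return result


if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_DUMP).items():
        print(f"{name}: {verdict}")
```

Only packets that open a new connection reach these rules, because the FORWARD chain in the dump accepts RELATED,ESTABLISHED traffic before it jumps to the zone chain; an `active-no-hits` verdict therefore needs a fresh connection attempt inside the window before it says anything about the time match.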

This is the output of the above command.
I have checked the time and country settings etc. and all is correct.

[0:0] -A zone_Kids_Zone_forward -m time --timestart 22:30:00 --timestop 06:00:00 --kerneltz -m comment --comment "!fw3: kids block weekdays" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m time --timestart 06:00:00 --timestop 23:30:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT

And the output of the first command at this time too:

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Adults_Lan'
        option name 'Adults_Zone'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'Wan Wan6'
        option name 'Wan_Zone'

config forwarding
        option src 'Adults_Zone'
        option dest 'Wan_Zone'

config rule
        option src 'Kids_Zone'
        option name 'kids block weekdays'
        option dest 'Wan_Zone'
        option start_time '22:30:00'
        option stop_time '06:00:00'
        list proto 'all'
        option target 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'Wan_Zone'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Wan_Zone'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'Adults_Zone'
        option src 'Wan_Zone'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Kids_Lan'
        option name 'Kids_Zone'

config forwarding
        option src 'Kids_Zone'
        option dest 'Wan_Zone'

config rule
        option name 'Mr_Sparkle_in'
        list dest_ip '192.168.1.10'
        option src 'Kids_Zone'
        option dest 'Adults_Zone'
        option weekdays 'Sun Mon Tue Wed Thu'
        list proto 'all'
        option target 'ACCEPT'
        option start_time '06:00:00'
        option stop_time '23:30:00'

config rule
        list proto 'all'
        option name 'Mr_Sparkle_out'
        list src_ip '192.168.1.10'
        option target 'ACCEPT'
        option src 'Adults_Zone'
        option dest 'Kids_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Adult_dns_53'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest 'Adults_Zone'
        option src 'Adults_Zone'

config redirect
        option target 'DNAT'
        option name 'Adblock_Kids_dns_53'
        option src_dport '53'
        option dest 'Kids_Zone'
        option dest_ip '192.168.2.1'
        option src 'Kids_Zone'

config rule
        option name 'Block open vpn 1194'
        option src 'Wan_Zone'
        option dest 'Kids_Zone'
        option dest_port '1194'
        option target 'REJECT'

config rule
        option name 'Block openvpn 443'
        option src 'Wan_Zone'
        option dest 'Kids_Zone'
        option dest_port '443'
        option target 'REJECT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

# Generated by iptables-save v1.8.7 on Sun Jun 27 12:09:11 2021
*nat
:PREROUTING ACCEPT [653:153480]
:INPUT ACCEPT [397:27405]
:OUTPUT ACCEPT [104:8596]
:POSTROUTING ACCEPT [87:7456]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_Adults_Zone_rule - [0:0]
:postrouting_Kids_Zone_rule - [0:0]
:postrouting_Wan_Zone_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_Adults_Zone_rule - [0:0]
:prerouting_Kids_Zone_rule - [0:0]
:prerouting_Wan_Zone_rule - [0:0]
:prerouting_rule - [0:0]
:zone_Adults_Zone_postrouting - [0:0]
:zone_Adults_Zone_prerouting - [0:0]
:zone_Kids_Zone_postrouting - [0:0]
:zone_Kids_Zone_prerouting - [0:0]
:zone_Wan_Zone_postrouting - [0:0]
:zone_Wan_Zone_prerouting - [0:0]
[910:170411] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[432:49620] -A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_prerouting
[6:568] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_prerouting
[472:120223] -A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_prerouting
[493:133853] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_postrouting
[406:126397] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_postrouting
[6:1960] -A POSTROUTING -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_postrouting
[0:0] -A MINIUPNPD -p tcp -m tcp --dport 49781 -j DNAT --to-destination 192.168.1.10:49781
[0:0] -A MINIUPNPD -p udp -m udp --dport 49781 -j DNAT --to-destination 192.168.1.10:49781
[0:0] -A MINIUPNPD-POSTROUTING -s 192.168.1.10/32 -p tcp -m tcp --sport 49781 -j MASQUERADE --to-ports 49781
[546:66277] -A MINIUPNPD-POSTROUTING -s 192.168.1.10/32 -p udp -m udp --sport 49781 -j MASQUERADE --to-ports 49781
[0:0] -A zone_Adults_Zone_postrouting -m comment --comment "!fw3: Custom Adults_Zone postrouting rule chain" -j postrouting_Adults_Zone_rule
[432:49620] -A zone_Adults_Zone_prerouting -m comment --comment "!fw3: Custom Adults_Zone prerouting rule chain" -j prerouting_Adults_Zone_rule
[0:0] -A zone_Adults_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j DNAT --to-destination 192.168.1.1:53
[19:1226] -A zone_Adults_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j DNAT --to-destination 192.168.1.1:53
[6:1960] -A zone_Kids_Zone_postrouting -m comment --comment "!fw3: Custom Kids_Zone postrouting rule chain" -j postrouting_Kids_Zone_rule
[472:120223] -A zone_Kids_Zone_prerouting -m comment --comment "!fw3: Custom Kids_Zone prerouting rule chain" -j prerouting_Kids_Zone_rule
[3:120] -A zone_Kids_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j DNAT --to-destination 192.168.2.1:53
[235:15585] -A zone_Kids_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j DNAT --to-destination 192.168.2.1:53
[406:126397] -A zone_Wan_Zone_postrouting -m comment --comment "!fw3: Custom Wan_Zone postrouting rule chain" -j postrouting_Wan_Zone_rule
[406:126397] -A zone_Wan_Zone_postrouting -j MINIUPNPD-POSTROUTING
[230:103766] -A zone_Wan_Zone_postrouting -m comment --comment "!fw3" -j MASQUERADE
[6:568] -A zone_Wan_Zone_prerouting -m comment --comment "!fw3: Custom Wan_Zone prerouting rule chain" -j prerouting_Wan_Zone_rule
[6:568] -A zone_Wan_Zone_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Jun 27 12:09:11 2021
# Generated by iptables-save v1.8.7 on Sun Jun 27 12:09:11 2021
*raw
:PREROUTING ACCEPT [109578:117602660]
:OUTPUT ACCEPT [2695:1237350]
:zone_Adults_Zone_helper - [0:0]
:zone_Kids_Zone_helper - [0:0]
[3632:494256] -A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3: Adults_Zone CT helper assignment" -j zone_Adults_Zone_helper
[20014:2027457] -A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3: Kids_Zone CT helper assignment" -j zone_Kids_Zone_helper
COMMIT
# Completed on Sun Jun 27 12:09:11 2021
# Generated by iptables-save v1.8.7 on Sun Jun 27 12:09:11 2021
*mangle
:PREROUTING ACCEPT [109578:117602660]
:INPUT ACCEPT [2381:300884]
:FORWARD ACCEPT [93847:99068009]
:OUTPUT ACCEPT [2696:1238718]
:POSTROUTING ACCEPT [96537:100306092]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
[211:12292] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[122:7100] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Sun Jun 27 12:09:11 2021
# Generated by iptables-save v1.8.7 on Sun Jun 27 12:09:11 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_Adults_Zone_rule - [0:0]
:forwarding_Kids_Zone_rule - [0:0]
:forwarding_Wan_Zone_rule - [0:0]
:forwarding_rule - [0:0]
:input_Adults_Zone_rule - [0:0]
:input_Kids_Zone_rule - [0:0]
:input_Wan_Zone_rule - [0:0]
:input_rule - [0:0]
:output_Adults_Zone_rule - [0:0]
:output_Kids_Zone_rule - [0:0]
:output_Wan_Zone_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Adults_Zone_dest_ACCEPT - [0:0]
:zone_Adults_Zone_forward - [0:0]
:zone_Adults_Zone_input - [0:0]
:zone_Adults_Zone_output - [0:0]
:zone_Adults_Zone_src_ACCEPT - [0:0]
:zone_Kids_Zone_dest_ACCEPT - [0:0]
:zone_Kids_Zone_dest_REJECT - [0:0]
:zone_Kids_Zone_forward - [0:0]
:zone_Kids_Zone_input - [0:0]
:zone_Kids_Zone_output - [0:0]
:zone_Kids_Zone_src_ACCEPT - [0:0]
:zone_Wan_Zone_dest_ACCEPT - [0:0]
:zone_Wan_Zone_dest_REJECT - [0:0]
:zone_Wan_Zone_forward - [0:0]
:zone_Wan_Zone_input - [0:0]
:zone_Wan_Zone_output - [0:0]
:zone_Wan_Zone_src_REJECT - [0:0]
[181:16938] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2204:284106] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1490:227681] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[132:7780] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[453:36286] -A INPUT -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_input
[261:20139] -A INPUT -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_input
[93847:99068009] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[93341:98889957] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[238:27340] -A FORWARD -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_forward
[268:150712] -A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[181:16938] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2522:1224876] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1963:994409] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[251:116139] -A OUTPUT -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_output
[79:7298] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_Wan_Zone_output
[229:107030] -A OUTPUT -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_output
[0:0] -A MINIUPNPD -d 192.168.1.10/32 -p tcp -m tcp --dport 49781 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.1.10/32 -p udp -m udp --dport 49781 -j ACCEPT
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[132:7780] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[251:116139] -A zone_Adults_Zone_dest_ACCEPT -o br-Adults_Lan -m comment --comment "!fw3" -j ACCEPT
[238:27340] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Custom Adults_Zone forwarding rule chain" -j forwarding_Adults_Zone_rule
[224:25119] -A zone_Adults_Zone_forward -s 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_out" -j zone_Kids_Zone_dest_ACCEPT
[238:27340] -A zone_Adults_Zone_forward -m comment --comment "!fw3: Zone Adults_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Adults_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Adults_Zone_forward -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[453:36286] -A zone_Adults_Zone_input -m comment --comment "!fw3: Custom Adults_Zone input rule chain" -j input_Adults_Zone_rule
[0:0] -A zone_Adults_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[453:36286] -A zone_Adults_Zone_input -m comment --comment "!fw3" -j zone_Adults_Zone_src_ACCEPT
[251:116139] -A zone_Adults_Zone_output -m comment --comment "!fw3: Custom Adults_Zone output rule chain" -j output_Adults_Zone_rule
[251:116139] -A zone_Adults_Zone_output -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
[453:36286] -A zone_Adults_Zone_src_ACCEPT -i br-Adults_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[229:107030] -A zone_Kids_Zone_dest_ACCEPT -o br-Kids_Lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Kids_Zone_dest_REJECT -o br-Kids_Lan -m comment --comment "!fw3" -j reject
[268:150712] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
[0:0] -A zone_Kids_Zone_forward -m time --timestart 22:30:00 --timestop 06:00:00 --kerneltz -m comment --comment "!fw3: kids block weekdays" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m time --timestart 06:00:00 --timestop 23:30:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
[268:150712] -A zone_Kids_Zone_forward -m comment --comment "!fw3: Zone Kids_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Kids_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Kids_Zone_forward -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[261:20139] -A zone_Kids_Zone_input -m comment --comment "!fw3: Custom Kids_Zone input rule chain" -j input_Kids_Zone_rule
[1:65] -A zone_Kids_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[260:20074] -A zone_Kids_Zone_input -m comment --comment "!fw3" -j zone_Kids_Zone_src_ACCEPT
[229:107030] -A zone_Kids_Zone_output -m comment --comment "!fw3: Custom Kids_Zone output rule chain" -j output_Kids_Zone_rule
[229:107030] -A zone_Kids_Zone_output -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
[260:20074] -A zone_Kids_Zone_src_ACCEPT -i br-Kids_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[6:635] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[579:184715] -A zone_Wan_Zone_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Wan_Zone_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3: Custom Wan_Zone forwarding rule chain" -j forwarding_Wan_Zone_rule
[0:0] -A zone_Wan_Zone_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_Adults_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_forward -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Block open vpn 1194" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 1194 -m comment --comment "!fw3: Block open vpn 1194" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Block openvpn 443" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -p udp -m udp --dport 443 -m comment --comment "!fw3: Block openvpn 443" -j zone_Kids_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Wan_Zone_forward -j MINIUPNPD
[0:0] -A zone_Wan_Zone_forward -m comment --comment "!fw3" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Wan_Zone_input -m comment --comment "!fw3: Custom Wan_Zone input rule chain" -j input_Wan_Zone_rule
[0:0] -A zone_Wan_Zone_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Wan_Zone_input -j MINIUPNPD
[0:0] -A zone_Wan_Zone_input -m comment --comment "!fw3" -j zone_Wan_Zone_src_REJECT
[79:7298] -A zone_Wan_Zone_output -m comment --comment "!fw3: Custom Wan_Zone output rule chain" -j output_Wan_Zone_rule
[79:7298] -A zone_Wan_Zone_output -m comment --comment "!fw3" -j zone_Wan_Zone_dest_ACCEPT
[0:0] -A zone_Wan_Zone_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Jun 27 12:09:11 2021

@vgaetera I think you had solved some similar issue in the past. Maybe you can provide some hint?

1 Like

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections

4 Likes
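Added example, not part of any post in this thread: a small reader for `iptables-save -c` output that, for each `-m time` rule, reports its packet counter, whether its window was open at the moment of the dump (including windows that wrap past midnight), and whether a `RELATED,ESTABLISHED` accept in `FORWARD` is evaluated before the jump into the rule's chain. The function names are hypothetical, the rule lines are copied from the dump above, and the dump header timestamp is assumed to be the router's local time, which is what `--kerneltz` rules are compared against.

```python
import re
from datetime import datetime

# Lines copied from the filter table of the iptables-save -c output in this thread.
DUMP = '''\
# Generated by iptables-save v1.8.7 on Sun Jun 27 12:09:11 2021
[93341:98889957] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[268:150712] -A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
[0:0] -A zone_Kids_Zone_forward -m time --timestart 22:30:00 --timestop 06:00:00 --kerneltz -m comment --comment "!fw3: kids block weekdays" -j zone_Wan_Zone_dest_REJECT
[0:0] -A zone_Kids_Zone_forward -d 192.168.1.10/32 -m time --timestart 06:00:00 --timestop 23:30:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
'''

RULE = re.compile(r'^\[(\d+):\d+\] -A (\S+) (.*)$')
DAYS = ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']  # datetime.weekday() order

def opt(spec, flag, default=None):
    # Return the argument that follows an iptables flag, or the default.
    m = re.search(re.escape(flag) + r' (\S+)', spec)
    return m.group(1) if m else default

def window_active(spec, now):
    """Evaluate a '-m time' match the way xt_time does without --contiguous."""
    days = opt(spec, '--weekdays')
    if days and DAYS[now.weekday()] not in days.split(','):
        return False
    t = now.strftime('%H:%M:%S')
    start, stop = opt(spec, '--timestart', '00:00:00'), opt(spec, '--timestop', '23:59:59')
    # start > stop means the window wraps past midnight
    return start <= t <= stop if start < stop else (t >= start or t <= stop)

def analyse(dump, now=None):
    """Report, per time-matched rule, its counter, window state and conntrack bypass."""
    rules = [(int(m.group(1)), m.group(2), m.group(3))
             for m in map(RULE.match, dump.splitlines()) if m]
    if now is None:  # assumption: the dump header is the router's local time
        stamp = re.search(r'^# Generated .* on (.+)$', dump, re.M).group(1)
        now = datetime.strptime(stamp, '%a %b %d %H:%M:%S %Y')
    forward = [spec for _, chain, spec in rules if chain == 'FORWARD']
    report = []
    for packets, chain, spec in rules:
        if '-m time ' not in spec:
            continue
        jump = next((i for i, s in enumerate(forward) if s.endswith('-j ' + chain)), len(forward))
        bypass = any('ESTABLISHED' in s and s.endswith('-j ACCEPT') for s in forward[:jump])
        label = re.search(r'"!fw3: ([^"]+)"', spec)
        report.append({'rule': label.group(1) if label else chain, 'packets': packets,
                       'window_active': window_active(spec, now), 'established_bypass': bypass})
    return report

if __name__ == '__main__':
    print(*analyse(DUMP), sep='\n')
```

For the dump above, taken at 12:09 on a Sunday, the 22:30 to 06:00 reject rule is outside its window, so its `[0:0]` counter by itself does not show whether the rule works; a dump taken inside the window is needed to judge that.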

It was working before; all I did was update to 21.02 from 19.07. I have not changed the order of the rules or anything; the config file is the same and it worked before.

I can run the script, but currently that rule is at the top of the list.

It says it relies on IPSET-DNS and I'm using DNS over HTTPS. I'm guessing using a different DNS forwarder is not going to be an issue (it did work before)?

That's part of the general requirements for time restrictions.

1 Like

Upon running the script I get these errors:
I don't know where it is getting the Lan zone from, as it is not a zone I have created,
and the other rules do have protocols associated, so I'm a bit confused why I get these errors.

Warning: Warning: ubus rule (ubus:https-dns-proxy[main] rule 1) refers to not existing zone 'lan'
Warning: Section @rule[12] (Block open vpn 1194) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[13] (Block openvpn 443) does not specify a protocol, assuming TCP+UDP
Warning: Warning: ubus redirect (ubus:https-dns-proxy[main] redirect 0) refers to not existing zone 'lan'
Warning: Section @redirect[0] (Adblock_Adult_dns_53) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] (Adblock_Kids_dns_53) does not specify a protocol, assuming TCP+UDP
Warning: Warning: ubus rule (ubus:https-dns-proxy[main] rule 1) refers to not existing zone 'lan'
Warning: Warning: ubus redirect (ubus:https-dns-proxy[main] redirect 0) refers to not existing zone 'lan'

The LAN zone is used by https-dns-proxy for automatic redirects.
If you want to apply DNS hijacking for other zones, disable the automatic redirect:

uci set https-dns-proxy.config.force_dns="0"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

And set up custom redirects for each zone you want to intercept DNS traffic:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

2 Likes
