Time limit network by MAC address

Hello
I'm trying to follow the web interface instructions reported HERE to limit network access time by MAC address, but with my configuration (on 21.02-RC4) nothing happens; I've set up the rule on both (B) and (C). The config is this:
A - Internet provider router (wifi turned off) @ip 192.168.1.1
B - GL.iNet GL-B1300 @ip 192.168.2.1 wan port is connected via cable to the provider's router lan port
C - Netgear Extender EX6150v2 @ip 192.168.2.10 connected via cable to B

This is the rule:

  1. Navigate to LuCI → Network → Firewall → Traffic Rules.
  2. Click Add and specify:
  • Name: Filter-Parental-Controls
  • Protocol: Any
  • Source zone: lan
  • Destination zone: wan
  • Action: reject
  3. On the Advanced Settings tab specify:
  • Source MAC address: 00:11:22:33:44:55
  4. On the Time Restrictions tab specify:
  • Week Days: Monday, Tuesday, Wednesday, Thursday, Friday
  • Start Time: 21:30:00
  • Stop Time: 07:00:00
  5. Click Save, then Save & Apply.

Can someone help me with that? Is there something wrong? I'm not an expert...
Thanks in advance

Is this the actual MAC address you've used?

Try to reorder the firewall rules following this guide.

2 Likes

No, it's a dummy.

Sorry, just to avoid messing things up: is the first part a script, or should it be run directly on the command line? The uci commands, I think, should go on the command line.
Btw, it's my only time-related rule; why should I need to reorder all the fw rules to apply one?
And thanks for supporting.
Regards

p.s.
Also the time specified does not work at all: I specified 21:30 - 09:15 but it simply blocked all the MACs forever...

Post here the following:
uci export firewall; iptables-save -t filter -c

1 Like

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'time_limit'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list src_mac 'xx'
	list src_mac 'xx'
	list src_mac 'xx'
	list src_mac 'xx'
	option start_time '21:35:00'
	option stop_time '09:15:00'
	option utc_time '1'

# Generated by iptables-save v1.8.7 on Thu Sep  2 10:17:09 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[124:12910] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[275:33933] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[261:32766] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7:420] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[14:1167] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[129:22534] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[129:22534] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[124:12910] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[259:76163] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[250:75452] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[9:711] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[7:420] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[138:23245] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[129:22534] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[2:92] -A zone_lan_forward -p tcp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx -m time --timestart 21:35:00 --timestop 09:15:00 -m comment --comment "!fw3: time_limit" -j zone_wan_dest_REJECT
[129:22534] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[129:22534] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[14:1167] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[14:1167] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[9:711] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[9:711] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[14:1167] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Sep  2 10:17:09 2021

That's it, I've edited the MAC address to 'xx'.
Thanks for helping on this.

A couple of remarks. The time is defined as UTC, while you are in CEST, which is UTC+2. This means the rules will work until 11:15 CEST.
You didn't apply the fix to block established connections.

2 Likes

If I remember correctly, there's an issue with rules passing midnight?

You need(ed) to create one rule for XX:YY - 11:59, and another one for 00:00 - AA:ZZ.

1 Like
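As an added example (not code from the thread and not OpenWrt or fw3 code), the following POSIX shell planner takes the rule from the first post (source zone lan, destination zone wan, reject, one source MAC, a weekday window) and prints the uci commands that would create it, applying the two corrections made in the replies above: the times are shifted from local time to UTC, because with utc_time='1' fw3 compares them in UTC (which is why the posted 09:15 stop ran until 11:15 CEST), and a window that crosses midnight is split into an evening rule and a morning rule. It goes one step beyond the thread by also moving the weekdays of the morning rule to the following day, since the time match checks the weekday of the packet's own timestamp. The MAC address, the +2 hour offset and the time_limit_N rule names are assumptions; nothing is applied, the output is only printed for review.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenWrt code): plan the uci
# commands for a per-MAC time-limit rule and print them for review.
#  - fw3 compares start_time/stop_time in UTC when utc_time='1', so the
#    local window is shifted by the zone offset (hours east of UTC) first;
#  - a window that crosses midnight becomes two rules, and the morning
#    rule's weekdays move one day forward, because the time match checks
#    the weekday of the packet's own timestamp.
# Assumed values: MAC 00:11:22:33:44:55, offset 2 (CEST), names time_limit_N.

# secs HH:MM:SS -> seconds since midnight (fields must be two digits)
secs() {
    h=${1%%:*}; r=${1#*:}; m=${r%%:*}; s=${r#*:}
    echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# to_utc HH:MM:SS OFFSET -> the same instant as UTC time of day
to_utc() {
    h=${1%%:*}; r=${1#*:}; h=${h#0}
    printf '%02d:%s\n' "$(( (h - $2 + 24) % 24 ))" "$r"
}

# day_shift HH:MM:SS OFFSET -> -1, 0 or 1: does that local time, expressed
# in UTC, fall on the previous, same or next calendar day?
day_shift() {
    h=${1%%:*}; h=${h#0}; u=$(( h - $2 ))
    if [ "$u" -lt 0 ]; then d=-1; elif [ "$u" -ge 24 ]; then d=1; else d=0; fi
    printf '%s\n' "$d"
}

# split_window START STOP -> one "START STOP" line per rule needed
split_window() {
    if [ "$(secs "$1")" -lt "$(secs "$2")" ]; then
        echo "$1 $2"
    else
        echo "$1 23:59:59"
        echo "00:00:00 $2"
    fi
}

# shift_days "Mon Tue" N -> the same weekdays moved N days (N may be negative)
shift_days() {
    days=$1; n=$2; out=""
    for d in $days; do
        case $d in
            Mon) i=0;; Tue) i=1;; Wed) i=2;; Thu) i=3;;
            Fri) i=4;; Sat) i=5;; Sun) i=6;;
            *) echo "bad weekday: $d" >&2; return 1;;
        esac
        set -- Mon Tue Wed Thu Fri Sat Sun
        shift $(( (i + n + 7) % 7 ))
        out="$out${out:+ }$1"
    done
    echo "$out"
}

# plan_rules NAME MAC START_LOCAL STOP_LOCAL OFFSET "WEEKDAYS" -> uci commands
plan_rules() {
    name=$1; mac=$2; off=$5
    start=$(to_utc "$3" "$off"); stop=$(to_utc "$4" "$off")
    days=$(shift_days "$6" "$(day_shift "$3" "$off")") || return 1
    n=0
    split_window "$start" "$stop" | while read -r s e; do
        n=$(( n + 1 )); r="firewall.${name}_$n"
        # the second rule is the after-midnight half: next calendar day
        if [ "$n" -eq 2 ]; then days=$(shift_days "$days" 1); fi
        printf 'uci set %s=rule\n' "$r"
        for kv in "name=${name}_$n" src=lan dest=wan proto=all target=REJECT \
                  "start_time=$s" "stop_time=$e" utc_time=1; do
            printf "uci set %s.%s='%s'\n" "$r" "${kv%%=*}" "${kv#*=}"
        done
        if [ -n "$days" ]; then printf "uci set %s.weekdays='%s'\n" "$r" "$days"; fi
        printf "uci add_list %s.src_mac='%s'\n" "$r" "$mac"
    done
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Prints the plan for the thread's window, 21:30-07:00 CEST on weekdays;
# paste it on the router only after reading it.
plan_rules time_limit 00:11:22:33:44:55 21:30:00 07:00:00 2 'Mon Tue Wed Thu Fri'
```

For the thread's window this yields a first rule 19:30:00-23:59:59 on Mon-Fri and a second rule 00:00:00-05:00:00 on Tue-Sat, both in UTC. If the local start time itself lands on a different UTC day (for example 01:00 CEST is 23:00 UTC of the previous day), the weekday list of the first rule is shifted as well, which is the case the evening-only thread example does not exercise.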

Yes, because I've asked if they are all shell commands or it is a script. I mean, can I enter every line of the fix by hand?
Btw, if I simply restart the firewall, are established connections then blocked according to the rule?
And yes, it seems to be at least partially UTC related, because it seems to be working now; I will wait for tonight to test the "deny" part.
Thanks

I will try, thanks

That one!

Restarting the firewall doesn't change the state of a packet. I don't recall if the connection tracking is also cleared, but I guess it should be.

You don't need to wait. Add a rule with the current time.

Ok, I entered the fix and changed the start time of the current rule to act now, but it connected even though the rule denied it. It is too complicated for me, I don't have time for this, I give up, it isn't working.

Can someone give advice on how to remove the "fix" that is not working at all? I have made modifications that will surely *uck things up as always. I have this firewall.estab file in /etc now, can I delete this useless thing?

rm /etc/firewall.estab; uci -q delete firewall.estab; uci commit firewall; /etc/init.d/firewall restart
Also remove the /etc/firewall.estab line from /etc/sysupgrade.conf

1 Like
