I have created a traffic rule in the firewall to restrict 6 devices. If I do not set a time restriction it works to block these devices but if I set the time restriction the devices are still moving traffic? I have it set as protocol: any, source: lan, static IPs, destination: wan, action: reject, Advanced MAC addresses also entered, Time: not in UTC - configured for America NY. Any thoughts? Thanks!
I assume you've run into the situation of having to restart your firewall, so that the connections "established" and "related" between the two time zones are deleted...
I restarted the firewall & rebooted the router to make sure that the new settings were in place.
you can post the output of the commands executed on your router that you find in this post:
or you can opt with crontab by activating/deactivating the firewall rule see this as a starting point (with the problem of time synchronization on the router and any established/related connections):
"kernel": "6.6.86",
"hostname": "OpenWrt",
"system": "Pentium(R) Dual-Core CPU E5800 @ 3.20GHz",
"model": "HP-Pavilion NY428AA-ABA p6110f",
"board_name": "hp-pavilion-ny428aa-aba-p6110f",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "24.10.1",
"revision": "r28597-0425664679",
"target": "x86/64",
"description": "OpenWrt 24.10.1 r28597-0425664679",
"builddate": "1744562312"
}
}
Mon Jun 9 19:00:10 EDT 2025
Mon Jun 9 23:00:10 UTC 2025
-ash: iptables-save: not found
-ash: uci: not found
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].src='lan'
firewall.@rule[0].dest='wan'
firewall.@rule[0].name='Summer Break Block Internet'
firewall.@rule[0].target='REJECT'
firewall.@rule[0].start_time='23:00:00'
firewall.@rule[0].stop_time='07:00:00'
firewall.@rule[0].start_date='2025-06-01'
firewall.@rule[0].stop_date='2040-06-01'
firewall.@rule[0].src_mac='XX:XX:XX:XX:XX:XX' 'XX:XX:XX:XX:XX:XX' 'XX:XX:XX:XX:XX:XX' 'XX:XX:XX:XX:XX:XX' 'XX:XX:XX:XX:XX:XX' 'XX:XX:XX:XX:XX:XX'
firewall.@rule[0].proto='all'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='Wireguard'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='WireGuard' 'lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='Wireguard'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='Wireguard'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Wireguard'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='51820'
firewall.@redirect[0].dest_ip='192.168.10.1'
firewall.@redirect[0].dest_port='51820'
so from 7:00 to 23:00 on any day of the week these PCs (with the defined MACs) must be able to connect to the WAN; during the rest of the hours they must be prevented from connecting to the WAN ...
confirm ...
Yes, my buddy doesn't want his kids to be able to access the internet after a specified time at night. He had told me that it didn't work so I ended up remotely logging in and changing the hours to shut off from 17:30 to 18:00 earlier and he confirmed with me that the devices in question still had traffic.
in my opinion it is better to do this:
create a rule that allows traffic from these PCs (rule 0) without specifying any time limit (start_time + stop_time)
and a rule that does not allow traffic from these PCs (rule 1) without specifying any time limit (start_time + stop_time)
then you create a script that enables rule 0 of the firewall and restarts the firewall
and you create a script that disables rule 0 of the firewall and restarts the firewall
and you add it to crontab:
I assume it is already established and related traffic
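The two-rule design described in the reply above, written out as one script (an added example, not code from anyone in this thread). It assumes fw4 on OpenWrt 24.10, section names kids_allow and kids_block, the script installed at /root/kids-net.sh, and that cron fires in the router's local time zone; with DRY_RUN=1 (the default) it only prints the uci commands it would run.

```shell
#!/bin/sh
# Added example: the two-rule design as one script (assumed path /root/kids-net.sh).
# Section names kids_allow/kids_block are assumed; cron fires in the router's local time.
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = run them on the router
SCRIPT_DIR="${SCRIPT_DIR:-/root}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One-time setup: an ACCEPT rule and a REJECT rule for the same MACs, neither with
# start_time/stop_time. fw4 takes the first matching rule and kids_allow is created
# first, so it wins while enabled; disabling it leaves kids_block to reject the devices.
# Delete the old time-based rule first so it does not sit ahead of these two.
setup_rules() {
  [ $# -gt 0 ] || { echo "usage: setup_rules MAC [MAC...]" >&2; return 1; }
  for name in kids_allow kids_block; do
    run uci set "firewall.$name=rule"
    run uci set "firewall.$name.src=lan"
    run uci set "firewall.$name.dest=wan"
    run uci set "firewall.$name.proto=all"
    for mac in "$@"; do run uci add_list "firewall.$name.src_mac=$mac"; done
  done
  run uci set firewall.kids_allow.target=ACCEPT
  run uci set firewall.kids_block.target=REJECT
  run uci commit firewall
  run /etc/init.d/firewall restart
}

# Turn the allow rule on (1) or off (0) and restart the firewall so fw4 rebuilds the
# ruleset. Flows already established are not cut off; see the caveat in the reply above.
set_allow() {
  case "$1" in 0|1) ;; *) echo "usage: set_allow 0|1" >&2; return 1 ;; esac
  run uci set "firewall.kids_allow.enabled=$1"
  run uci commit firewall
  run /etc/init.d/firewall restart
}

# Lines for 'crontab -e' (router local time): allow at 07:00, block at 23:00, every day.
cron_lines() {
  printf '0 7 * * * DRY_RUN=0 %s/kids-net.sh 1\n' "$SCRIPT_DIR"
  printf '0 23 * * * DRY_RUN=0 %s/kids-net.sh 0\n' "$SCRIPT_DIR"
}

# "setup MAC..." once by hand, "1"/"0" from cron, "cron" prints the crontab lines.
case "${1:-}" in
  setup) shift; setup_rules "$@" ;;
  0|1) set_allow "$1" ;;
  cron) cron_lines ;;
esac
```

Run it once as `DRY_RUN=0 /root/kids-net.sh setup MAC1 MAC2 ...`, then paste the output of `/root/kids-net.sh cron` into `crontab -e`.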
If I remove the time restrictions it blocks it. Would it not make more sense to use just 1 rule and have a script disable or enable the rule at specified time periods?
traffic is allowed/not allowed based on the first rule that is processed
yes, you can do it like this, with the limitation of when the router has to synchronize its internal time (but it will be something outside the firewall)
I don't have much experience using cron jobs on here so maybe I should stick with your suggestion of 2 rules to try and follow along better.
There are several ways to approach this rule, but depending on how tech savvy and/or determined the kids are, they may be able to circumvent many of the options. That includes this current rule:
Have you and/or your buddy verified that the MACs are as expected, including during the "blackout" time? If MAC randomization is enabled on those devices and/or if the kids are changing the apparent MAC (easy to do on many OSs), the rule may not be matching and thus not effective.
A very similar approach to this method would be to set the rule using IP addresses rather than MAC addresses. This could solve the issue if the MACs are indeed properly static, but for some reason the rule isn't working on MACs. For this to be reliable (in general, although with awareness of how it may fail based on my comments above), be sure to assign the devices reserved IPs (via the dhcp server).
That said, another approach is to use a dedicated SSID and subnet for the kids' devices. Then, instead of the MAC list, you'll simply reject all traffic from that new network to the internet. This works as long as the kids can't get onto the other SSID, so there may be some logistics to deal with here.
And yet another way to do this would be to use wifi scheduler to disable an SSID that the kids are using... simply turning off their access.
Again, access to another SSID, or for that matter, cellular connectivity, negates all of this. So in addition to the technical measures discussed here, something may need to be done with respect to the on-device parental controls which may be a more effective route. It's also worth checking with your buddy to make sure that he can confirm that the kids are still actually using the internet via the OpenWrt router during the blocked time frame.
One other thing I'm seeing here...
If the tunnel that was added to the lan interface is a VPN service or other endpoint through which traffic can be routed to reach the internet, blocking the wan will not stop the internet. This seems a bit unlikely, though, unless it's a site-to-site or similar, since masquerading is not enabled here.
always great answers/opinions from you, thanks for your input.
I had initially also tried it with static IPs with the time restrictions still not working but I ended up removing the static IPs and relying only on MAC addresses because his kid's phone would not connect with a static IP.
I have both OpenVPN & Wireguard setup so that I can tunnel into his network to manage the router remotely and so his laptops out in the field can access his NAS.
To be clear, I'm referring to a DHCP reservation -- that is handled by the DHCP server -- based on the MAC address. This should work even if the kid's phone can't or doesn't work with manually set static IPs.
Ok... so that is unlikely to be the cause of an inadvertent route to the Internet.
Unfortunately the OpenWrt is not set up with wireless; he is using eero devices in bridge mode but the OpenWrt is handling all of the DHCP. He used to shut these off with an app for eero, but putting them into bridge mode disables that feature.
I set up the OpenWrt as his primary router from the ONT, and he has 3 eero devices piggybacked off of that in the house and 2 ASUS routers in the pole barn in access point mode.