Hope that someone can point me in the right direction as to where I'm going wrong. I'm attempting to set up parental controls to schedule device access based on MAC address.
I've followed the guide here https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls
Yet the device still has access. It even has access if I switch WiFi off on it and initiate a new connection during the period it is supposed to be blocked.
Here is some of the config, if I need to provide something additional please just ask.
root@LEDE:~# ifconfig
br-lan Link encap:Ethernet HWaddr 00:18:0A:84:D3:43
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:aff:fe84:d343/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:228165 errors:0 dropped:0 overruns:0 frame:0
TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:32248977 (30.7 MiB) TX bytes:62988 (61.5 KiB)
eth0 Link encap:Ethernet HWaddr 00:18:0A:84:D3:43
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18073616 errors:0 dropped:37 overruns:0 frame:0
TX packets:7533323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1735403007 (1.6 GiB) TX bytes:985793742 (940.1 MiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:918 errors:0 dropped:0 overruns:0 frame:0
TX packets:918 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:61201 (59.7 KiB) TX bytes:61201 (59.7 KiB)
wlan0 Link encap:Ethernet HWaddr 00:18:0A:84:D3:44
inet6 addr: fe80::218:aff:fe84:d344/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3826811 errors:0 dropped:0 overruns:0 frame:0
TX packets:13187859 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:470649179 (448.8 MiB) TX bytes:17939407625 (16.7 GiB)
wlan1 Link encap:Ethernet HWaddr 00:18:0A:84:D3:45
inet6 addr: fe80::218:aff:fe84:d345/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3730264 errors:0 dropped:0 overruns:0 frame:0
TX packets:5210536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:523460149 (499.2 MiB) TX bytes:5828171420 (5.4 GiB)
root@LEDE:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd84:70db:91fc::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.0.3'
option gateway '10.0.0.2'
option dns '10.0.0.2'
root@LEDE:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option name 'wifi'
option network 'wifi'
config forwarding
option dest 'lan'
option src 'wifi'
config forwarding
option dest 'wan'
option src 'wifi'
config forwarding
option dest 'wifi'
option src 'lan'
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option name 'Device Control'
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
config rule
option enabled '1'
option src 'lan'
option dest 'wan'
option target 'REJECT'
option weekdays 'Mon Tue Wed Thu Fri'
option start_time '21:00:00'
option stop_time '07:00:00'
option name 'Restrict Devices - Schedule'
option src_mac 'C4:9D:ED:0B:3A:A6'
Here are the contents of the file /etc/cronfw.sh. After running it, the firewall rules do appear to be re-ordered as expected.
root@LEDE:~# cat /etc/cronfw.sh
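#!/bin/sh
# cronfw.sh - run from cron after each fw3 reload.
#
# fw3 places its "ctstate RELATED,ESTABLISHED -> ACCEPT" rule at the top of
# the FORWARD chain, so a scheduled REJECT rule in zone_lan_forward never sees
# packets of a connection that was already open when the block window began.
# This script moves that ACCEPT rule to just before the final "reject" rule so
# the per-zone rules are evaluated first, then removes the original copy and
# any duplicates left behind by firewall restarts. Safe to re-run.
#
# NOTE(review): only routed traffic traverses FORWARD. Frames switched between
# ports of the same bridge (br-lan) are not seen here unless the kernel's
# bridge netfilter (br_netfilter) is enabled -- confirm that this box actually
# routes the client's traffic rather than bridging it to the upstream gateway.
#
# Exit status: 0 on success, 1 if the chain does not look as expected or an
# iptables call fails. All diagnostics go to stderr. POSIX sh (busybox ash).

# Print the line number of the first FORWARD rule whose listing contains the
# fixed string $1; prints nothing when there is no match.
forward_rule_num() {
  iptables -v -L FORWARD --line-numbers \
    | grep -F -- "$1" \
    | awk 'NR == 1 { print $1 }'
}

# Print how many FORWARD rules have a listing containing the fixed string $1.
forward_rule_count() {
  iptables -v -L FORWARD --line-numbers | grep -c -F -- "$1"
}

# 1. Insert the ESTABLISHED,RELATED accept just before the final reject rule.
#    With an empty position "iptables -I FORWARD" inserts at the top, which
#    would put the rule straight back where it bypasses the scheduled REJECT,
#    so abort instead of silently doing the wrong thing.
reject_num=$(forward_rule_num reject)
if [ -z "$reject_num" ]; then
  printf 'cronfw: no "reject" rule found in FORWARD; chain left unchanged\n' >&2
  exit 1
fi
iptables -I FORWARD "$reject_num" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || exit 1

# 2. Remove the original top-of-chain copy and any duplicates (restarting the
#    firewall seems to leave extra ESTABLISHED rules). The rule just inserted
#    sits immediately before reject, below any earlier copies, so deleting the
#    first match each time keeps it. Looping only while more than one remains
#    also makes the script a no-op on a chain that had no ESTABLISHED rule at
#    all, instead of deleting the one just inserted.
while [ "$(forward_rule_count ESTABLISHED)" -gt 1 ]; do
  old_num=$(forward_rule_num ESTABLISHED)
  if [ -z "$old_num" ]; then
    printf 'cronfw: could not locate ESTABLISHED rule to delete\n' >&2
    exit 1
  fi
  iptables -D FORWARD "$old_num" || exit 1
done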
Order of the firewall rules
root@LEDE:~# iptables -v -L FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 forwarding_rule all -- any any anywhere anywhere /* !fw3: user chain for forwarding */
2 0 0 zone_lan_forward all -- br-lan any anywhere anywhere /* !fw3 */
3 0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
4 0 0 reject all -- any any anywhere anywhere /* !fw3 */
root@LEDE:~#