Unable to get Parental Controls to work

Hope that someone can point me in the right direction as to where I'm going wrong. I'm attempting to setup parental controls to schedule device access based on MAC address.
I've followed the guide here https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls
Yet the device still has access. It even has access if I switch WiFi off on it and initiate a new connection during the period it is supposed to be blocked.

Here is some of the config, if I need to provide something additional please just ask.

root@LEDE:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:18:0A:84:D3:43
          inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::218:aff:fe84:d343/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:228165 errors:0 dropped:0 overruns:0 frame:0
          TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32248977 (30.7 MiB)  TX bytes:62988 (61.5 KiB)

eth0      Link encap:Ethernet  HWaddr 00:18:0A:84:D3:43
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18073616 errors:0 dropped:37 overruns:0 frame:0
          TX packets:7533323 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1735403007 (1.6 GiB)  TX bytes:985793742 (940.1 MiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:918 errors:0 dropped:0 overruns:0 frame:0
          TX packets:918 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:61201 (59.7 KiB)  TX bytes:61201 (59.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:18:0A:84:D3:44
          inet6 addr: fe80::218:aff:fe84:d344/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3826811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13187859 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:470649179 (448.8 MiB)  TX bytes:17939407625 (16.7 GiB)

wlan1     Link encap:Ethernet  HWaddr 00:18:0A:84:D3:45
          inet6 addr: fe80::218:aff:fe84:d345/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3730264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5210536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:523460149 (499.2 MiB)  TX bytes:5828171420 (5.4 GiB)

root@LEDE:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd84:70db:91fc::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.3'
        option gateway '10.0.0.2'
        option dns '10.0.0.2'

root@LEDE:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wifi'
        option network 'wifi'

config forwarding
        option dest 'lan'
        option src 'wifi'

config forwarding
        option dest 'wan'
        option src 'wifi'

config forwarding
        option dest 'wifi'
        option src 'lan'

# NOTE(review): this rule has no match criteria besides the two zones, so it
# accepts all forwarded lan -> wan traffic. iptables stops at the first
# matching rule, and fw3 appears to emit rules in file order, so the scheduled
# REJECT at the end of this file would never be reached while this rule (and
# the unnamed copy after it) precedes it. Verify the generated order with
# `iptables -S zone_lan_forward`.
config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'Device Control'

# NOTE(review): unnamed duplicate of the 'Device Control' rule above.
config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'

# Scheduled block for a single client, identified by its source MAC address.
# NOTE(review): /etc/config/network in this post defines only 'loopback' and
# 'lan', so the 'wan' zone has no interface behind it and a lan -> wan rule has
# nothing to match. The FORWARD listing in this post also shows 0 packets on
# every rule, which suggests client traffic is bridged through br-lan rather
# than routed by this device. Confirm before relying on this rule.
# NOTE(review): src_mac matches an address the client itself controls; a
# changed or randomised MAC will not match this rule.
# NOTE(review): the 21:00-07:00 window wraps past midnight. Check how the
# weekday list is applied to the after-midnight part of the window.
config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '21:00:00'
        option stop_time '07:00:00'
        option name 'Restrict Devices - Schedule'
        option src_mac 'C4:9D:ED:0B:3A:A6'

Here are the contents of the file /etc/cronfw.sh. After running the file, it does appear to re-order the firewall rules as expected.

root@LEDE:~# cat /etc/cronfw.sh
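#!/bin/sh
# Re-order the FORWARD chain so that the "accept ESTABLISHED,RELATED" rule sits
# immediately before the final reject rule. iptables evaluates a chain top-down,
# so rules placed earlier (for example a time-restricted REJECT) are then also
# checked for packets that belong to connections which are already open.
#
# Rule numbers are scraped from the iptables listing, so each one is validated
# before use: with an empty value `iptables -I FORWARD` would insert at the top
# of the chain, and a multi-line value would be passed as several arguments.

# List the FORWARD chain with rule numbers (-n: numeric output, no DNS lookups).
list_forward() {
    iptables -n -v -L FORWARD --line-numbers
}

# Succeed only if $1 is one non-empty run of digits (a newline counts as a
# non-digit, so a multi-line match is refused as well).
is_rule_num() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rule number of the first ESTABLISHED rule in FORWARD, if any.
first_established() {
    list_forward | grep ESTABLISHED | cut -d ' ' -f 1 | sed -n 1p
}

# Insert rule for forwarding established connection traffic, just before the final rule (reject)
new_rule_num=$(list_forward | grep reject | cut -d ' ' -f 1)
if ! is_rule_num "$new_rule_num"; then
    echo "cronfw: expected exactly one 'reject' rule in FORWARD, chain left unchanged" >&2
    exit 1
fi
iptables -I FORWARD "$new_rule_num" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || exit 1

# Delete the earlier ESTABLISHED rules, first one first, until only the last one
# in the chain remains. This covers both the original rule and any duplicates
# (these seem to be caused when restarting the firewall). Nothing is deleted
# when only the freshly inserted rule exists, so the chain is never left
# without an ESTABLISHED accept rule.
est_count=$(list_forward | grep -c ESTABLISHED)
while [ "$est_count" -gt 1 ]; do
    old_rule_num=$(first_established)
    is_rule_num "$old_rule_num" || break
    # Stop rather than loop forever if the delete itself fails.
    iptables -D FORWARD "$old_rule_num" || break
    est_count=$(list_forward | grep -c ESTABLISHED)
done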

Order of the firewall rules

root@LEDE:~# iptables -v -L FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
2        0     0 zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
3        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
4        0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */
root@LEDE:~#

guide has

option enable '1'

you have

option enabled '1'

No idea if that will affect things.... ( edit: guide might be dated, just tested and gui does input and apply as "enabled" )

May have something to do with the "Time in UTC" checkbox.... What do you have in SYSTEM > TIME

Thanks for the reply wulfy.
I did notice that too, but I originally created the firewall rule via LuCI. So the 'enabled' field wasn't manually entered into the file. The GUI created it.
SYSTEM > TIME indicates Fri Jun 28 17:01:05 2019
I'm in the UK so on UTC +1. So even one hour after the schedule is supposed to have started (to allow for the time difference) the device still has access.

To expedite things

Just change the time in your rule to 2 minutes from now and execute the /etc/cronfw.sh manually when that time has passed then test.

Hi I use Gargoyle for stuff like this. It's built on top of OpenWrt.
https://www.gargoyle-router.com/index.php

Check that the device you're trying to block is not randomly changing its MAC address.

I have changed the schedule to run everyday, start at 18:00 and end at 17:00.
Restarted firewall and still have access.
I can confirm that the device is not changing its MAC address.

The gargoyle interface looks OK, but unless I'm missing something does it offer something that LuCI does not?

Yes lots of things.
Gargoyle is a tremendously flexible tool, and every situation is a little different - however sometimes an example is a good place to start.
https://www.gargoyle-router.com/wiki/doku.php?id=common_scenarios
All the tools you would use to keep kids off the net or bad websites are already set up for you in the web interface.

tapper, I'm a bit wary of trying Gargoyle as the list of supported routers seems a bit sparse.
The documentation to add it as a package in an existing WRT installation doesn't seem complete either.
My device is a Meraki MR-18 with a Atheros/Qualcomm QCA9557-AT4A CPU.
But think i will try to figure out what's going wrong with what I've got. I did not have any spare time to look at this at the weekend.
Think i need to reset the device and start again. That would probably be the best course of action at the moment. There's not much config been done so far. One SSID in bridged mode.
Probably quicker to start over from scratch, rather than troubleshoot this config.

I have decided to reset and start again, so I upgraded to latest version and reset the device.
The only config I made is to create a WiFi network & associate it with the radios.
Then I created the firewall rule as per the guide (using cli) and the cronfw.sh, verified the file re-orders the rule set when executed.
Still cannot restrict the device.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd43:1271:2bed::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.3'
        option gateway '10.0.0.2'
        option dns '10.0.0.2'

Firewall

root@OpenWrt:~# cat /etc/config/firewall

# Scheduled block for a single client, identified by its source MAC address;
# this is the first section in the file.
# NOTE(review): this rule uses `option enable`, while the rule LuCI generated
# earlier in this thread uses `option enabled`. If `enable` is not a recognised
# option it is presumably ignored. Confirm which spelling fw3 reads.
# NOTE(review): /etc/config/network in this post defines only 'loopback' and
# 'lan', so the 'wan' zone has no interface behind it and a lan -> wan rule has
# nothing to match on a bridged access point. Confirm that client traffic
# actually traverses the FORWARD chain.
# NOTE(review): src_mac matches an address the client itself controls; a
# changed or randomised MAC will not match this rule.
# NOTE(review): the 18:00-07:00 window wraps past midnight. Check how the
# weekday list is applied to the after-midnight part of the window.
config rule
        option src 'lan'
        option src_mac '2C:59:8A:72:6A:61'
        option stop_time '07:00:00'
        option weekdays 'Mon Tue Wed Thu Fri'
        option target 'REJECT'
        option name 'Restrict Weekdays'
        option enable '1'
        option dest 'wan'
        option start_time '18:00:00'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

This device is a single ethernet port, Wireless Access Point.
No WAN port is defined. The firewall zone settings in LuCI indicate that the 'WAN' zone is empty - when I hover over it.
Is this part of the issue?
The network output above is the complete config.