Block internet from all but one user

I set a firewall rule to block internet access past midnight so we can get to sleep and not be sucked into watching youtube way past our bedtimes.
My daughter needed to work late one night, so I put her address in the source box, with a ! in the box to the left. She still got blocked at midnight. What did I do wrong?
I attached a screenshot of the firewall rule.

Try this one:
chain = forward, action = accept, src address =

Thank you. I’ll try that. I’m still curious why my way did not work.

Is that address reserved for them? Did it pull a new address from DHCP before midnight?
What does the rest of the rule say? Might be some other matcher.
Use /export (or /ip firewall filter export) to get the exact config of the rule to post; you've given us only one config option of the rule, so it's hard to say what it could have been.

It’s a static address on the laptop. Here’s the export:

# jul/11/2021 21:35:19 by RouterOS 6.48.3
# software id = NQN0-H282
#
# model = 951Ui-2HnD
# serial number = 815508339205
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP (changed to drop ping for security)" protocol=icmp
# inactive time
add action=drop chain=forward comment="no internet midnight to 5" src-address=!192.168.1.46 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Nintendo DS" src-address=192.168.1.50
# inactive time
add action=drop chain=forward comment=xbox src-address=192.168.1.45 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=xbox src-address=192.168.1.48 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="green dell" src-address=192.168.1.51 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="green dell ethernet" src-address=192.168.1.254
# inactive time
add action=drop chain=forward comment="Nana's" src-address=192.168.1.57 time=22h30m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="new Nana's" src-address=192.168.1.44 time=22h30m-10h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 in-interface-list=WAN
add action=drop chain=forward comment=TS disabled=yes src-address=192.168.1.49 time=23h30m-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Elana phone 116" disabled=yes src-address=192.168.1.116
add action=drop chain=forward comment=Sony disabled=yes src-address=192.168.1.63 time=22h15m-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="block amazon prime" dst-address=13.226.241.124

Thank you.

One thing to keep in mind: once a connection is fasttracked, it (mostly) bypasses the firewall filter and the drop rules won't break it. Only new connections won't be able to establish. If you want to break existing connections, then either disable fasttrack (not a very good idea from a performance point of view) or move (modified) drop rules to /ip firewall raw.

BTW, time rules running over midnight might be problematic. It seems they actually didn't work in some older ROS versions, and they are slightly dubious anyway. For example: if a rule had time=23h-5h,sun … when does it start and when does it end? To which time does the day apply: start time, end time or both? Is it active between 23h Sunday and 5h Monday (a grand total of 6 hours)? Or is it active between 23h Sunday and 5h (next) Sunday (almost a week)? Or is it between 23h Saturday and 5h Sunday?
So you might want to change the start time to 0h1m (4 minutes later than your current rule), which should make the rule less dubious.

You have lost self-control if you need a firewall rule to stop you from doing something.
Try to stop using the phone "just to go to the bathroom".
You gain in quality of life.

@rextended: I think your last answer was unneeded. The OP asked for help with a technical issue while you're telling him how to live his personal life (and that's none of any forum member's business). It wasn't the first time your answers were way out of scope. If I were @hillelana, I'd report your post as offensive.

The OP is the first to give personal details of his (her?) life.
And I gave my point of view and advice on his problem.
Offences are another thing.
Report it yourself instead of writing "If I were @hillelana, I'd report your post as offensive".
"If I were" is just a means of trying to condition another person.
You go off-topic more than me, and you force me to reply.
If you hadn't written anything and had reported me to the moderator, wouldn't that have been better?

Do not think that this prejudices the opinion I have of you, or that he does things "out of spite".
It's all as if you hadn't written anything.

If I were to have been offensive, I apologize, it was certainly not what I wanted to do.

rextended is right in that MT is not a parent and should not be a substitute for parenting. Kid control = lazy parenting.
The OP, with a self-admitted adult addiction, needs counselling, and the kids need discipline. :slight_smile:
As noted, these are personal items brought up by the OP, and the responses are out of concern to help. :slight_smile:
Think of it as an added bonus provided by this site. Heck, for all we know this was a cry for help!

Similarly, when someone comes here and states they need to block x, y, z because of abuse by employees, the answer is not router settings,
it's a verbal warning, then a written warning and then FIRED!

So we have different attitudes towards this forum. Personally, I try to offer technical support for whatever the poster asks, and I generally don't suggest a completely different approach to solving the problem, unless it's a different approach that is still technical by means of using a (preferably MT) device. If the OP came to ask how to solve his life challenge using the ROS firewall, I don't think we're in a position to suggest that he change his lifestyle.

You two seem to think differently.

And I didn’t report post by @rextended because it was not me who might feel offended and it’s not me to decide whether it is offensive towards OP or not. That’s why I wrote “if I were” …

Over & out.

@mkx thanks: I felt that you are a good person who tries to understand how others think.

Opinions are free, and the OP can discard or utilize whatever information/advice is provided. I respect your willingness to go to the ends of the earth regarding technical advice and to remain neutral and avoid the non-technical (aka you have better self-control than myself :slight_smile: )

I apologize for throwing in the joke that got us all distracted. Also, this doesn't show my bad parenting skills, because it was mainly not for my kids, but for my wife. (Oh, no! Another joke - maybe.)
Meanwhile, despite fasttrack and being around midnight, the rule blocks connections quite fine. I'm just wondering why the !192.168.1.46 didn't let that laptop be an exception and get internet.
Thank you for your suggestions.

Read next post.

Before you monkey with (leopard with) just the fw rules, it's best to see the entire config, as many items have relationships.
/export hide-sensitive file=anynameyouwish

@anav obviously all the effort on the duplicate post was only to point that functionality out to you, in case you hadn't already noticed it.

For my 2 cents, what struck me is that you are only allowing traffic outbound from your daughter's source IP. But I'm not seeing a rule allowing return traffic to get back to her.

I think what I would do is a separate rule to accept her source IP, followed by the drop rule, but condition the drop rule to apply only to your internal IP range, i.e. 192.168.1.0/24.

What is not dropped is accepted by default.
There is no rule to drop LAN traffic after the rule with "!IP", except for specific IPs,

and this rule drops all unwanted (not NATed, not initiated) traffic from WAN, not LAN:

add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 in-interface-list=WAN

But the first rule is "don't forward anything that isn't from source 192.168.1.46", and it sits before the rule you mentioned. And rule order matters…
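As an added example (not posted by anyone in the thread, and not the OP's config), this is what the suggestion above looks like in RouterOS syntax: the original negated-source drop rule for comparison, and a corrected version that limits the drop to traffic originating from the LAN subnet, keeps the exemption in an address list, and starts the window just after midnight as suggested earlier. The reason the original rule also blocks the exempt laptop is that it sits above the "defconf: accept established,related" rule and matches on "source is NOT 192.168.1.46": a reply packet from the internet has the remote server as its source, so it matches and is dropped. The address-list name `night-exempt`, the new comments and placing the rule just before the fasttrack rule are assumptions; the subnet 192.168.1.0/24 and the address 192.168.1.46 are taken from the OP's export.

```routeros
# Added example, not from the original thread. Assumes the LAN subnet is
# 192.168.1.0/24 and the laptop keeps the static address 192.168.1.46
# (both taken from the OP's export); the list name is an assumption.

# Exemptions live in an address list so more devices can be added later
# without touching the filter rule.
/ip firewall address-list
add list=night-exempt address=192.168.1.46 comment="daughter's laptop"

/ip firewall filter
# Original rule, kept here only for comparison (commented out).
# It sits above "defconf: accept established,related" and matches every
# forward packet whose source is NOT .46, including replies coming back
# from the internet to .46, whose source is the remote server.
# add action=drop chain=forward comment="no internet midnight to 5" \
#     src-address=!192.168.1.46 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat

# Corrected rule: only packets that originate from the LAN subnet can
# match, so return traffic from the internet never hits it; the exempt
# list is negated; the window starts at 00:01 so it does not straddle a
# day boundary. It is placed before the fasttrack rule so that existing
# connections from non-exempt devices are also cut, as the OP observed.
add action=drop chain=forward comment="no internet 00:01-05:00 (LAN only, exempt list)" \
    src-address=192.168.1.0/24 src-address-list=!night-exempt \
    time=0h1m-5h,sun,mon,tue,wed,thu,fri,sat \
    place-before=[find comment="defconf: fasttrack"]
```

To confirm the rule does what you expect, watch the packet counters with `/ip firewall filter print stats` while the window is active: the new rule's counter should rise for traffic from any LAN host except 192.168.1.46, and the laptop's connections should keep being accepted by the established,related rule below it.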