I configured my RB5009 router to allow/disallow my kids' internet access by enabling/disabling them in the firewall address-list, which works fine (see firewall rule #8). However, if they are ALREADY CONNECTED to the internet, rule #8 has no effect because I’m assuming that after rule #1 is satisfied (connection-state=established), nothing below it gets processed. I can plainly see they remain connected by viewing the firewall “Connections” tab. So, I moved rule #8 before #1, but that doesn’t disconnect them. How can I accomplish this?
/ip/firewall/filter> print
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; WinBox Remote Access
chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=22,8291 log=no log-prefix=""
4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp src-address-list=whitelist log=no log-prefix=""
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
7 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
8 ;;; Internet Blocker
chain=forward action=drop src-address-list=blacklist log=no log-prefix=""
9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
/ip/firewall/address-list> print
# LIST ADDRESS
;;; iPad Silver
0 blacklist 192.168.88.3
;;; iPad Pink
1 blacklist 192.168.88.4
;;; Block non-DHCP-reserved devices
2 blacklist 192.168.88.30-192.168.88.100
3 whitelist 192.168.88.0/24
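The behaviour described above follows from connection tracking: once a flow exists, its packets match the established/related accept (and fasttrack) rules before the drop rule is ever consulted, so the drop only applies to connections created after the blacklist entry was enabled. The script below is an added example, not part of the original post; it walks the enabled entries of the "blacklist" list and removes that host's tracked connections, so the next packet is seen as connection-state=new and reaches the "Internet Blocker" drop rule. It assumes RouterOS v7 script syntax and only handles single-IP entries (ranges such as 192.168.88.30-192.168.88.100 are skipped).

```routeros
# Added example: clear tracked connections for every enabled blacklist entry.
# Run it after enabling an address-list entry (e.g. from a scheduler or the
# same script that toggles the entry). Assumes RouterOS v7 syntax.
:foreach entry in=[/ip firewall address-list find where list="blacklist" !disabled] do={
    :local addr [/ip firewall address-list get $entry address]
    # Only plain addresses are handled here; ranges and prefixes would need
    # a different match and are left alone.
    :if ([:typeof [:find $addr "-"]] = "nil" && [:typeof [:find $addr "/"]] = "nil") do={
        # Connection entries show src-address as ip:port, so anchor on "ip:".
        :foreach c in=[/ip firewall connection find where src-address~("^" . $addr . ":")] do={
            /ip firewall connection remove $c
        }
        :log info ("cleared tracked connections for blacklisted host " . $addr)
    }
}
```

With the connection entries gone, rule #8 can stay in its current position after the established/related accept; a packet from a blacklisted host arrives as connection-state=new, is not matched by rules #6 or #7, and is dropped by #8.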