I have a CCR1009-8G-1S-1S+ as my server plus 3 Ubiquiti UniFi APs, all connected to the router directly. I have been using this system for 4 months so far. I have an electricity timer to cut the power from the server and the internet modems every day at 03:00 am and back on again at 06:00 am.
I had a script to shut down the server 2 mins earlier. Now I am facing lots of problems, and I also believe it's from the electricity outage to the server and the internet modems every day for more than 100 days!
Do you think shutting down the equipment every day is good or bad for the devices?
Now I took the timer out just for testing. How can I disable the internet at 03:00 am and back on again at 06:00 am?
I believe I can do that using DHCP or Firewall "Mangle". Which one is better?
Is it possible to block it for everyone except the LAN connection devices?
But I only found the command to be applied to one IP only:
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
How can I make it for a range of IPs?
Also 1) Do you think Shutting down the equipment everyday is good or bad for the devices?
To switch off or not to switch off…?
No…I do not think it is necessary…IMHO it is not good as for electronic devices the process of switching on/off is the moment when most unstable power is…read it as: the time when the overvoltage/overcurrent could happen till it drops to the desired value.
There are always different and ‘doable’ methods to accomplish any task.
If you want to block multiple IP addresses and series, then better to create an address list, and then block/allow this address in the Filter rule.
As shown in the example below:
/ip firewall address-list
add address=172.16.0.10-172.16.0.20 list=Target_Users
add address=172.16.0.15 list=Target_Users
add address=172.16.0.50-172.16.50.60 list=Target_Users
/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
16h-18h,sun,mon,tue,wed,thu,fri,sat
The good part is that you can manage address list from winbox gui by going to IP > FIREWALL > ADDRESS LISTS.
Thank you so much for this info, it helped me somehow, guys.
But when I applied this rule through the terminal or GUI:
/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
16h-18h,sun,mon,tue,wed,thu,fri,sat
Somehow it wasn't working, I didn't get it!
Though it was black when it was active and red when it was inactive.
I've tried different times, and a group of people or only one IP address. Still it was not effective.
The rule you copied was configured with chain=input.
It should have been chain=forward.
In winbox, it is easy to edit the rule and change the chain.
input = packets talking to the Mikrotik itself (regardless of which interface they arrive on)
output = packets the Mikrotik is about to send out to the Internet from itself.
forward = packets that go THROUGH the Mikrotik as a router
Rules are checked in order from first to last until a match is found. Some actions (continue, log, jump, and others) don’t stop the checks, but most do.
A rule only matches if ALL specified conditions are true. Src IP, time, in-interface, protocol, etc.
From what you’re saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)
One other thing - it’s pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when “internet blackout” time comes, it will only block new connections. Connections that were already established will keep right on working.
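The points made in the replies above (forward chain, address list, rule order relative to the established/related accept) put together as one configuration. This is an added example, not a configuration posted by anyone in the thread; the list name Blackout_Users, the 192.168.88.x range and the WAN interface ether1 are assumptions to replace with your own values, and it assumes no hotspot is adding dynamic rules.

```routeros
# Added example (not from the thread). Assumed values: list name
# Blackout_Users, client range 192.168.88.100-200, WAN interface ether1.

/ip firewall address-list
add list=Blackout_Users address=192.168.88.100-192.168.88.200 \
    comment="clients that lose Internet at night"

/ip firewall filter
# Print first so that item number 0 exists for place-before below.
print

# This form does NOT cut Internet access: chain=input only matches packets
# addressed to the router itself (WinBox, DNS to the router, pings to the
# gateway), not traffic routed through it.
# add chain=input action=drop src-address-list=Blackout_Users \
#     time=3h-6h,sun,mon,tue,wed,thu,fri,sat

# Routed traffic is matched in chain=forward. place-before=0 puts the rule
# at the top, ahead of any "accept established,related" rule, so sessions
# that are already open are dropped too, not only new connections.
# Note: packets of fasttracked connections skip the filter entirely.
add chain=forward action=drop src-address-list=Blackout_Users \
    out-interface=ether1 time=3h-6h,sun,mon,tue,wed,thu,fri,sat \
    place-before=0 comment="Internet blackout 03:00-06:00"

# Verify: the rule should be first in the forward chain, and its packet
# counter should increase only during the blackout window.
print stats where chain=forward

# The time matcher follows the router's clock, so confirm it is correct.
/system clock print
```

Because out-interface=ether1 limits the drop to traffic leaving through the WAN port, LAN-to-LAN traffic keeps working during the blackout.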
From what you’re saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)
I’ve attached a pic which will make it much easier for you.
If you’re doing a hotspot, then you should set any hours-of-operation inside the hotspot configurations.
See how all of those rules have the D flag (dynamic)? That means hotspot added them. You can’t guarantee rule order inside the hotspot except by doing configs there.
I think there are hours-of-use settings in the user and hotspot server profiles.
If your packets are not on the hotspot interfaces (don’t match the jump statements) then the hours rule /should/ work, assuming that it doesn’t have match criteria that are broken somehow…
Hello Zerobyte,
I’m grappling with the exact same issue and am trying to figure out how to stop or drop a connection so that the exclusion time firewall rule can kick in. Any help would be hugely appreciated.
Edit: Solved - Since this is a home network I had set most of the devices (including the one that I am trying to manage using the above rules) to have DHCP long leases. I realised that if I set the device to a 10 minute renewal period on the DHCP lease, the rule will kick in when the lease is renewed. This means that the device in question will (should) only have a 10 minute window within which it will still be able to access the internet.
The rule I’m using is:
/ip firewall filter add chain=forward action=drop time="17:50:00-23h58m,mon,tue,wed,thu,fri,sat,sun" src-mac-address=EE:66:77:44:55:BB comment="Block PS4 daily from 17:50 to 23:58"
Hello Africantech,
This is what helped me to achieve the settings you are requesting. This assistance came from aacable in his blog, based on a question on time-based internet access, and his response together with my implementation to achieve the goal.
For Amrory, you will see that you have to take the rule above the hotspot rule, take the rule above making it start from 0. This will make it work in hotspot, though I had issues, but when I disabled the hotspot firewall, the rule started working. Which means it cannot work together with hotspot.
Here is the conversation and the responses:
TIME based filter rule
Just for an example, I want to BLOCK all sort of access for an IP from 1:00pm till 3:00pm, then simply create a Firewall rule that will block traffic from this IP address and in the TIME section, modify the required time, something like below . . .
Change the IP / Time as per your requirement
CLI Code:
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=178.20.28.0/22 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
Hello Sir, please I need your help on this issue. We are faced with a problem where we want all staff to be allowed to browse the internet only from 7:00 till 16:00, but allow only the Admin/manager unrestricted access to the internet. The network is on DHCP while the LAN IP address is 178.50.30.0/24, but we will use that of the Admin/manager PC MAC ID as the filter. Please, your help is needed in this direction, as staff now abuse the use of the network because after that time they use it to do some unimaginable things.
Thanks and God bless you.
Comment by sapanda — April 15, 2016 @ 1:27 PM
There are many ways you can block/allow users.
Example:
Create two filter rules,
1st, allow the admin IP or MAC address in forward chain
you need to put this rule on top
/ip firewall filter add chain=forward src-mac-address=xx:xx:xx:xx:xx:xx dst-address=192.168.0.10 action=accept
2nd, reject requests from all IP series of LAN users, and set the time in it.
OR
in default NAT rule, you can define time in which you want to allow the ip range.
Settings that worked for me
/ip firewall filter
add chain=forward src-mac-address=00:21:5C:4E:11:31
add chain=forward src-mac-address=C0:BD:D1:3F:96:13
add action=drop chain=input comment=\
"Block access for all users from 4pm -9pm" in-interface=bridge1 time=\
13h-22h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes