DNS broken ROS 7.21.3

Sorry, I am writing this from my phone so I cannot attach the config yet. While waiting for that, here is my question. I updated my RB5009 from 7.19.6 to 7.21.3, and now if the WAN connection goes off and then on again, DNS no longer works. A reboot helps after the WAN is on again. Somehow DNS is reset by the WAN off/on. Something has changed between those versions. I had a schedule to switch the WAN off during the night, from 10 pm to 4 am. I disabled that schedule, so now everything is working. I tested a little: I made a schedule to switch the WAN off and then on again after one minute. This did not break DNS, so maybe the malfunction needs a longer off period.

When the problem is present, the router gets an IP from the operator and clients get IPs from the router. And /ip/firewall/connections shows connections to the DNS servers 1.1.1.2 and 1.0.0.2 being retried very hard, but without success.

I try to send config later.

I can live with current situation but I am curious what the problem actually is.

The truth lies in the config... looking forward to reading it.
Why do you turn off your WAN interface?

Something has changed between those versions.

Yeah...I think so too :grinning_face_with_smiling_eyes:

MikroTik RouterOS 7.21.3 (c) 1999-2026 https://www.mikrotik.com/

Press F1 for help

[XXXX] > export

2026-02-24 18:11:36 by RouterOS 7.21.3

software id = ID ID ID

model = RB5009UG+S+

serial number = Serial

# Reviewer notes are the '#' lines; every command below is the export exactly as pasted.
/interface bridge
# One VLAN-aware bridge; STP is off (protocol-mode=none) and the bridge interface itself admits tagged frames only.
add frame-types=admit-only-vlan-tagged name=BR1 port-cost-mode=short protocol-mode=none vlan-filtering=yes

/interface ethernet
# l2mtu=1514 was the pre-7.21 default for this board (see thread); it shows up in the export only because the default changed.
set [ find default-name=ether1 ] l2mtu=1514
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514

/interface vlan
# One VLAN interface per client group, all on BR1.
add interface=BR1 name=2.4Ghz_VLAN vlan-id=77
add interface=BR1 name=LAITE_VLAN vlan-id=75
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=SFP_VLAN vlan-id=25
add interface=BR1 name=SSID1_VLAN vlan-id=60
add interface=BR1 name=SSID2_VLAN vlan-id=65
add interface=BR1 name=TV_VLAN vlan-id=70

/interface list
# These three lists drive the firewall, discovery and mac-server rules further down.
add name=WAN
add name=LAN
add name=MGMT

/interface lte apn
# Old-default remnant on a board without LTE (thread: cleanup candidate).
set [ find default=yes ] name=Handset use-network-apn=no

/ip pool
# NOTE(review): the end address 10.20.0.56 is outside 10.0.20.0/24 (OMA_PC_VLAN is 10.0.20.1/24 below) — almost certainly a typo for 10.0.20.56.
add name=OMA_PC_POOL ranges=10.0.20.55-10.20.0.56
add name=M_LAPTOP_POOL ranges=10.0.30.10-10.0.30.15
add name=OMALAPTOP_POOL ranges=10.0.40.10-10.0.40.15
add name=PI_POOL ranges=10.0.50.10-10.0.50.15
add name=SSID1_POOL ranges=10.0.60.10-10.0.60.15
add name=TV_POOL ranges=10.0.70.10-10.0.70.15
add name=SSID2_POOL ranges=10.0.65.10-10.0.65.15
# 100.64.0.0/10 (CGNAT space) pool, used only by dhcp1 on ether1 below; the auto-style name suggests it was created by a wizard.
add name=dhcp_pool8 ranges=100.64.0.1-100.64.81.166,100.64.81.168-100.64.255.254
add name=LAITE_POOL ranges=10.0.75.10-10.0.75.15
add name=2.4Ghz_POOL ranges=10.0.77.10-10.0.77.15
add name=SFP_POOL ranges=10.0.25.10-10.0.25.15

/ip dhcp-server
# Short 10m leases on most VLANs; TV and LAITE use 521w3d (~10 years), i.e. effectively permanent.
add address-pool=OMA_PC_POOL interface=OMA_PC_VLAN lease-time=10m name=OMA_PC_DHCP
add address-pool=M_LAPTOP_POOL interface=M_LAPTOP_VLAN lease-time=10m name=M_LAPTOP_DHCP
add address-pool=OMALAPTOP_POOL interface=OMALAPTOP_VLAN lease-time=10m name=OMALAPTOP_DHCP
add address-pool=PI_POOL interface=PI_VLAN lease-time=10m name=PI_DHCP
add address-pool=SSID1_POOL interface=SSID1_VLAN lease-time=10m name=SSID1_DHCP
add address-pool=TV_POOL interface=TV_VLAN lease-time=521w3d name=TV_DHCP
add address-pool=SSID2_POOL interface=SSID2_VLAN lease-time=10m name=SSID2_DHCP
# NOTE(review): dhcp1 serves DHCP on ether1, which is the WAN list member and also runs a dhcp-client (see /ip dhcp-client).
# A DHCP server facing the operator side is unusual — confirm it is intended; otherwise remove it together with dhcp_pool8.
add address-pool=dhcp_pool8 interface=ether1 name=dhcp1
add address-pool=LAITE_POOL interface=LAITE_VLAN lease-time=521w3d name=LAITE_DHCP
add address-pool=2.4Ghz_POOL interface=2.4Ghz_VLAN lease-time=10m name=2.4Ghz_DHCP
add address-pool=SFP_POOL interface=SFP_VLAN lease-time=10m name=SFP_DHCP

/ip smb users
# Old-default remnant (thread: cleanup candidate).
set [ find default=yes ] disabled=yes

/interface bridge port
# Access ports: untagged frames are placed in the PVID VLAN. ether6 is the only trunk (tagged frames only).
# ether1 (WAN) and ether8 (MGMT) are deliberately not bridge ports — they are routed directly.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=70
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether6 internal-path-cost=10 path-cost=10 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=25

/ip firewall connection tracking
# udp-timeout=10s is short (default is longer); a DNS reply arriving later than 10s after the query loses its conntrack entry.
# Thread suggests trying loose-tcp-tracking=yes while hunting the WAN-toggle problem.
set loose-tcp-tracking=no tcp-established-timeout=30m udp-timeout=10s

/ip neighbor discovery-settings
# Discovery fully off. Thread suggests MGMT instead, so the router is visible in WinBox Neighbors only on the management side.
set discover-interface-list=none

/ip settings
# rp-filter=strict drops packets whose source is not reachable back via the arriving interface;
# thread recommends testing loose/no, since route changes after a WAN toggle can trip strict mode.
set max-neighbor-entries=4096 rp-filter=strict

/ipv6 settings
# IPv6 stack disabled entirely; the /ipv6 firewall rules below are belt-and-braces.
set disable-ipv6=yes

/interface bridge vlan
# VLAN 20 (admin PC) is untagged on ether2 and also tagged towards the ether6 trunk.
add bridge=BR1 tagged=BR1,ether6 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=60,65,75,77
add bridge=BR1 tagged=BR1 vlan-ids=70
add bridge=BR1 tagged=BR1 vlan-ids=25

/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
add interface=M_LAPTOP_VLAN list=LAN
add interface=OMALAPTOP_VLAN list=LAN
add interface=PI_VLAN list=LAN
add interface=ether8 list=MGMT
add interface=SSID1_VLAN list=LAN
add interface=TV_VLAN list=LAN
# '*12' is a reference to an interface that no longer exists — dead entry, remove it.
add interface=*12 list=WAN
add interface=SSID2_VLAN list=LAN
# OMA_PC_VLAN is in both LAN and MGMT: MGMT membership is what lets 10.0.20.55 match the admin input rules
# and what exposes MAC-WinBox (/tool mac-server mac-winbox) on that VLAN.
add interface=OMA_PC_VLAN list=MGMT
add interface=LAITE_VLAN list=LAN
add interface=2.4Ghz_VLAN list=LAN
add interface=SFP_VLAN list=LAN

/interface ovpn-server server
# No enabled=yes in the export, so the OVPN server is off; the auth list still contains md5 — old-default remnant, remove rather than keep.
add auth=sha1,md5 mac-address=xx:xx:xx:xx name=ovpn-server1

/ip address
add address=10.0.20.1/24 interface=OMA_PC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=M_LAPTOP_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=OMALAPTOP_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=PI_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=SSID1_VLAN network=10.0.60.0
add address=10.0.70.1/24 interface=TV_VLAN network=10.0.70.0
# ether8 is a routed, off-bridge management port with a static address and no DHCP server.
add address=10.0.80.1/24 interface=ether8 network=10.0.80.0
add address=10.0.65.1/24 interface=SSID2_VLAN network=10.0.65.0
add address=10.0.75.1/24 interface=LAITE_VLAN network=10.0.75.0
add address=10.0.77.1/24 interface=2.4Ghz_VLAN network=10.0.77.0
add address=10.0.25.1/24 interface=SFP_VLAN network=10.0.25.0

/ip cloud
set update-time=no

/ip dhcp-client
# WAN address from the operator. The default route and any peer DNS come and go with this lease,
# which is the first thing to watch when ether1 is toggled (thread: enable dhcp debug logging).
add interface=ether1

/ip dhcp-server lease
# Redacted static lease on the SFP VLAN.
add address=xxx.xxx.xxx.xxx client-id=xx:xx:xx: mac-address=xx:xx:xx:xx server=SFP_DHCP

/ip dhcp-server network
# Clients are handed the public resolvers 1.1.1.2/1.0.0.2 directly, not the router. Their DNS traffic is therefore
# forwarded traffic (forward chain + NAT), which is why the thread concludes the symptom is lost IP connectivity, not the router's resolver.
add address=10.0.20.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.20.1
add address=10.0.25.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.25.1
add address=10.0.30.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.60.1
add address=10.0.65.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.65.1
add address=10.0.70.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.70.1
# netmask=24 is redundant with the /24 prefix; harmless.
add address=10.0.75.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.75.1 netmask=24
add address=10.0.77.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.77.1
# Redacted; presumably the network entry for dhcp1 on ether1 — TODO confirm.
add address=XXX.XXX.XXX.XXX gateway=xxx.xxx.xxx.xxx

/ip dns
# No allow-remote-requests=yes, so this resolver serves only the router itself (clients bypass it, see dhcp-server network).
set cache-max-ttl=30m servers=1.1.1.2,1.0.0.2

/ip firewall address-list
# Local_LAN feeds the RAW anti-spoof rule; the bad_*/not_global_* lists are the defconf bogon lists.
add address=10.0.20.0/24 list=Local_LAN
add address=10.0.25.0/24 list=Local_LAN
add address=10.0.30.0/24 list=Local_LAN
add address=10.0.40.0/24 list=Local_LAN
add address=10.0.50.0/24 list=Local_LAN
add address=10.0.60.0/24 list=Local_LAN
add address=10.0.65.0/24 list=Local_LAN
add address=10.0.70.0/24 list=Local_LAN
add address=10.0.75.0/24 list=Local_LAN
add address=10.0.77.0/24 list=Local_LAN
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# Management subnet added to Local_LAN last; 100.64.0.0/10 (dhcp1) is not in Local_LAN.
add address=10.0.80.0/24 list=Local_LAN

/ip firewall filter
# Input chain (traffic to the router itself). Default-deny at the end; WAN is dropped wholesale before the ICMP accept.
# log-prefix without log=yes (here and on the "Drop all else" rules) has no effect — either add log=yes or drop the prefix.
# Thread: swapping "Drop invalid" and "Accept established, related" saves one rule lookup per packet with no security change.
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid log-prefix=Input_Drop_Invalid_
add action=accept chain=input comment="\"Accept established, related\"" connection-state=established,related
add action=drop chain=input comment="\"Drop All from WAN\"" in-interface-list=WAN log-prefix=Drop_Wan
add action=accept chain=input comment="\"Accept ICMP\"" protocol=icmp
add action=accept chain=input comment="Accept to local loopback." dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
# Management is limited to two source addresses arriving on MGMT-list interfaces — good; 10.0.20.55 only qualifies because OMA_PC_VLAN is in MGMT.
add action=accept chain=input comment="Allow 5009 config from port 8" in-interface-list=MGMT src-address=10.0.80.5
add action=accept chain=input comment="Allow 5009 config from port 2" in-interface-list=MGMT src-address=10.0.20.55
add action=drop chain=input comment="\"Drop all else\"" log-prefix=Input_Drop_All_Else_

# Forward chain (traffic routed through the router). No fasttrack rule, so every packet walks the whole chain (thread).
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid log-prefix=Forward_Drop_Invalid_
add action=accept chain=forward comment="\"Accept established, related\"" connection-state=established,related
# Unsolicited inbound from WAN is dropped unless a dst-nat rule created the connection (there are none in this export).
add action=drop chain=forward comment="\"Drop all from WAN not DSTNATed\"" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow list LAN to internet" in-interface-list=LAN out-interface-list=WAN
# Inter-VLAN access is pinned to admin host -> device pairs; everything else between VLANs hits "Drop all else".
add action=accept chain=forward comment="Allow Zyxel config from port 2" dst-address=10.0.20.15 src-address=10.0.20.55
add action=accept chain=forward comment="Allow Zyxel config from port 8" dst-address=10.0.20.15 src-address=10.0.80.5
add action=accept chain=forward comment="Allow Shelly config from port 2" dst-address=10.0.75.15 src-address=10.0.20.55
# log=yes here logs every dropped forward packet — expect noisy logs (thread).
add action=drop chain=forward comment="\"Drop all else\"" log=yes log-prefix=Forward_Drop_All_Else_

/ip firewall nat
# Single masquerade for everything leaving via WAN.
add action=masquerade chain=srcnat comment="\"NAT\"" out-interface-list=WAN

/ip firewall raw
# Thread: these RAW rules duplicate what the filter chains already drop and only cost lookups; the Local_LAN rule
# only matters for spoofed packets from WAN addressed to LAN ranges (replies to NATed traffic still carry the public address here).
add action=accept chain=prerouting comment="\"defconf: enable for transparent firewall\"" disabled=yes
add action=drop chain=prerouting comment="\"defconf: drop forward to local lan from WAN\"" dst-address-list=Local_LAN in-interface-list=WAN
add action=drop chain=prerouting comment="\"defconf: drop bogon IP's\"" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="\"defconf: drop bogon IP's\"" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="\"defconf: drop bogon IP's\"" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="\"defconf: drop bogon IP's\"" dst-address-list=bad_dst_ipv4 log-prefix="Drop bogon ips"
add action=drop chain=prerouting comment="\"defconf: drop non global from WAN\"" in-interface-list=WAN src-address-list=not_global_ipv4

/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off — reduces the parsing the router does on untrusted traffic.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip ipsec profile
# Old-default remnant; no IPsec peers in this export.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip service
# Only WinBox is left reachable, restricted to the management subnet and the admin PC.
# www-ssl has tls-version set but no enabled=yes in the export, so it is presumably still off.
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl tls-version=only-1.2
set winbox address=10.0.80.0/24,10.0.20.55/32
set api disabled=yes
set api-ssl disabled=yes

/ip ssh
# Harmless while ssh is disabled above; keeps strong ciphers if it is ever re-enabled.
set strong-crypto=yes

/ipv6 firewall filter
# Drop everything; with IPv6 disabled this is defence in depth only.
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output

/ipv6 nd
# Presumably no effect while IPv6 is disabled — old-default remnant.
set [ find default=yes ] advertise-dns=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Helsinki

/system identity
set name=XXX

/system logging
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
# NTP servers by IP, so time sync does not depend on DNS.
add address=194.100.49.139
add address=194.100.49.151

/system routerboard reset-button
# Physical reset button enabled: anyone with hands on the box can factory-reset it. Fine at home, disable if the device is not physically secured.
set enabled=yes

/system scheduler
# NOTE(review): every entry runs with policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon.
# Enabling/disabling an interface appears to need only read,write; trim the others (least privilege for scripts).
# "Wan Off"/"Wan On" are the disabled night schedule from the thread; the TV-Box pair is still active.
add disabled=yes interval=1d name="Wan Off" on-event="/interface disable [find where default-name=\"ether1\"]\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-12-26 start-time=22:00:00
add disabled=yes interval=1d name="Wan On" on-event="/interface enable [find where default-name=\"ether1\"]\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-12-27 start-time=04:00:00
add interval=1d name="TV-Box interface OFF" on-event="/interface disable [find where default-name=\"ether7\"]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-05-31 start-time=21:25:00
add interval=1d name="TV-Box interface ON" on-event="/interface enable [find where default-name=\"ether7\"]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-06-01 start-time=06:00:00

/tool bandwidth-server
set enabled=no

/tool mac-server
# MAC-telnet off everywhere.
set allowed-interface-list=none

/tool mac-server mac-winbox
# MAC-WinBox on MGMT, i.e. ether8 and OMA_PC_VLAN (see list members) — bypasses the IP address restriction on /ip service winbox.
set allowed-interface-list=MGMT

/tool mac-server ping
set enabled=no

/user settings
set minimum-password-length=15
[XXXXXX] >

So here is my config. Please concentrate first on the DNS problem; there might be some unnecessary parts in the config, but I will clean it up later. Maybe…

At first review seems fine.
Did you try changing this line to see if it makes any difference?

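/ip dns
# allow-remote-requests=yes turns the router into a resolver for its clients. The existing input chain drops
# all WAN traffic before anything else, so this is not exposed to the internet; LAN queries (udp/tcp 53) will
# still need an input accept rule ahead of "Drop all else" for clients to actually reach it.
set allow-remote-requests=yes cache-max-ttl=30m servers=1.1.1.2,1.0.0.2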

Not sure why you gave DHCP to the off-bridge port. More entries to manage. This way anyone can plug in and potentially gain access, whereas if there is only the address 192.168.xxx.1/30, then the only way someone can gain access is by guessing the right subnet, as you put the IPv4 settings manually into your PC (192.168.xxx.2) to gain access.

Also, you don't add this off-bridge port to your LAN interface list?? What if you want to get something from the net while connected here, or look something up???

Plus this should be fixed………
/ip neighbor discovery-settings
set discover-interface-list=MGMT

Why all the 1514 settings on the interface L2MTU? Is that simply the default??

Is it only DNS not working after wan toggle? can you ping the DNS server? can you ping other public IP like 8.8.8.8? is it only the router broken DNS or the clients as well? is there something in the logs at time of 4:00? how does your routing table change? compare table when working to inactive wan and reenabled wan.

As far as the firewall goes, I would say the rules are slightly out of order and can be improved from a security viewpoint; why else go to the trouble in other spots and then get soft in the firewall rules…….
Also missing a fasttrack rule!! Don't fill up the logs with useless drop-all traffic.


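/ip firewall address-list
# Authorized = hosts allowed to manage the router; keep this list short.
add address=10.0.80.2 list=Authorized comment="offbridge access"
# (use 10.0.80.0/24 instead if the whole off-bridge management subnet should be trusted)
add address=10.0.20.55 list=Authorized comment="admin pc"
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 in-interface=lo \
    src-address=127.0.0.1
# Management only from MGMT-list interfaces AND an Authorized source address.
add action=accept chain=input comment="admin access" in-interface-list=MGMT \
    src-address-list=Authorized
# The two rules below are only needed if the router answers LAN resolver/NTP queries
# (allow-remote-requests=yes); with clients pointed at 1.1.1.2/1.0.0.2 directly they can be omitted.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP/NTP" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
# --- forward chain: traffic routed through the router ---
# The RouterOS action is fasttrack-connection ("fasttrack" alone is not a valid action).
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=MGMT \
    src-address-list=Authorized out-interface-list=LAN
# Default deny covers unsolicited WAN traffic and all other inter-VLAN traffic.
add action=drop chain=forward comment="Drop all else"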


Continuing the discussion from DNS broken ROS 7.21.3:

That 1514 is the default; it has been working this far. I don't really know what it should be and why I should change it.

All “clients” in my system are my own computers and other devices in my house; I'm not worried that someone will plug in and potentially gain access.

Why to change allow-remote-requests=yes?

Why to change: /ip neighbor discovery-settings set discover-interface-list=MGMT?

My 5009 is the only box I have there are no neighbours? Or am I missing something?

Why this, router has been working fine with 7.19.6?

# Accept the router's own loopback traffic (lo, 127.0.0.1 -> 127.0.0.1) before the final input drop.
add chain=input action=accept in-interface=lo src-address=127.0.0.1 dst-address=127.0.0.1

This also, 7.19.6 was fine without it?

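# Needed only when the router itself resolves for the LAN (allow-remote-requests=yes); the default "drop all else"
# in the input chain would otherwise block client queries. Line continuations restored (the pasted copy lost the '\').
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP/NTP" \
    dst-port=53,123 in-interface-list=LAN protocol=udp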

I tried to ping 1.1.1.2 and 8.8.8.8 from the router's tools/ping but with no success. My computer had no internet access from my browser. Did I ping from my computer? Not sure. I just tried to get everything working, and rebooting the router helped. Then I disabled the scheduler.

What is going on with DNS in the case when wan goes off and on? Does it reset all DNS info or what?

7.19.6 DNS was not broken when toggling wan. Is this new behaviour some kind of security improvement?

What if the WAN goes down from the operator side — is DNS broken and I have no connection? Or is DNS broken only when I toggle the WAN inside my router? Maybe I will test it some day by disconnecting the cable on the router's WAN side. Looks like I should organize a testing plan to find out more. But what I need to know is how long the WAN should be toggled off before DNS goes down. I said before that I tested it for one minute, and then it was working. Of course I did it in a hurry and there could be an error in my testing…

At the moment I have no systems in my house that need internet connection all the time. Maybe some day I will have and then this looks like a real problem.

In the log at 04:00 there were only normal things: the router got an IP address, no differences from the normal working situation.

That used to be the default for the RB5009, but since 7.21 the new default L2MTU is 1596. That's why your export now includes the old default value (RouterOS upgrades do not migrate parameters to new defaults). Do this if you want to migrate to the new default L2MTU for the RB5009 and get rid of those lines from the export:

# Set every ethernet interface to the 7.21 default L2MTU so the per-port lines disappear from the export.
/interface/ethernet set [ find ] l2mtu=1596

(Your export also has more remnants of old defaults that you can clean up using @tangent's guide from here MikroTik Solutions: Configuration Flotsam, things like port-cost-mode=short, /interface lte apn, /ip smb users, /interface ovpn-server server, path-cost, udp-timeout, etc).


As for your issue: it looks like it's not only DNS that is not working; you lose full IP connectivity. I would start by dialing back some unconventional settings in your configuration. For example, try to:

  • Set rp-filter under /ip settings to loose or no.
  • Set loose-tcp-tracking to yes under /ip firewall connection tracking.

Besides that, your RAW rules are pretty useless (your filter table will do the blocking anyway) and only consume resources unnecessarily, you should disable them. Not all examples from the docs are useful. Also for better performance (especially because you've turned off fasttrack), swap the positions of the Accept established, related and Drop invalid rules in your filter table (both input and forward chain). You don't improve the security by placing Drop invalid before Accept established, related (they both act on connection-state that can only have one value at a time) but add one extra rule to be processed for the majority of the packets.


It's useful when you want to connect to your router using MAC address in WinBox, which is currently possible because you have

Using the same list for discovery-settings provides the comfort that the router appears in the Neighbor list in WinBox and you don't have to remember and manually type the MAC address.


Isn't that line blocking all incoming traffic as the very first rule executed?

At least to all the defined local 10.x networks. On ether1 a dhcp-client is running. Traffic should be routed.

No, at that point in RAW prerouting the packet has not yet reached connection tracking, which means any NAT translation is not applied yet. Response packets coming from the internet still have the public IP address of the router as dst-address (not yet translated to LAN addresses), and will not be blocked by that RAW rule.

That RAW rule only blocks when some attacker from the WAN side sends packets with fake destination address (in the range of Local_LAN to the router), which is probably never. And without that rule, the rules in the filter table will drop those anyway.

Thank you all for the good answers; I will study things when I have more time. But for now it's working because I disabled the scheduler. Why disable the WAN during the night? Well, when I go to sleep I check that all the doors in my house are locked. Something like that. But ROS should really recover after toggling the WAN.

It should recover. You could also enable dhcp debug logging to see if dhcp-client on ether1 does start after re-enabling ether1.

What if I make the following firewall rule and then enable/disable that rule with the scheduler? Enable the rule at 22:00 and disable it at 04:00?

# Forward chain only: matches packets routed through the router that arrive on ether1 (so also the return packets
# of LAN-initiated connections), but not packets addressed to the router itself (input chain). Appended after the
# existing "Drop all else" unless place-before is used, so check its position in the chain after adding it.
/ip/firewall/filter add action=drop chain=forward comment="WAN-Off" in-interface=ether1

Wan-Off scheduler:

# Nightly: enable the "WAN-Off" filter rule. No policy= given here; the scheduler entries in the export carry a very
# broad policy list, while enabling a firewall rule appears to need only read,write.
/system/scheduler add interval=1d name=wan_down on-event="/ip firewall filter enable [find comment=\"WAN-Off\"]" start-time=22:00

Wan-On scheduler

# Morning: disable the "WAN-Off" filter rule again (counterpart of wan_down; same policy remark applies).
/system/scheduler add interval=1d name=wan_up on-event="/ip firewall filter disable [find comment=\"WAN-Off\"]" start-time=04:00

I will test this later. But in the meantime, any comments? Will this increase security, even theoretically?

I suppose this could stop possible attacks during the night better than a strict firewall alone?

Not saying I'm suffering from attacks, but better to be sure…