NAT/Firewall time-based rules

Hi!

Newbie question - is there an IOS “time-range” analogue with absolute start/end datetime in RouterOS?

E.g. I need to NAT some local addresses from 17.07.2017 12:00 to 21.07.2017 14:00.

Thank you in advance.

Yes - there is a time match criterion available to use on rules.
Any rule with a time range will match if the current time is between the two times listed in the range you specified.

  • note that this does not cross the midnight boundary, so you’d need to use multiple rules if your time range includes time 00:00:00

One other thing - it seems strange to me that you would perform NAT at certain times of day. Are you trying to block/allow access to something only at certain times?
(or are you directing the same translation to different destinations based on the time of day?)

If you’re using it to block stuff, you should make a filter rule which does this. Disabling a NAT rule except for certain times of day doesn’t actually filter traffic - it simply makes the traffic be forwarded with different src/dst IP addresses and ports during the rule’s active / inactive periods.
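Added example, not part of ZeroByte's reply: a filter-rule version of a daily time window, written the way RouterOS expects it. The restricted range 192.168.1.192/26 and the 22:00-06:30 window are assumptions. Because the time matcher does not cross midnight, the window is split into two rules at 00:00:00.

```routeros
# Added example (not from the thread). Assumed: restricted hosts live in
# 192.168.1.192/26 and should lose Internet access nightly 22:00 - 06:30.
# The time matcher compares against the router's local clock, so keep
# /system clock and NTP correct or the window drifts.

/ip firewall filter

# Part 1: 22:00:00 up to the end of the day.
add chain=forward src-address=192.168.1.192/26 \
    time=22:00:00-23:59:59,sun,mon,tue,wed,thu,fri,sat \
    action=drop comment="night block part 1 (22:00-24:00)"

# Part 2: midnight up to 06:30:00, every day again.
add chain=forward src-address=192.168.1.192/26 \
    time=00:00:00-06:30:00,sun,mon,tue,wed,thu,fri,sat \
    action=drop comment="night block part 2 (00:00-06:30)"
```

Both rules have to sit above any general accept in the forward chain (the usual accept for connection-state=established,related in particular), otherwise sessions opened before 22:00 keep flowing past the boundary; use the move command in /ip firewall filter, or place-before= when adding, to put them first. The srcnat masquerade rule is left untouched.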

ZeroByte, thank you for information.

Regarding my task - I need to allow internet access via NAT for some local PCs with private IPs within a specific absolute period of time. Not every day from 12:00 to 14:00 but e.g. from 18.07.2017 12:00 to 21.07.2017 14:00. IOS time-ranges allow me to do this:

time-range TIMEDACCESS
 absolute start 12:00 18 July 2017 end 14:00 21 July 2017

access-list 177 permit ip host 192.168.30.30 any time-range TIMEDACCESS

ip nat inside source list 177 pool mypool overload

As I understand it, RouterOS does not have such functionality (from a simplicity point of view). The only way I found is to use scheduled scripts - one for enabling a special NAT chain and one for disabling it. Not such an elegant solution, IMHO.

This sounds like rules allowing kids to use the Internet at certain times…

Don’t forget my main point in my reply: Use filter rules to block Internet access. Don’t break internet access by causing a NAT rule to only work some of the time.
This may sound like “some say potato, some say potatta” but there are differences, and it’s best to establish good habits.

In any case, if you’re looking to clamp down on what some computers/devices can/cannot do, then I would do the following things:

Force DHCP use on the network

  • on the LAN interface(s), set arp=reply-only
  • on the DHCP server for each LAN segment, set the server to “add ARP on lease=yes” (a checkbox near the bottom of the window in Winbox)
    This means that nothing can just configure a static IP address and get any service from the Internet. Only devices which lease their IPs via DHCP will be able to use the Internet.
    (LAN is a different story, but that’s beyond the scope of your requirements anyway)

Configure static leases for the devices to be limited
The easiest thing to do is designate some specific range of your LAN as “restricted access.” Because of how IP masks work in firewall rules, routes, etc., make it a range that lines up with a subnet mask.
Eg: 192.168.1.192-192.168.1.254 = restricted (or 224-254 if you only need 32 restricted-access addresses)
Make sure that your DHCP server’s pool does NOT cover this range (e.g. 192.168.1.64-192.168.1.191)
Make static leases for each device to be governed by your restrictions, and put their IPs into the .192 - .254 range

Configure a custom chain for the restricted hosts
Make a new chain by adding a rule and, for that first rule, manually typing the name of the new chain (e.g. RestrictedHosts) into the chain field
place whatever filters / restrictions you like into that chain
add a rule into the forward chain which matches src-address=192.168.1.192/26 and the action=jump jump-target=RestrictedHosts

This is the cleanest way to make rules that only affect one set of hosts, without the need for creating an entirely separate restricted LAN.
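Added example, not part of the thread: the full RouterOS configuration for the steps above (DHCP-only access, static leases, the RestrictedHosts chain), combined with the one-shot scheduler approach the original poster mentioned, so that the absolute window 18.07.2017 12:00 to 21.07.2017 14:00 toggles a filter rule rather than the NAT rule. Interface names (bridge-lan, ether1), the DHCP server and pool names (dhcp-lan, lan-pool), the MAC addresses and the 192.168.1.0/24 addressing plan are assumptions; the router is assumed to already have that bridge, DHCP server and pool.

```routeros
# Added example (not from the thread). Assumed names: bridge-lan (LAN bridge),
# ether1 (WAN), dhcp-lan (DHCP server), lan-pool (its pool). The restricted
# range is 192.168.1.192/26; the dynamic pool stays below it.

# 1. Only hosts holding a DHCP lease get an ARP entry, so a manually
#    configured static IP gets no service from the router.
/interface bridge set bridge-lan arp=reply-only
/ip dhcp-server set [find name=dhcp-lan] add-arp=yes

# 2. Keep the dynamic pool out of the restricted range, then pin the
#    governed devices into .192-.254 with static leases (MACs are made up).
/ip pool set [find name=lan-pool] ranges=192.168.1.64-192.168.1.191
/ip dhcp-server lease add server=dhcp-lan address=192.168.1.200 \
    mac-address=00:11:22:33:44:01 comment="kid-pc-1"
/ip dhcp-server lease add server=dhcp-lan address=192.168.1.201 \
    mac-address=00:11:22:33:44:02 comment="kid-tablet"

# 3. NAT is unconditional: access is controlled by filter rules, never by
#    enabling and disabling the masquerade rule.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 4. The RestrictedHosts chain. The accept rule starts disabled and is the
#    only thing the scheduler touches; everything else in the chain is dropped.
/ip firewall filter
add chain=RestrictedHosts action=accept disabled=yes comment=window-accept
add chain=RestrictedHosts action=drop comment=restricted-default-drop
add chain=forward src-address=192.168.1.192/26 action=jump \
    jump-target=RestrictedHosts comment=restricted-jump

# 5. One-shot scheduler entries (interval=0 runs the script once at its start
#    time) open and close the absolute window. Dates are in the RouterOS v6
#    mmm/dd/yyyy form. The router clock must be correct, so configure NTP.
/system scheduler
add name=restricted-window-open start-date=jul/18/2017 start-time=12:00:00 \
    interval=0 on-event="/ip firewall filter enable [find comment=window-accept]"
add name=restricted-window-close start-date=jul/21/2017 start-time=14:00:00 \
    interval=0 on-event="/ip firewall filter disable [find comment=window-accept]"
```

Two things to check after pasting this: the restricted-jump rule must be above any general accept in the forward chain (especially the accept for connection-state=established,related), otherwise connections opened while the window was open survive its close; and the scheduler only fires if the router is up and has the right time at that moment, so confirm both entries ran with /log print after the boundary.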