Hi Everybody, I have a 450G deployed at my house and I have two VLANs and a WAN port configured for use. I would like to somehow disable access to the internet (WAN port) on a schedule (disable it from midnight until 6 am). I tried setting the NAT rule to disable during those times but it seems that some traffic can still pass with this rule disabled during those times. Is there any way of disabling the WAN port on a schedule or something similar? Thanks.
Write IP firewall filters with timers instead, and drop all traffic with the particular in-interface.
So if I did something like this would it stop access to my WAN port from midnight to 6 am but leave routing within my network enabled? I got this from the wiki but I don’t understand what the limit values are for (64k/128k)? Also, if I only wanted to stop access to only one of my VLANs (192.168.1.x) would I just modify the target address to 192.168.1.0/24 instead of 192.168.0.0/24? Thanks
[admin@MikroTik] queue simple> add name=Cust0 interface=WAN
... target-address=192.168.0.0/24 max-limit=64000/64000
[admin@MikroTik] queue simple> /system script
[admin@MikroTik] system script> add name=start_limit source={
/queue simple set Cust0 max-limit=64000/64000
}
[admin@MikroTik] system script> add name=stop_limit source={
/queue simple set Cust0 max-limit=128000/128000
}
[admin@MikroTik] system script> .. scheduler
[admin@MikroTik] system scheduler> add interval=24h name="set-64k"
... start-time=6:00:00 on-event=start_limit
[admin@MikroTik] system scheduler> add interval=24h name="set-128k"
... start-time=23:59:59 on-event=stop_limit
That’s a queue. That’s something completely different.
Assuming the network you want to block is behind an interface called ‘my-network’ and the WAN interface is called ‘WAN-network’:
/ip firewall filter
add chain=forward in-interface=my-network out-interface=WAN-network time=0h-6h,sun,mon,tue,wed,thu,fri,sat action=drop
So if I have my interfaces labelled WAN, LAN (master port for all LAN interfaces), LAN1, LAN2 (all these being on VLAN 192.168.1.0) and GUEST (guest being VLAN 192.168.2.0) then I would do this to disable internet access to all LAN interfaces?
/ip firewall filter
add chain=forward in-interface=LAN out-interface=WAN time=0h-6h,sun,mon,tue,wed,thu,fri,sat action=drop
It’s hard to say from just your description. Probably. Post the output of “/interface vlan print detail” and “/interface ethernet print detail”. Your description of how master/slave ports and VLAN interfaces are related is a little confusing.
Ok, I will do that when I get home from work later today and get back to you, thanks.
Just add that kind of rule for every physical interface that a slave or VLAN interface you want to restrict is tied to, really.
Thanks, I will give it a try tonight.
[admin@MikroTik] > /interface vlan print detail
Flags: X - disabled, R - running, S - slave
[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx
gateway-status=xx.xx.xx.xx reachable WAN distance=1 scope=30
target-scope=10
1 ADC dst-address=xx.xx.xx.xx/24 pref-src=xx.xx.xx.xx gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=LAN
gateway-status=LAN reachable distance=0 scope=10
3 ADC dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=Guest
gateway-status=Guest reachable distance=0 scope=10
[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="LAN" type="ether" mtu=1500 l2mtu=1524
1 R name="LAN2" type="ether" mtu=1500 l2mtu=1524
2 R name="Guest" type="ether" mtu=1500 l2mtu=1524
3 name="LAN3" type="ether" mtu=1500 l2mtu=1524
4 R name="WAN" type="ether" mtu=1500 l2mtu=1524
[admin@MikroTik] > ip firewall export
sep/06/2011 18:29:10 by RouterOS 4.11
software id = RS3H-VQJJ
/ip firewall address-list
add address=10.0.0.0/16 comment="" disabled=no list=admin-access
add address=192.168.1.0/24 comment="" disabled=no list=admin-access
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=20s tcp-close-timeout=20s
tcp-close-wait-timeout=20s tcp-established-timeout=1d
tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s
tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s tcp-syncookie=no
tcp-time-wait-timeout=20s udp-stream-timeout=3m udp-timeout=20s
/ip firewall filter
add action=accept chain=input comment="" disabled=no src-address-list=
admin-access
add action=drop chain=input comment="" disabled=no dst-port=
21,22,23,80,443,8291 protocol=tcp
add action=drop chain=forward comment="" disabled=no in-interface=LAN
out-interface=WAN time=0s-6h,sun,mon,tue,wed,thu,fri,sat
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT rule" disabled=no
out-interface=WAN time=0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=dst-nat chain=dstnat comment=WHS disabled=yes dst-address=
xx.xx.xx.xx dst-port=80 protocol=tcp to-addresses=192.168.1.182
to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
xx.xx.xx.xx dst-port=443 protocol=tcp to-addresses=192.168.1.182
to-ports=443
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389
in-interface=WAN protocol=tcp to-addresses=192.168.1.182 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
xx.xx.xx.xx dst-port=4125 protocol=tcp to-addresses=192.168.1.182
to-ports=4125
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8169
in-interface=WAN protocol=tcp to-addresses=192.168.1.182 to-ports=8169
add action=dst-nat chain=dstnat comment="Source DS" disabled=yes dst-port=
27015 in-interface=WAN protocol=tcp to-addresses=192.168.1.197
to-ports=27015
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27015
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27015
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27016
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27016
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27017
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27017
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27018
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27018
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27019
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27019
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=27020
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=27020
add action=dst-nat chain=dstnat comment="Killing floor" disabled=yes
dst-port=7707 in-interface=WAN protocol=udp to-addresses=192.168.1.197
to-ports=7707
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=7708
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=7708
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=7717
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=7717
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=28852
in-interface=WAN protocol=tcp to-addresses=192.168.1.197 to-ports=28852
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=8075
in-interface=WAN protocol=tcp to-addresses=192.168.1.197 to-ports=8075
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=20560
in-interface=WAN protocol=udp to-addresses=192.168.1.197 to-ports=20560
add action=dst-nat chain=dstnat comment="Mac Plex" disabled=no dst-port=
32400 in-interface=WAN protocol=tcp to-addresses=192.168.1.110
to-ports=32400
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=32400
in-interface=WAN protocol=udp to-addresses=192.168.1.110 to-ports=32400
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >
Ah, you were talking about VLANs but there aren’t any.
You may have to duplicate that rule, and set the in-interface to ‘guest’ for the copy of the rule.
Yes, they are not true VLANs per se but I didn’t allow any physical routing between the Guest port and the rest of the ports so it works the same. I will duplicate the rule for each interface, thanks.
I know this might seem like nitpicking, but it’s really not the same at all.
A VLAN is a broadcast domain consisting of layer 2 frames with a consistent header tag that complies with the IEEE 802.1Q specification. What you have are two routed ports.
I also don’t see anything in your configuration whatsoever that would block routing between the LAN and the guest port. Those two networks have full access to one another on merit of both being directly connected networks, and there are no firewall rules dropping traffic between the two networks.
Ok, I was under the impression with the 450G that the ports could not see each other unless you enabled routing between them? Am I mistaken? That is why I said that LAN was the master port and LAN 2 and LAN 3 were slaves to that port (I enabled routing between them via the master port option).
I just did a little experiment. I have two wireless access points (let’s call them L & G), the one on the LAN interface (L = 192.168.1.11) and one on Guest interface (G = 192.168.2.2). When I connect wireless to my LAN interface I can connect to my L router configuration page but not my G router page and when I am connected to my Guest interface I can connect to my G router page and not my L router page by typing in the IPs. If these two ports are not hidden from one another then how would I go about seeing the router on the opposite port? (I am actually curious since this would make life a bit easier for me). Thanks
Ports are routed by default. Enabling a master port actually turns off routing, and puts the slaves into the same broadcast domain as the master, meaning they’re switched instead of routed.
There is nothing in the router settings that would keep devices from the LAN network from being routed to the guest network as long as they use the router as a default gateway. They’d still be able to talk on the same subnet without a default gateway, though. Do the APs have default gateways?
To keep the LAN and guest network from talking you’d need firewall rules like these:
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=drop
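As an added example (not from this thread and not RouterOS code), here is a small Python model of how the forward chain evaluates the rules discussed above: the scheduled LAN->WAN drop from the export, the Guest copy of it that was suggested, and the two LAN<->Guest isolation rules. It parses the RouterOS `time=0s-6h,sun,...` spec, walks the chain first-match with the default accept, and runs constructed packets through it so you can see which traffic is dropped at 03:00 versus 07:30. Interface names (LAN, Guest, WAN) and subnets are taken from the export in this thread; the packets and the half-open treatment of the time window are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple
import re

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def parse_duration(value: str) -> int:
    """RouterOS time value such as '0s', '6h' or '23h59m59s' -> seconds after midnight."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", value)
    if not value or m is None:
        raise ValueError(f"bad RouterOS time value: {value!r}")
    hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_time_spec(spec: str) -> Tuple[int, int, Set[str]]:
    """'0s-6h,sun,mon,...' -> (start_seconds, end_seconds, {days})."""
    window, *days = spec.split(",")
    start, end = window.split("-")
    return parse_duration(start), parse_duration(end), set(days)


@dataclass
class Rule:
    chain: str
    action: str
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    time: Optional[str] = None


@dataclass
class Packet:
    in_interface: str
    out_interface: str
    src: str
    dst: str
    when: datetime


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must match; unset matchers match anything."""
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.out_interface is not None and rule.out_interface != pkt.out_interface:
        return False
    if rule.src_address is not None and ip_address(pkt.src) not in ip_network(rule.src_address, strict=False):
        return False
    if rule.dst_address is not None and ip_address(pkt.dst) not in ip_network(rule.dst_address, strict=False):
        return False
    if rule.time is not None:
        start, end, days = parse_time_spec(rule.time)
        secs = pkt.when.hour * 3600 + pkt.when.minute * 60 + pkt.when.second
        # Window modelled as half-open [start, end): an assumption of this model,
        # not a documented RouterOS guarantee.
        if DAYS[pkt.when.weekday()] not in days or not (start <= secs < end):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, chain: str = "forward") -> str:
    """First matching rule in the chain decides; with no match RouterOS accepts."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.action
    return "accept"


ALL_DAYS = "sun,mon,tue,wed,thu,fri,sat"

# The thread's rules: the nightly LAN->WAN drop, the Guest copy that the reply
# suggested, and the two LAN<->Guest isolation rules.
RULES = [
    Rule("forward", "drop", in_interface="LAN", out_interface="WAN", time=f"0s-6h,{ALL_DAYS}"),
    Rule("forward", "drop", in_interface="Guest", out_interface="WAN", time=f"0s-6h,{ALL_DAYS}"),
    Rule("forward", "drop", src_address="192.168.1.0/24", dst_address="192.168.2.0/24"),
    Rule("forward", "drop", src_address="192.168.2.0/24", dst_address="192.168.1.0/24"),
]


def sample_packets() -> Dict[str, Packet]:
    """Constructed traffic; 203.0.113.10 is a documentation address standing in for the internet."""
    night = datetime(2011, 9, 6, 3, 0, 0)   # Tuesday 03:00, inside the window
    day = datetime(2011, 9, 6, 7, 30, 0)    # Tuesday 07:30, outside it
    return {
        "lan->wan night": Packet("LAN", "WAN", "192.168.1.50", "203.0.113.10", night),
        "lan->wan day": Packet("LAN", "WAN", "192.168.1.50", "203.0.113.10", day),
        "guest->wan night": Packet("Guest", "WAN", "192.168.2.20", "203.0.113.10", night),
        "guest->lan day": Packet("Guest", "LAN", "192.168.2.20", "192.168.1.11", day),
        "lan->guest day": Packet("LAN", "Guest", "192.168.1.11", "192.168.2.2", day),
    }


def verdicts(rules: List[Rule] = RULES) -> Dict[str, str]:
    """Verdict of the forward chain for each constructed packet."""
    return {name: evaluate(rules, pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18} {verdict}")
    # Without the Guest copy of the schedule rule, guest clients keep internet at night.
    print("guest->wan night, no Guest copy:", verdicts(RULES[:1] + RULES[2:])["guest->wan night"])
```

The model is per-packet and stateless, which is also how a filter rule behaves on the router: every forwarded packet is checked against the drop rule, so existing downloads stop at midnight too. A srcnat rule, by contrast, is only consulted for the first packet of a connection; once the connection is in the tracking table its NAT binding is reused, which is why disabling the masquerade rule on a schedule still let already-open connections pass. Dropping the Guest copy of the schedule rule (the last line of the script) shows the other gap the thread points out: the LAN-only rule does nothing for traffic entering on the Guest port. None of these rules touch the input chain, so access to the router itself is still governed by the admin-access rules in the export.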
Ok, thanks for the help. I will add those rules to ensure my guest network cannot gain access to my LAN network. Thanks for all your help!