Turn off internet at night whitelist vs Kid Control

RB3011, I’m trying to turn off the internet at night for all devices with dynamic IP. I tried kid control but you have to list every device which is very painful. I’m thinking of just turning off the internet at night for everything that’s in the DHCP server IP range with a firewall rule. Everything that needs to stay on has a static IP (WAP, ATA, TV, etc).

So assuming clients get a dynamic IP in this range:

/ip pool
add name=dhcp ranges=10.1.8.128-10.1.8.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w name=DHCP-Home
/ip address
add address=10.1.8.1/24 comment=defconf interface=bridge network=10.1.8.0
/ip dhcp-server config
set store-leases-disk=12h
/ip dhcp-server lease
add address=10.1.8.2 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.3 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.4 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.6 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.8 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.9 mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-server network
add address=10.1.8.0/24 comment=defconf gateway=10.1.8.1 netmask=24

Would it be as easy as blocking the firewall like so:

/ip firewall filter
add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!10.1.8.0/26 time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

Use an object-oriented approach.
That means listing the kids' devices once and making them static.
Create an address list.
Apply firewall rules.
Done.

I’m still looking to just turn off the internet for everyone that’s not in the static list. This includes my laptop, kids' devices, my neighbour being on my wifi. Just peace and quiet. The only devices I care about being on are in this list:

/ip dhcp-server lease
add address=10.1.8.2 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.3 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.4 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.6 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.8 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.9 mac-address=XX:XX:XX:XX:XX:XX

I don't want to list out the 40 devices that should turn off and keep adding to that list.

The only devices I care about being on are in this list

Create an address list with these addresses and with the help of firewall time parameter block everyone except that list…

Concur with zach: use the same object-oriented approach to create a list of static devices you wish to allow, and block the rest.

So it sounds like the same firewall rule except using a list:

add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!staticIPList time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

vs just blanket address:

add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!10.1.8.0/26 time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

src-address-list not src-address
It looks fine…
You could as well create a list with the rest of the addresses in case you do not like the ! (not)

Right you are. Caught my copy and paste sloppiness.

Can you help me understand how the list is better than using the src-address approach? It seems to me like the end result is the same, however it forces me to keep a list in parallel.

The end result will be the same in either case… so no worries…

If you do it by defined interfaces, interface list member usage makes sense.
If you have two or more users from different subnets or within a subnet you wish to identify, SOURCE-ADDRESS-LIST (Firewall) makes sense.
If you can identify subnets that are not already interfaces you can use source-address as you have done.

After using object-oriented setups on Zyxel routers I see the efficiency in the long haul and thus prefer to not work with individual firewall rules if necessary.
For one reason, monkeying with rules is more dangerous, and if I have a good rule, I don't want to touch it.
To change users or access I simply modify the list and the rule stays intact.

Thanks for your help!
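
The address-list approach discussed above, as an added example that is not part of the original thread: it builds the list from the static DHCP leases, so no second list has to be maintained by hand. The list name staticIPList, ether1 and the 2h-6h window come from the thread; the comment strings are made up, and it assumes every device that must stay online has a static lease.

```routeros
# Added example, not from the original posts.
# Assumption: every device that must stay online has a static DHCP lease.

# Drop the old list contents so removed leases do not linger in the list.
/ip firewall address-list remove [find list=staticIPList]

# Copy the address of every static (non-dynamic) lease into the list.
:foreach l in=[/ip dhcp-server lease find dynamic=no] do={
    /ip firewall address-list add list=staticIPList \
        address=[/ip dhcp-server lease get $l address] \
        comment="from static lease"
}

# Reject forwarded traffic to the WAN from any source that is NOT in the
# list, every day between 02:00 and 06:00. Note src-address-list, not
# src-address: src-address only accepts an address or subnet.
/ip firewall filter
add action=reject chain=forward out-interface=ether1 \
    reject-with=icmp-network-unreachable \
    src-address-list=!staticIPList \
    time=2h-6h,sun,mon,tue,wed,thu,fri,sat \
    comment="night curfew for non-static clients"
```

Re-run the list-building part after adding or removing a static lease. The filter rule is appended to the end of the forward chain, so if an earlier rule accepts or fasttracks established connections, sessions already open at 02:00 will keep flowing until the rule is moved above it.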