Wireless Access List - Times not working

I am trying to disable wireless access for 8 clients during certain times of the day. Times will be different on Weekdays versus Weekends so there are separate rules. I created the entries in the Access List with the appropriate times and days. I also made a copy of each one for each wireless interface, wlan2 (2ghz) and wlan5 (5ghz). This gave me a total of 32 entries in the Access List section.

The problem I’m having is none of the clients ever get disconnected when the specified time period elapses. In fact, they can even disconnect and reconnect after the time specified.

Here’s a sample of the 4 entries for one of the devices. Any help would be very much appreciated.

/interface wireless access-list
add comment="Weekdays: FireStick" interface=wlan2 mac-address=XX:XX:XX:XX:XX:XX time=6h-23h,sun,mon,tue,wed,thu vlan-mode=no-tag
add comment="Weekdays: FireStick" interface=wlan5 mac-address=XX:XX:XX:XX:XX:XX time=6h-23h,sun,mon,tue,wed,thu vlan-mode=no-tag
add comment="Weekend: FireStick" interface=wlan2 mac-address=XX:XX:XX:XX:XX:XX time=6h-1h,fri,sat vlan-mode=no-tag
add comment="Weekend: FireStick" interface=wlan5 mac-address=XX:XX:XX:XX:XX:XX time=6h-1h,fri,sat vlan-mode=no-tag

Like firewall rules, wireless access list rules are also matched top to bottom until the first match, and if none of them matches, the connection is accepted. So what you are missing are drop (authentication=no) rules for those MAC addresses after the permissive ones. If you don’t need to set specific handling (individual passphrase, particular VLAN, …) for them, and it’s just accept/reject, you can make a complement of the time intervals and use only the authentication=no rules.

So I added the “authentication=no” rules. I also figured out that I can just use “interface=any” instead of having separate rules for each one so I was able to delete 8 extra rules that are no longer needed.

Now I have a new problem. It seems the “time=6h-1h,fri,sat” rules are preventing access completely on Friday and Saturday. I’m guessing because it doesn’t understand that 06:00:00-01:00:00 goes into the next day.

I contemplated doing the opposite like you suggested and defining the times when authentication is NOT allowed but this creates a new problem where I need access denied from 23:00:00 to 06:00:00, which is again crossing into the next day.

The only solution I can think of is to change the first rule to run fri,sat only until 23:59:59 and another rule to cover sat,sun from 00:00:00-01:00:00.

The question is, would this cause a network interruption exactly at midnight?

No. There is no time instant between (1d,day(N)) and (0s,day(N+1)) which would match none of the two (disclaimer: I never had an opportunity to try this during the leap second - once in a blue moon, the 23:59 minute has 61 seconds rather than 60, to compensate for the totally irresponsible behaviour of the Earth).

This is actually how it is intended to work - it is impossible to span a single rule across midnight, so if you (as a theoretical example) want to permit (or deny) something only during the first hour after the “morning midnight” and during the last hour before the “evening midnight” on Wednesday, you need two rules:
time=0s-1h,Wed
time=23h-1d,Wed

For the two hours around the midnight from Wednesday to Thursday, you also need two rules:
time=23h-1d,Wed
time=0s-1h,Thu

The actual match condition is currentTime.timeOfDay >= rule.timeOfDay.first && currentTime.timeOfDay <= rule.timeOfDay.last && currentTime.dayOfWeek in rule.dayOfWeekList.

You may be used to other types of systems, where the output variable is set exactly at the time configured in one rule, and stays like that until a new setting is provided at the time configured in another rule. In such a system, you’d have “6h,Mon => X=on” in one rule, and “18h,Fri => X=off” in another one, to switch X on at Monday morning and to off at Friday evening.
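To make the first-match semantics and the no-midnight-crossing behaviour concrete, here is a small Python simulation of the access-list evaluation as described above; it is an added example, not RouterOS code or anything posted in the thread. The duration parser, the ISO-timestamp input and the inclusive bounds are assumptions taken from the quoted match condition, and the rule tables are constructed from the OP's entries with mac-address and interface omitted.

```python
from datetime import datetime

# Day names in datetime.weekday() order (Monday == 0), using RouterOS spellings.
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def parse_duration(text):
    """Convert a RouterOS-style duration ('6h', '23h59m59s', '1d', '0s') to seconds."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    total, digits = 0, ""
    for ch in text:
        if ch.isdigit():
            digits += ch
        else:
            total += int(digits) * units[ch]
            digits = ""
    return total

def parse_time(spec):
    """Split 'START-END,day,day,...' into (first_sec, last_sec, set_of_days)."""
    window, *days = spec.split(",")
    first, last = window.split("-")
    return parse_duration(first), parse_duration(last), set(days)

def rule_matches(rule, when_iso):
    """The match condition quoted in the thread: first <= timeOfDay <= last AND day in list.
    A rule without time= always matches (assumption). when_iso is an ISO 8601 timestamp."""
    if "time" not in rule:
        return True
    when = datetime.fromisoformat(when_iso)
    first, last, days = parse_time(rule["time"])
    time_of_day = when.hour * 3600 + when.minute * 60 + when.second
    return first <= time_of_day <= last and DAYS[when.weekday()] in days

def client_allowed(rules, when_iso):
    """Top-to-bottom first match; if nothing matches, the client is accepted."""
    for rule in rules:
        if rule_matches(rule, when_iso):
            return rule.get("authentication", "yes") == "yes"
    return True

# Constructed rule tables modelled on the entries in the thread.
BROKEN = [
    {"time": "6h-1h,fri,sat"},          # tries to cross midnight: first > last, never matches
    {"authentication": "no"},            # catch-all drop
]
SPLIT_AT_MIDNIGHT = [
    {"time": "6h-23h59m59s,fri,sat"},   # Fri/Sat from 06:00 to the last second of the day
    {"time": "0s-1h,sat,sun"},          # first hour of the following day
    {"time": "6h-23h,sun,mon,tue,wed,thu"},
    {"authentication": "no"},
]
```

Evaluating BROKEN at Friday noon returns False (the midnight-crossing rule never matches, so the catch-all drops the client all day, reproducing the symptom above), while SPLIT_AT_MIDNIGHT returns True at Fri 23:59:59 and again at Sat 00:00:00, with no gap in between.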

I am still unable to disconnect a client at a specified time. Here’s what I have tried:

Allowed time list with a set of authenticate=no rules at the bottom like this:

add authentication=no comment="Manual-BLOCK: Kids-FireStick" disabled=yes interface=wlan2 mac-address=01:23:45:67:89:AB vlan-mode=no-tag
add authentication=no comment="Manual-BLOCK: Kids-FireStick" disabled=yes interface=wlan5 mac-address=01:23:45:67:89:AB vlan-mode=no-tag
add comment="Weekend: Kids-FireStick" interface=wlan2 mac-address=01:23:45:67:89:AB time=6h-23h59m59s,fri,sat vlan-mode=no-tag
add comment="Weekend: Kids-FireStick" interface=wlan2 mac-address=01:23:45:67:89:AB time=0s-1h,sat,sun vlan-mode=no-tag
add comment="Weekdays: Kids-FireStick" interface=wlan2 mac-address=01:23:45:67:89:AB time=6h-23h,sun,mon,tue,wed,thu vlan-mode=no-tag
add comment="Weekend: Kids-FireStick" interface=wlan5 mac-address=01:23:45:67:89:AB time=6h-23h59m59s,fri,sat vlan-mode=no-tag
add comment="Weekend: Kids-FireStick" interface=wlan5 mac-address=01:23:45:67:89:AB time=0s-1h,sat,sun vlan-mode=no-tag
add comment="Weekdays: Kids-FireStick" interface=wlan5 mac-address=01:23:45:67:89:AB time=6h-23h,sun,mon,tue,wed,thu vlan-mode=no-tag
add authentication=no comment="NoTime-BLOCK: Kids-FireStick" interface=wlan5 mac-address=01:23:45:67:89:AB vlan-mode=no-tag
add authentication=no comment="NoTime-BLOCK: Kids-FireStick" interface=wlan2 mac-address=01:23:45:67:89:AB vlan-mode=no-tag

Not-Allowed time list, which should not need the additional rules at the bottom:

add authentication=no comment="Manual-BLOCK: Kids-FireStick" disabled=yes interface=wlan-2g mac-address=01:23:45:67:89:AB vlan-mode=no-tag
add authentication=no comment="Manual-BLOCK: Kids-FireStick" disabled=yes interface=wlan-5g mac-address=01:23:45:67:89:AB vlan-mode=no-tag
add authentication=no comment="Weekend: Kids-FireStick" interface=wlan-2g mac-address=01:23:45:67:89:AB time=1h-6h,sat,sun vlan-mode=no-tag
add authentication=no comment="Weekdays: Kids-FireStick" interface=wlan-2g mac-address=01:23:45:67:89:AB time=23h-23h59m59s,sun,mon,tue,wed,thu vlan-mode=no-tag
add authentication=no comment="Weekdays: Kids-FireStick" interface=wlan-2g mac-address=01:23:45:67:89:AB time=0s-6h,mon,tue,wed,thu,fri vlan-mode=no-tag
add authentication=no comment="Weekend: Kids-FireStick" interface=wlan-5g mac-address=01:23:45:67:89:AB time=1h-6h,sat,sun vlan-mode=no-tag
add authentication=no comment="Weekdays: Kids-FireStick" interface=wlan-5g mac-address=01:23:45:67:89:AB time=23h-23h59m59s,sun,mon,tue,wed,thu vlan-mode=no-tag
add authentication=no comment="Weekdays: Kids-FireStick" interface=wlan-5g mac-address=01:23:45:67:89:AB time=0s-6h,mon,tue,wed,thu,fri vlan-mode=no-tag

Note the extra rules at the top which I use to manually disconnect the client from the AP. This works instantly.

Are existing wireless registrations affected by the Access List or do they only apply to new attempts to connect?

Based on the client being disconnected when I manually enable a block rule, and not at any time specified in any of the other rules, it seems that the rules are only re-evaluated when something changes.