blue0o0
just joined
Topic Author
Posts: 2
Joined: Thu Jan 16, 2020 1:56 pm

How to automatically disable firewall filter rules when some devices come to on-line  [SOLVED]

Sun Jun 06, 2021 6:11 pm

I have created some firewall filter rules to block some devices (my child's cellphone and IPTV box) from accessing the internet.
I don't want to use a time-based rule or kid-control rule, because it's not easy to define a satisfactory timetable.
I think maybe this can be done by a more flexible method, for example using a script.
My goal is:
When I or my wife are at home and our cellphones are connected to the router, the router automatically disables the kid control firewall rules.
When my wife and I both leave home, the router automatically enables the kid control firewall rules.

Can anyone help me? Thanks in advance!!!
 
blue0o0
just joined
Topic Author
Posts: 2
Joined: Thu Jan 16, 2020 1:56 pm

Re: How to automatically disable firewall filter rules when some devices come to on-line

Sat Jun 19, 2021 9:42 am

Finally, I found the solution, and it worked perfectly. Here is the CLI config:
#1. Define kid control firewall rules, to block IPTV box, child's cellphone and home PC out of internet connectivity
/ip firewall filter
add action=drop chain=forward comment="Block IPTV Box" src-mac-address=IP:TV:XX:XX:XX:XX time=8h-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block my child's cellphone" disabled=yes src-mac-address=KI:DX:XX:XX:XX:XX time=8h-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block home PC-LAN" src-mac-address=PC:LA:NX:XX:XX:XX time=8h-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block home PC-WLAN" src-mac-address=PC:WL:AN:XX:XX:XX time=8h-1d,sun,mon,tue,wed,thu,fri,sat

#2. Define auto kid control script.
#Note: DA:DX:XX:XX:XX:XX is dad's cellphone mac address, MO:MX:XX:XX:XX:XX is mom's cellphone mac address.
/system script
add dont-require-permissions=no name=autokidctrl owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#Define Macro phonemac1\r\
    \n:local phonemac1\r\
    \n#Define Macro phonemac2\r\
    \n:local phonemac2\r\
    \n#Find MAC address of cellphone1 in dhcp-server lease table, if found set phonemac1=DA:DX:XX:XX:XX:XX, else set phonemac1=false\r\
    \n:do { :set phonemac1 [/ip dhcp-server lease get [/ip dhcp-server lease find mac-address=\"DA:DX:XX:XX:XX:XX\" ] mac-address ] } on-error={:set phonemac1 \"f\
    alse\"}\r\
    \n#Find MAC address of cellphone2 in dhcp-server lease table, if found set phonemac2=MO:MX:XX:XX:XX:XX, else set phonemac2=false\r\
    \n:do { :set phonemac2 [/ip dhcp-server lease get [/ip dhcp-server lease find mac-address=\"MO:MX:XX:XX:XX:XX\" ] mac-address ] } on-error={:set phonemac2 \"f\
    alse\"}\r\
    \n#If phonemac1=DA:DX:XX:XX:XX:XX or phonemac2=MO:MX:XX:XX:XX:XX, then disable kid control firewall rules\r\
    \n:if ( \$phonemac1=\"DA:DX:XX:XX:XX:XX\" || \$phonemac2=\"MO:MX:XX:XX:XX:XX\" ) do={\r\
    \n#Disable IPTV box internet blocking rule.\r\
    \n/ip firewall filter disable [ /ip firewall filter find src-mac-address=\"IP:TV:XX:XX:XX:XX\" ]\r\
    \n#Disable my child's cellphone internet blocking rule.\r\
    \n#/ip firewall filter disable [ /ip firewall filter find src-mac-address=\"KI:DX:XX:XX:XX:XX\" ]\r\
    \n#Disable home PC-LAN internet blocking rule.\r\
    \n/ip firewall filter disable [ /ip firewall filter find src-mac-address=\"PC:LA:NX:XX:XX:XX\" ]\r\
    \n#Disable home PC-WLAN internet blocking rule.\r\
    \n/ip firewall filter disable [ /ip firewall filter find src-mac-address=\"PC:WL:AN:XX:XX:XX\" ]\r\
    \n#Else if both phonemac1 and phonemac2 value are false, then enable kid control firewall rules\r\
    \n}  else={\r\
    \n#Enable IPTV box internet blocking rule.\r\
    \n/ip firewall filter enable [ /ip firewall filter find src-mac-address=\"IP:TV:XX:XX:XX:XX\" ]\r\
    \n#Enable my child's cellphone internet blocking rule.\r\
    \n#/ip firewall filter enable [ /ip firewall filter find src-mac-address=\"KI:DX:XX:XX:XX:XX\" ]\r\
    \n#Enable home PC-LAN internet blocking rule.\r\
    \n/ip firewall filter enable [ /ip firewall filter find src-mac-address=\"PC:LA:NX:XX:XX:XX\" ]\r\
    \n#Enable home PC-WLAN internet blocking rule.\r\
    \n/ip firewall filter enable [ /ip firewall filter find src-mac-address=\"PC:WL:AN:XX:XX:XX\" ]\r\
    \n}"

#3. Define a scheduler to run auto kid control script.
/system scheduler
add interval=10m name=schedule1 on-event="/system script run autokidctrl" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
    jun/01/2021 start-time=00:00:00
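
A least-privilege variant of the script and scheduler above, as an added example that is not part of the original post: it grants only the read and write policies (assumed here to be sufficient for these commands) and counts a parent as present only while the DHCP lease is bound. The name autokidctrl-lp and the variable names are hypothetical; the MAC addresses are the placeholders from the post.

```routeros
# Added example: same logic as autokidctrl, without the ftp, reboot, password,
# sniff, sensitive and romon policies the toggle never uses.
# Assumption: read and write are enough for lease lookups and rule toggling.
/system script
add name=autokidctrl-lp dont-require-permissions=no policy=read,write source={
    # Phones of the two parents (placeholders from the post)
    :local parents {"DA:DX:XX:XX:XX:XX";"MO:MX:XX:XX:XX:XX"}
    # Devices whose drop rules are toggled. The rule for the cellphone of the
    # child is left out, as in the original script where it is commented out.
    :local blocked {"IP:TV:XX:XX:XX:XX";"PC:LA:NX:XX:XX:XX";"PC:WL:AN:XX:XX:XX"}
    :local parentHome false
    # Only a bound lease counts. A static lease for an absent phone, or a
    # lease in any other state, does not mark the parent as present.
    :foreach p in=$parents do={
        :if ([:len [/ip dhcp-server lease find where mac-address=$p status=bound]] > 0) do={
            :set parentHome true
        }
    }
    # Match on chain and action as well, so an unrelated rule that happens
    # to use the same source MAC is not switched on or off by accident.
    :foreach b in=$blocked do={
        :if ($parentHome) do={
            /ip firewall filter disable [find where chain=forward action=drop src-mac-address=$b]
        } else={
            /ip firewall filter enable [find where chain=forward action=drop src-mac-address=$b]
        }
    }
}

# The scheduler carries the same reduced policy set as the script it runs.
/system scheduler
add name=autokidctrl-lp interval=10m policy=read,write on-event="/system script run autokidctrl-lp"
```

Presence detected this way lags by up to the DHCP lease time plus the 10-minute interval, and a MAC address is not an authenticated identity: any device that presents a parent's MAC obtains a bound lease and lifts the rules.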
 
rextended
Forum Guru
Posts: 4781
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to automatically disable firewall filter rules when some devices come to on-line

Sun Jun 20, 2021 2:02 am

How cruel you are, in the eyes of your children you will pass only as a dictator, when you are old they will remember it and pay you back with the same coin...
If your child is old enough to be alone, teach him about responsibility and trust instead of teaching him about tyranny.
 
anav
Forum Guru
Posts: 7826
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to automatically disable firewall filter rules when some devices come to on-line

Sun Jun 20, 2021 2:18 am

The children will simply go to the friend's house to watch TV and get on social media...
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
rextended
Forum Guru
Posts: 4781
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to automatically disable firewall filter rules when some devices come to on-line

Sun Jun 20, 2021 2:24 am

Right,
and I wrote that for direct experience, with no frills...
The child is almost traumatized, "Why not me and my friends can do it instead"?
I saw him with my cousin's son, he lives above my house, and they've been arguing about it for years...
And now that he's grown up he's a constant rebuke of how he treated him as a child ...
 
anav
Forum Guru
Posts: 7826
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to automatically disable firewall filter rules when some devices come to on-line

Sun Jun 20, 2021 3:24 pm

Give your child too much free time and they will fill it. Best to put them into soccer/futbol, swimming, dance, robotics, music, anything to keep them off screens LOL.
 
WeWiNet
Long time Member
Posts: 547
Joined: Thu Sep 27, 2018 4:11 pm

Re: How to automatically disable firewall filter rules when some devices come to on-line

Mon Jun 21, 2021 11:41 am

"Finally, I found the solution, and it worked perfectly. Here is the CLI config:"
That is the worst solution I have ever seen on this forum ;-) !!!

You just re-invented IP --> "kid-control"... congratulations.
WeWiNet

MTCNA
I like a new challenge, I migrate to ROS7... :? no way, finally I stay with 6.48! I am NOT crazy :lol: !!!
 
emizuno
just joined
Posts: 2
Joined: Mon May 31, 2021 12:08 pm

Re: How to automatically disable firewall filter rules when some devices come to on-line

Fri Jul 23, 2021 7:11 am

Honestly, it's exactly because of your method. Why do my kids never touch the internet and TV when I don't need control at all?
