ixirion
just joined
Topic Author
Posts: 13
Joined: Sat Dec 08, 2018 10:11 am

Access control inside and outside of the NAT

Wed Dec 12, 2018 1:23 pm

Hi!

I want to restrict the devices on my network so they can access the internet only in certain times of the day. I've done this successfully in the most common use case - a simple PC behind the NAT.

I have 2 questions:

1. Can I do the same for communications within the network? I have a NAS server and I want to restrict the usage of it from, let's say, 3PM to 5PM.

2. I have IPTV set via a bridge between eth1 (WAN) and eth5 (STB), so it doesn't pass through the NAT at all. Can I restrict the access to this from 3PM to 5PM as well?
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 1:29 pm

Yes with IP->firewall rules that allow access only at specific times.
You define what you allow (LAN-LAN) or LAN-WAN etc. (via input and output interface or IP range or list etc.).
In the rules extra tab (if I recall) select the times you want this rule to apply.

If you want to restrict those rules to specific users/IPs you can use in addition "address list" in the second tab.
There are many more ways to do/tune it, once you play a bit with it you can achieve almost whatever you want.
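An added example of the time-limited LAN rule described above (not from the thread): a PC on the LAN bridge is denied access to the NAS between 15:00 and 17:00. Addresses are constructed (NAS 192.168.88.5, restricted PC 192.168.88.10); the key point is that hosts on the same bridge are switched at layer 2 and never reach /ip firewall unless the bridge is told to pass its traffic through it.

```routeros
# Added example (not from the thread). Constructed addresses:
#   NAS = 192.168.88.5, restricted PC = 192.168.88.10
# Without this setting, LAN-to-LAN traffic on one bridge is switched in
# layer 2 and the forward chain below never sees it.
/interface bridge settings
set use-ip-firewall=yes

# Keep the restricted hosts in a list so the rule itself never changes.
/ip firewall address-list
add list=restricted-hosts address=192.168.88.10 \
    comment="PC that may not use the NAS between 15:00 and 17:00"

# Place this rule ABOVE the usual "accept established,related" rule:
# otherwise a session already open at 15:00 keeps working until it closes.
/ip firewall filter
add chain=forward src-address-list=restricted-hosts dst-address=192.168.88.5 \
    time=15h-17h,sun,mon,tue,wed,thu,fri,sat \
    action=drop log=yes log-prefix="nas-block" \
    comment="deny NAS access 15:00-17:00 (log drops to see what broke)"
```

On a device with a switch chip, check `/interface bridge port print` afterwards: ports still flagged for hardware offload may forward in the switch chip and bypass this rule.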
 
ixirion
just joined
Topic Author
Posts: 13
Joined: Sat Dec 08, 2018 10:11 am

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 1:30 pm

Yes, but the STB device outside of the NAT doesn't have an IP address. Can I block it via MAC?

PS: Found the "Use IP Firewall" for the IPTV bridge. Now the IPTV doesn't work. I'm guessing I have to allow it. How do I allow it ? It is located on eth5.
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 2:16 pm

Have you looked at Kid Control?

https://wiki.mikrotik.com/wiki/Manual:Kid-control

PS: on computers you can change your MAC address if you like.
 
ixirion
just joined
Topic Author
Posts: 13
Joined: Sat Dec 08, 2018 10:11 am

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 2:25 pm

I have the following:
default bridge: eth2,eth3,eth4
IPTV bridge: eth1 (WAN), eth5 (STB)

The STB is outside of the NAT so it doesn't have an IP, and the Kid Control feature requires an IP to function, I believe.

I enabled the firewall for the IPTV bridge, but now the TV doesn't work. I'm guessing I have to do something with either NAT or Firewall to allow it, and after I allow it I would know how to block it. :)

EDIT:
I disabled the firewall for the bridge and decided to use the Bridge Filters. This specific rule seems to do it:
Image
I can enable/disable it in specific time intervals, so this is good. However, the IPTV traffic keeps coming to eth1 all the time, since I've set it to just reject eth1 -> eth5 traffic. Any way to make this better? If I could control this via the Kid Control feature, it would be much better.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 6:42 pm

I am a bit lost about what you want to achieve from a topology point of view.
Your block rule does work (the counter increases). Now what you want is actually to accept that,
but only at the correct times you want this to work (correct?).

Basically, you do not allow and then block at specific times; you allow what you want and block (correctly speaking, "drop") all the rest.
(drop means the packet is gone, you can not recover it later)
- allow traffic that should always work (this might be several rules; make sure you really limit it to what you want. Rather use 3 precise rules than one "allow everything" rule).
- allow traffic with a rule at specific times to allow the restricted traffic (like your drop rule shown, but do accept and add the time you want this to work).
- drop!
Hint: enable logging of dropped packets. If a service does not work, you will quickly see from which IP and MAC address/port traffic was dropped. If needed add another rule allowing that traffic and see if the service works...

PS: we are talking about the forward chain only.
You should use the default rules, especially to protect your input chain, and remove ETH5 from the LAN interface list.
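An added example (not from the thread) of the allow / timed-allow / drop layout from the reply above, written as bridge filters for the IPTV bridge so it also answers the earlier "can I block it via MAC?" question. Assumed names: bridge "bridge-iptv" with ports ether1 (WAN) and ether5 (STB); the STB MAC 00:11:22:33:44:55 is a constructed value. Because the accept rules are toggled by the scheduler rather than by a time matcher, the 15:00-17:00 window is closed by disabling them.

```routeros
# Added example (not from the thread). Assumed: bridge "bridge-iptv",
# ether1 = WAN side, ether5 = STB; STB MAC 00:11:22:33:44:55 is constructed.
/interface bridge filter
# Allowed traffic: only the STB's own frames may leave towards the WAN.
# Matching the STB MAC here means a different device plugged into ether5
# is dropped (and logged) instead of getting the IPTV uplink.
add chain=forward in-bridge=bridge-iptv in-interface=ether5 out-interface=ether1 \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=accept comment="iptv-window"
# WAN -> STB is matched by interface only: IPTV streams arrive with
# multicast destination MACs, so a dst-mac match on the STB would break them.
add chain=forward in-bridge=bridge-iptv in-interface=ether1 out-interface=ether5 \
    action=accept comment="iptv-window"
# Everything else crossing this bridge is dropped and logged, so a broken
# service shows its MAC and port in /log instead of failing silently.
add chain=forward in-bridge=bridge-iptv action=drop log=yes log-prefix="iptv-drop"

# Close the window at 15:00 and reopen it at 17:00 every day by toggling
# the two accept rules; with them disabled only the logged drop remains.
/system scheduler
add name=iptv-close start-time=15:00:00 interval=1d \
    on-event="/interface bridge filter disable [find comment=\"iptv-window\"]"
add name=iptv-open start-time=17:00:00 interval=1d \
    on-event="/interface bridge filter enable [find comment=\"iptv-window\"]"
```

After adding the rules, confirm with `/interface bridge port print` that ether1 and ether5 are no longer hardware-offloaded, since offloaded ports forward in the switch chip and bypass bridge filters; the `iptv-drop` log lines are the check that the drop rule actually sees traffic.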
 
ixirion
just joined
Topic Author
Posts: 13
Joined: Sat Dec 08, 2018 10:11 am

Re: Access control inside and outside of the NAT

Wed Dec 12, 2018 8:36 pm

Basically, the set-top-box was originally connected via a switch (it can't work behind NAT). I wanted to remove the switch so I've created "sort of" switch via the bridge feature.

Here is the setup:
Image

That makes it hard to control though, since it is essentially not in the internal network, and all of my other devices are time restricted with the "Kid Control" feature. However, the bridge filter feature seems to work in restricting access to it according to certain rules. I would prefer to control it via "Kid Control" as well, but it's probably not possible.

Is there something inherently wrong/insecure about this setup? I don't understand this well enough to be sure that I'm not creating some sort of a hole in my network.
