Turn off internet at night whitelist vs Kid Control

gazingbazooka · Thu Jul 02, 2020 5:35 pm

RB3011, I'm trying to turn off the internet at night for all devices with dynamic IP. I tried kid control but you have to list every device which is very painful. I'm thinking of just turning off the internet at night for everything that's in the DHCP server IP range with a firewall rule. Everything that needs to stay on has a static IP (WAP, ATA, TV, etc).

So assuming clients get a dynamic IP in this range:

/ip pool
add name=dhcp ranges=10.1.8.128-10.1.8.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w name=DHCP-Home
/ip address
add address=10.1.8.1/24 comment=defconf interface=bridge network=10.1.8.0
/ip dhcp-server config
set store-leases-disk=12h
/ip dhcp-server lease
add address=10.1.8.2 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.3 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.4 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.6 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.8 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.9 mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-server network
add address=10.1.8.0/24 comment=defconf gateway=10.1.8.1 netmask=24

Would it be as easy as blocking the firewall like so:

add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!10.1.8.0/26 time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

anav · Thu Jul 02, 2020 6:00 pm

use an object oriented approach.
Means listing the kids devices once and static them.
Create address list.
Apply firewall rules
done

gazingbazooka · Thu Jul 02, 2020 6:15 pm

I'm still looking to just turn off the internet for everyone that's not in the static list. This includes my laptop, kids devices, my neighbour being on my wifi. Just peace and quiet. The only devices I care about being on are in this list:

/ip dhcp-server lease
add address=10.1.8.2 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.3 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.4 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.6 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.8 mac-address=XX:XX:XX:XX:XX:XX
add address=10.1.8.9 mac-address=XX:XX:XX:XX:XX:XX

I dont want to list out the 40 devices that should turn off and keep adding to that list.

Zacharias · Thu Jul 02, 2020 6:19 pm

The only devices I care about being on are in this list

Create an address list with these addresses and with the help of firewall time parameter block everyone except that list...

anav · Thu Jul 02, 2020 6:55 pm

The only devices I care about being on are in this list
Create an address list with these addresses and with the help of firewall time parameter block everyone except that list...

Concur with zach use the same object oriented approach to create a list of static devices you wish to allow and block the rest

gazingbazooka · Thu Jul 02, 2020 7:50 pm

So it sounds like the same firewall rule except using a list:

add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!staticIPList time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

vs just blanket address:

add action=reject chain=forward out-interface=ether1 reject-with=icmp-network-unreachable src-address=!10.1.8.0/26 time=\
    2h-6h,sun,mon,tue,wed,thu,fri,sat

Zacharias · Thu Jul 02, 2020 7:58 pm

src-address-list not src-address...
It looks fine...
You could as well create a list with the rest of the addresses in case you do not like the ! (not)

gazingbazooka · Thu Jul 02, 2020 8:07 pm

Right you are. Caught my copy and paste sloppiness.

Can you help me understand how the list is better than using the src-address approach? It seems to me like the end result is the same, however it forces me to keep a list in parallel.

Zacharias · Thu Jul 02, 2020 8:08 pm

The end result will be the same in either case... so no worries...

anav · Thu Jul 02, 2020 8:24 pm

If you do it by defined interfaces interface list member usage makes sense.
If you have two or more users from different subnets or within a subnet you wish to identify, SOURCE-ADDRESS-LIST (Firewall) makes sense.
If you can identify subnets that are not already interfaces you can use source-address as you have done.

After using object oriented setups on zyxel routers I see the efficiency in the long haul and thus prefer to not work with individual firewall rules if necessary.
For one reason, monkeying with rules is more dangerous, and if I have a good rule, I dont want to touch it.
To change users or access I simply modify the list and rule stays intact.

gazingbazooka · Thu Jul 02, 2020 8:34 pm

Thank for your help!

Turn off internet at night whitelist vs Kid Control [SOLVED]

Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control

Re: Turn off internet at night whitelist vs Kid Control [SOLVED]

Re: Turn off internet at night whitelist vs Kid Control

Who is online