hillelana
just joined
Topic Author
Posts: 17
Joined: Mon Mar 05, 2018 12:58 am

Block internet from all but one user

Mon Jul 12, 2021 2:41 am

I set a firewall rule to block internet access past midnight so we can get to sleep and not be sucked into watching youtube way past our bedtimes.
My daughter needed to work late one night, so I put her address in the source box, with a ! in the box to the left. She still got blocked at midnight. What did I do wrong?
I attached a screenshot of the firewall rule.
 
himala002
just joined
Posts: 12
Joined: Fri Jun 25, 2021 10:16 am

Re: Block internet from all but one user

Mon Jul 12, 2021 6:09 am

try this one..
chain = forward, action = accept, src address = <her IP address>
 
hillelana
just joined
Topic Author
Posts: 17
Joined: Mon Mar 05, 2018 12:58 am

Re: Block internet from all but one user

Mon Jul 12, 2021 6:50 am

Thank you. I'll try that. I'm still curious why my way did not work.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Block internet from all but one user

Mon Jul 12, 2021 7:06 am

> Thank you. I'll try that. I'm still curious why my way did not work.
Is that address reserved for them? Did it pull a new address from DHCP before midnight?
What does the rest of the rule say? Might be some other matcher.
Use /export (or /ip firewall filter export) to get the exact config of the rule to post. You've given us only 1 single config option of the rule, so it's hard to say what it could have been.
 
hillelana
just joined
Topic Author
Posts: 17
Joined: Mon Mar 05, 2018 12:58 am

Re: Block internet from all but one user

Mon Jul 12, 2021 7:37 am

It's a static address on the laptop. Here's the export:
# jul/11/2021 21:35:19 by RouterOS 6.48.3
# software id = NQN0-H282
#
# model = 951Ui-2HnD
# serial number = 815508339205
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP (changed to drop ping for security)" protocol=icmp
# inactive time
add action=drop chain=forward comment="no internet midnight to 5" src-address=!192.168.1.46 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Nintendo DS" src-address=192.168.1.50
# inactive time
add action=drop chain=forward comment=xbox src-address=192.168.1.45 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=xbox src-address=192.168.1.48 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="green dell" src-address=192.168.1.51 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="green dell ethernet" src-address=192.168.1.254
# inactive time
add action=drop chain=forward comment="Nana's" src-address=192.168.1.57 time=22h30m-10h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="new Nana's" src-address=192.168.1.44 time=22h30m-10h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 in-interface-list=WAN
add action=drop chain=forward comment=TS disabled=yes src-address=192.168.1.49 time=23h30m-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Elana phone 116" disabled=yes src-address=192.168.1.116
add action=drop chain=forward comment=Sony disabled=yes src-address=192.168.1.63 time=22h15m-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="block amazon prime" dst-address=13.226.241.124
Thank you.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block internet from all but one user

Mon Jul 12, 2021 8:14 am

One thing to keep in mind: once a connection is fasttracked, it (mostly) bypasses any firewall filter and the drop rules won't break it. Only new connections won't be able to establish. If you want to break existing connections, then either disable fasttrack (not a very good idea from a performance point of view) or move (modified) drop rules to /ip firewall raw ...

BTW, time rules running over midnight might be problematic. It seems like they actually didn't work in some older ROS versions and might be slightly dubious. For example: if rule had time=23h-5h,sun ... when does it start and when does it end? To which time does the day apply, start time, end time or both? Is it active between 23 Sunday and 5h Monday (grand total of 6 hours)? Or is it active between 23h Sunday and 5h (next) Sunday (almost a week)? Or is it between 23h Saturday and 5h Sunday?
So you might want to change start time to 0h1m (4 minutes later than your current rule) which should make the rule less dubious.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Mon Jul 12, 2021 10:27 am

> What did I do wrong?
You have lost your self-control if you need a firewall rule to stop you from doing something.
Try to stop using the phone "just to go to the bathroom".
You gain in quality of life.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block internet from all but one user

Mon Jul 12, 2021 12:49 pm

@rextended: I think your last answer was un-needed. OP asked for help with a technical issue while you're telling him how to live his personal life (and that's none of the business of any forum member). It wasn't the first time your answers were way out of scope. If I were @hillelana, I'd report your post as offensive.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Mon Jul 12, 2021 1:11 pm

The OP is the first to give personal details of his (her?) life.
And I gave my point of view and advice on his problem.
Offenses are another thing.
Report it yourself instead of writing "If I were @hillelana, I'd report your post as offensive"
"If I were" is just a means of trying to condition another person.
You go offtopic more than me, and you force me to reply.
If you didn't write anything and reported me to the moderator, wasn't it better?

Do not think that this prejudices the opinion I have towards you, or that he does things "out of spite".
All as if you hadn't written anything.

If I were to have been offensive, I apologize, it was certainly not what I wanted to do.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet from all but one user

Mon Jul 12, 2021 2:32 pm

rextended is right in that MT is not a parent and should not be a substitute for parenting. Kid control = lazy parenting.
The op for a self-admitted adult addiction needs counselling and the kids need discipline. :-)
As noted, these are personal items brought up by the OP and the responses are out of concern to help :-)
Think of it as an added bonus provided by this site. Heck for all we know this was a cry for help!

Similarly, when someone comes here and states they need to block x,y,z cause of abuse by employers, the answer is not router settings,
it's a verbal warning, then a written warning and then FIRED!.............
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block internet from all but one user

Mon Jul 12, 2021 3:15 pm

So we have different attitude towards this forum. Personally I try to offer technical support for whatever poster asks and I'm generally not suggesting a completely different approach to solving the problem. Unless it's different approach but still technical by means of using (preferably MT) device. If OP came to ask how to solve his life challenge using ROS firewall, I don't think we're in position to suggest him to change life style.

You two seem to think differently.

And I didn't report post by @rextended because it was not me who might feel offended and it's not me to decide whether it is offensive towards OP or not. That's why I wrote "if I were" ...

Over & out.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Mon Jul 12, 2021 3:47 pm

@mkx thanks: I felt that you are a good person who tries to understand how others think.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet from all but one user

Mon Jul 12, 2021 4:42 pm

Opinions are free and the OP can discard or utilize whatever information/advice is provided. I respect your willingness to go to the ends of the earth regarding technical advice and to remain neutral and avoid the non-technical - ( aka you have better self-control than myself :-) )
 
hillelana
just joined
Topic Author
Posts: 17
Joined: Mon Mar 05, 2018 12:58 am

Re: Block internet from all but one user

Mon Jul 12, 2021 9:34 pm

I apologize for throwing in the joke that got us all distracted. Also, this doesn't show my bad parenting skills, because it was mainly not for my kids, but for my wife. (Oh, no! Another joke - maybe)
Meanwhile, despite fasttrack and being around midnight, the rule blocks connections quite fine. I'm just wondering why the ! 192.168.1.46 didn't let that laptop be an exception and get internet.
Thank you for your suggestions.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Mon Jul 12, 2021 9:56 pm

>read next post<
Last edited by rextended on Tue Jul 13, 2021 9:59 am, edited 4 times in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet from all but one user

Mon Jul 12, 2021 11:41 pm

Before you monkey with (leopard with) just fw rules, it's best to see the entire config as many items have relationships.
/export hide-sensitive file=anynameyouwish.
Last edited by anav on Mon Jul 12, 2021 11:42 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Mon Jul 12, 2021 11:56 pm

@anav obviously all the effort for duplicate post is only to notice to you that functionality, if you do not have already noticed.
 
nje431
Frequent Visitor
Posts: 95
Joined: Tue Sep 10, 2013 5:17 pm

Re: Block internet from all but one user

Tue Jul 13, 2021 12:59 am

For my 2 cents, what struck me is you are only allowing traffic outbound from your daughter's source IP. But I'm not seeing a rule allowing return traffic to get back to her.

I think what I would do, is a separate rule to accept her source IP, followed by the drop rule, but condition the drop rule to only apply to your internal IP range, i.e. 192.168.1.0/24
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Tue Jul 13, 2021 1:43 am

What is not dropped is accepted by default.
There is no rule to drop LAN traffic after the rule with "!IP" except specific IPs

and this rule drops all non-wanted (not natted, initiated) traffic from WAN, not LAN
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 in-interface-list=WAN
 
nje431
Frequent Visitor
Posts: 95
Joined: Tue Sep 10, 2013 5:17 pm

Re: Block internet from all but one user

Tue Jul 13, 2021 3:06 am

But the first rule is "don't forward anything that isn't source 192.168.1.46", before the rule you mentioned. And rule order matters......
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Block internet from all but one user

Tue Jul 13, 2021 7:13 am

/ip firewall filter
add action=drop chain=forward comment="no internet midnight to 5" src-address=!192.168.1.46 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat
As nje431 stated, this rule drops ALL forwards except from 192.168.1.46 when active. This would include all others from LAN and all from WAN.

@hillelana
You should consider using address-list. This would keep you from having to duplicate the firewall rules for each device and make any changes much simpler. It also helps reduce CPU usage.
/ip firewall filter
add action=drop chain=forward comment="no internet" src-address-list=no_access
add action=drop chain=forward comment="no internet 00:00 to 5:00" src-address-list=0000_to_0500 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="no internet 22:15 to 10:00" src-address-list=2215_to_1000 time=22h15m-10h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="no internet 22:30 to 10:00" src-address-list=2230_to_1000 time=22h30m-10h,sun,mon,tue,wed,thu,fri,sat

/ip firewall address-list
add address=192.168.1.46 list=0000_to_0500
add address=192.168.1.45 list=2215_to_1000
add address=192.168.1.48 list=2215_to_1000
add address=192.168.1.51 list=2215_to_1000
add address=192.168.1.57 list=2230_to_1000
add address=192.168.1.44 list=2230_to_1000
add address=192.168.1.50 list=no_access
add address=192.168.1.254 list=no_access
You can just disable an address-list entry (or firewall rule if you keep current setup) to allow temporary access.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet from all but one user

Tue Jul 13, 2021 9:58 am

> But the first rule is "don't forward anything that isn't source 192.168.1.46", before the rule you mentioned. And rule order matters......

> /ip firewall filter
> add action=drop chain=forward comment="no internet midnight to 5" src-address=!192.168.1.46 time=23h57m-5h,sun,mon,tue,wed,thu,fri,sat
> As nje431 stated, this rule drops ALL forwards except from 192.168.1.46 when active. This would include all others from LAN and all from WAN.

This is clear, which is why I wrote:
> There is no rule to drop LAN traffic after the rule with "!IP" except specific IPs


The OP can "fix" the rule simply by adding to it
in-interface-list=LAN


The address-list is great, but I suggest additionally using a static DHCP lease so the address list does not need to be updated continuously...
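
Why the posted rule cut off 192.168.1.46 as well, shown as an added example that is not part of any post in this thread: a small first-match model of the forward chain, comparing the rule as exported with the same rule limited by in-interface-list=LAN. It assumes the time window is active and reduces connection-state and in-interface-list to single values; the packets and the remote address 203.0.113.10 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class Rule:
    action: str                     # "accept" or "drop"
    src: Optional[str] = None       # src-address; a leading "!" negates the match
    in_iface: Optional[str] = None  # stands in for in-interface-list
    state: Optional[str] = None     # stands in for connection-state
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        if self.src is not None:
            negate = self.src.startswith("!")
            hit = ip_address(pkt["src"]) == ip_address(self.src.lstrip("!"))
            if hit == negate:       # plain match missed, or negated match hit
                return False
        if self.in_iface is not None and pkt["in"] != self.in_iface:
            return False
        if self.state is not None and pkt["state"] != self.state:
            return False
        return True


def verdict(rules, pkt):
    """First matching rule decides; a packet no rule matches is accepted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched"


ESTABLISHED = Rule("accept", state="established", comment="defconf: accept established,related")
# Rule as posted: no interface matcher, placed above the established accept.
ORIGINAL = [Rule("drop", src="!192.168.1.46", comment="no internet midnight to 5"), ESTABLISHED]
# Same rule limited to packets arriving from the LAN side.
FIXED = [Rule("drop", src="!192.168.1.46", in_iface="LAN", comment="no internet midnight to 5"), ESTABLISHED]

# Constructed packets (203.0.113.10 is a documentation address for a remote server).
OUTBOUND = {"src": "192.168.1.46", "in": "LAN", "state": "new"}
REPLY = {"src": "203.0.113.10", "in": "WAN", "state": "established"}
OTHER_LAN = {"src": "192.168.1.45", "in": "LAN", "state": "new"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("outbound", OUTBOUND), ("reply", REPLY), ("other LAN host", OTHER_LAN)):
            print(f"{name:8} {label:14} -> {verdict(rules, pkt)}")
```

With the rule as posted, the laptop's outbound packets pass but every reply is dropped because its source is the remote server, not 192.168.1.46; with the interface matcher the reply reaches the established accept while other LAN hosts stay blocked.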
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet from all but one user

Tue Jul 13, 2021 5:52 pm

Configuring firewall rules without seeing the complete config is a waste of my time........later.
