Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Disable Internet at Certain hours !!

Tue Feb 24, 2015 1:44 pm

Hi Mikrotik Experts ;

I have a CCR1009-8G-1S-1S+ as my server plus 3 Unifi Ubiquiti APs, all connected to the router directly. I have been using this system for 4 months so far. I have an electricity timer to cut the power from the Server and the internet modems every day at 03:00 am and back on again at 06:00 am.

I had a script to shut down the server 2 mins earlier. Now I am facing lots of problems, and I also believe it's from the electricity outage of the Server and the internet modems every day for more than 100 days!

1) Do you think shutting down the equipment every day is good or bad for the devices?
2) Now I took the timer out just for testing. How can I disable the internet at 03:00 am and back on again at 06:00 am?
3) I believe I can do that using DHCP or Firewall "Mangle". Which one is better?
4) Is it possible to block it for everyone except the LAN connection devices?

Thanks in advance <3
 
BartoszP
Forum Guru
Posts: 1702
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Disable Internet at Certain hours !!

Tue Feb 24, 2015 3:49 pm

Real admins use real keyboards.
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Wed Feb 25, 2015 10:29 am

Thank you so much for this blog!

But I only found the command to be applied to one IP only
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
How can I make it for a range of IPs?

Also 1) Do you think shutting down the equipment every day is good or bad for the devices?
 
BartoszP
Forum Guru
Posts: 1702
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Disable Internet at Certain hours !!

Wed Feb 25, 2015 11:56 am

Look at this..it blocks flow from IP range to output interface. You could remove IP range to block all packets going to WAN.
add action=reject chain=forward comment="block 172.16.99.nnn" out-interface=ETH1-WAN src-address=172.16.99.0/24 time=0s-23h,sun,mon,tue,wed,thu,fri,sat

To switch off or not to switch off....?
No...I do not think it is necessary....IMHO it is not good as for electronic devices the process of switching on/off is the moment when most unstable power is....read it as: the time when the overvoltage/overcurrent could happen till it drops to the desired value.
Real admins use real keyboards.
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Wed Feb 25, 2015 12:11 pm

Thanks a lot for replying.. I am kind of new to mikrotik, I am not any good at writing commands !!

Exactly I need to block the IPs from 172.16.0.50 till 172.16.0.250 from 03.00 am till 06.00 am everyday except fri,sat .

So can you write the exact command for that?

Thanks in advance ;)
 
BartoszP
Forum Guru
Posts: 1702
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Disable Internet at Certain hours !!

Wed Feb 25, 2015 12:22 pm

Try to set it yourself... experience via practice... :-)
Use WinBox and you just need to make some clicks to have the firewall rule set.
I will try to prepare them.
Real admins use real keyboards.
 
jebz
Member Candidate
Posts: 237
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Disable Internet at Certain hours !!

Wed Feb 25, 2015 3:22 pm

Thanks a lot for replying.. I am kind of new to mikrotik, I am not any good at writing commands !!
Exactly I need to block the IPs from 172.16.0.50 till 172.16.0.250 from 03.00 am till 06.00 am everyday except fri,sat .
So can you write the exact command for that?
Thanks in advance ;)
Make it easy for yourself and change your IP addressing to restrict something like 172.16.0.128/25.
That's addresses 172.16.0.129 - 172.16.0.254
 
aacable
Member
Posts: 422
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN
Contact:

Re: Disable Internet at Certain hours !!

Thu Feb 26, 2015 8:39 am

There are always different and 'doable' methods to accomplish any task.

If you want to block multiple IP addresses and series, then better to create an address list, and then block/allow this address in the Filter rule.
As shown in the example below ...
/ip firewall address-list
add address=172.16.0.10-172.16.0.20 list=Target_Users
add address=172.16.0.15 list=Target_Users
add address=172.16.0.50-172.16.50.60 list=Target_Users

/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
    16h-18h,sun,mon,tue,wed,thu,fri,sat
The good part is that you can manage address list from winbox gui by going to IP > FIREWALL > ADDRESS LISTS.
_____________
Regards

Syed Jahanzaib
Web: http://aacable.wordpress.com
Email: aacable [at] hotmail.com
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Sat Feb 28, 2015 8:34 am

Thank you so much for this info, it helped me somehow guys

But when I applied this rule through terminal or GUI
/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
    16h-18h,sun,mon,tue,wed,thu,fri,sat

Somehow it wasn't working, I didn't get it!

Though it was black color when it was active and red color when it was inactive ..
I've tried for different times and for group of people or only one IP address.. still it was not effective.
 
deanMKD1
Member
Posts: 345
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia
Contact:

Re: Disable Internet at Certain hours !!

Mon Mar 02, 2015 12:58 am

2) Why not simply disable ether1-gateway or your UPlink?

Create one scheduler for enabling ether1-gateway at 06:00 (for ex)
/system scheduler
add comment="Enable Internet" disabled=no interval=1d name="Enable Internet" on-event="/interface enable ether1-gateway" policy=read,write,test start-date=Mar/02/2015 start-time=06:00:00
For disabling at 03:00 as you want :)
/system scheduler
add comment="DisableInternet" disabled=no interval=1d name="Disable Internet" on-event="/interface disable ether1-gateway" policy=read,write,test start-date=Mar/02/2015 start-time=03:00:00
I hope this will solve your problem. :) This will disable internet for all your connections, wifi+LAN.
1) And also, don't often plug/unplug your electrical equipment, to avoid energy "stress" to your units. Stay power ON.
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Wed Mar 04, 2015 7:27 am

2) Why not simply disable ether1-gateway or your UPlink?
Thanks a lot for posting that, but still this will kick me out, so I can't use it for now

What do I need to block everyone except for a few IPs?

Thanks guys in advance
 
jebz
Member Candidate
Posts: 237
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Disable Internet at Certain hours !!

Thu Mar 05, 2015 1:43 am

Somehow it wasn't working, I didn't get it!
Though it was black color when it was active and red color when it was inactive ..
I've tried for different times and for group of people or only one IP address.. still it was not effective.
Have you moved the block rule before any possible allow rule that may cause your new rule to never be evaluated?
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Thu Mar 05, 2015 9:24 pm

Have you moved the block rule before any possible allow rule that may cause you new rule to never be evaluated?
Nope, I didn't.

This is almost the only rule I've added in the firewall rules!
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: Disable Internet at Certain hours !!

Thu Mar 05, 2015 9:38 pm

Have you moved the block rule before any possible allow rule that may cause you new rule to never be evaluated?
Nope, I didn't.

This is almost the only rule I've added in the firewall rules!
The rule you copied was configured with chain=input.
It should have been chain=forward.
In winbox, it is easy to edit the rule and change the chain.

input = packets talking to the Mikrotik itself (regardless of which interface they arrive on)
output = packets the Mikrotik is about to send out to the Internet from itself.
forward = packets that go THROUGH the Mikrotik as a router
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Sun Mar 08, 2015 8:39 am

I did change the chain to FORWARD!

But actually it's the same. The funny thing is the rule seems to be working but not functioning!
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: Disable Internet at Certain hours !!

Sun Mar 08, 2015 6:16 pm

I did change the chain to FORWARD!

But actually it's the same. The funny thing is the rule seems to be working but not functioning!
Rules are checked in order from first to last until a match is found. Some actions (continue, log, jump, and others) don't stop the checks, but most do.

A rule only matches if ALL specified conditions are true. Src IP, time, in-interface, protocol, etc.

From what you're saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)

One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
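
The evaluation order described in the post above, as an added example that is not part of the original thread and is not RouterOS code: a simplified Python model of first-match filtering with a time window and an early established/related accept rule. The rule fields, sample packets and dates are constructed assumptions; the address range and hours are the ones asked for earlier in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order

@dataclass
class Rule:
    chain: str
    action: str
    src_range: tuple = ()   # (first_ip, last_ip), inclusive
    states: tuple = ()      # connection states the rule applies to
    window: tuple = ()      # (start, end, days)

    def matches(self, pkt, now):
        # A rule matches only if ALL of its specified conditions are true.
        if self.src_range:
            lo, hi = map(ip_address, self.src_range)
            if not lo <= ip_address(pkt["src"]) <= hi:
                return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.window:
            start, end, days = self.window
            if DAYS[now.weekday()] not in days or not start <= now.time() < end:
                return False
        return True

def evaluate(rules, chain, pkt, now):
    """Rules are checked in order; the first match in the packet's chain decides."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt, now):
            return rule.action
    return "accept"  # nothing matched: the packet passes

# Constructed sample data: 03:00-06:00 blackout, every day except fri,sat.
WINDOW = (time(3), time(6), ("sun", "mon", "tue", "wed", "thu"))
RANGE = ("172.16.0.50", "172.16.0.250")
MON_4AM, FRI_4AM = datetime(2015, 3, 9, 4, 0), datetime(2015, 3, 13, 4, 0)
ESTABLISHED = Rule("forward", "accept", states=("established", "related"))

def blackout(chain):
    return Rule(chain, "drop", src_range=RANGE, window=WINDOW)

def verdict(rules, state="new", src="172.16.0.60", when=MON_4AM):
    # Traffic from a LAN client to the Internet traverses the forward chain.
    return evaluate(rules, "forward", {"src": src, "state": state}, when)
```

With `[ESTABLISHED, blackout("forward")]` a connection that is already open keeps passing during the window, while the reverse order drops it; a blackout rule placed in `input` never sees forwarded traffic at all.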
 
Amroory
just joined
Topic Author
Posts: 19
Joined: Tue Feb 24, 2015 8:22 am

Re: Disable Internet at Certain hours !!

Mon Mar 09, 2015 12:46 pm

From what you're saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)
I've attached a pic which will make it much easier for you


 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: Disable Internet at Certain hours !!

Mon Mar 09, 2015 3:18 pm

If you're doing a hotspot, then you should set any hours-of-operation inside the hotspot configurations.
See how all of those rules have the D flag (dynamic)? That means hotspot added them. You can't guarantee rule order inside the hotspot except by doing configs there.
I think there are hours-of-use settings in the user and hotspot server profiles.

If your packets are not on the hotspot interfaces (don't match the jump statements) then the hours rule /should/ work, assuming that it doesn't have match criteria that are broken somehow...
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
africantech
just joined
Posts: 5
Joined: Mon Jan 11, 2016 11:03 am

Re: Disable Internet at Certain hours !!

Sun Jun 12, 2016 8:27 pm

One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
Hello Zerobyte,
I'm grappling with the exact same issue and am trying to figure out how to stop or drop a connection so that the exclusion time firewall rule can kick in. Any help would be hugely appreciated.

Edit: Solved - Since this is a home network I had set most of the devices (including the one that I am trying to manage using the above rules) to have DHCP long leases. I realised that if I set the device to a 10 minute renewal period on the DHCP lease, the rule will kick in when the lease is renewed. This means that the device in question will (should) only have a 10 minute window within which it will still be able to access the internet.

The rule I'm using is:
/ip firewall filter add chain=forward action=drop time="17:50:00-23h58m,mon,tue,wed,thu,fri,sat,sun" src-mac-address=EE:66:77:44:55:BB comment="Block PS4 daily from 17:50 to 23:58"
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: Disable Internet at Certain hours !!

Wed Jun 15, 2016 1:57 pm

One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
Hello Zerobyte,
I'm grappling with the exact same issue and am trying to figure out how to stop or drop a connection so that the exclusion time firewall rule can kick in. Any help would be hugely appreciated.

Edit: Solved - Since this is a home network I had set most of the devices (including the one that I am trying to manage using the above rules) to have DHCP long leases. I realised that if I set the device to a 10 minute renewal period on the DHCP lease, the rule will kick in when the lease is renewed. This means that the device in question will (should) only have a 10 minute window within which it will still be able to access the internet.

The rule I'm using is:
/ip firewall filter add chain=forward action=drop time="17:50:00-23h58m,mon,tue,wed,thu,fri,sat,sun" src-mac-address=EE:66:77:44:55:BB comment="Block PS4 daily from 17:50 to 23:58"
Hello Africantech,
This is what helped me to achieve the settings you are requesting. This assistance came from aacable in his blog, based on a question on time-based internet access and his response, with my implementation to achieve the goal.
For Amroory, you will see that you have to take the rule above the hotspot rule; take the rule above, making it start from 0. This will make it work in hotspot, though I had issues, but when I disabled the hotspot firewall, the rule started working. Which means it cannot work together with hotspot.
Here is the conversation and the responses;
 
TIME based filter rule
Just for an example, I want to BLOCK all sorts of access for an IP from 1:00pm till 3:00pm; then simply create a Firewall rule that will block traffic from this IP address and, in the TIME section, modify the required time, something like below . . .
Change the IP / Time as per your requirement

CLI Code:
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
 
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=178.20.28.0/22 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
Hello Sir, please I need your help on this issue. We are faced with a problem where we want all staff to be allowed to browse the internet only from 7:00 till 16:00, but allow only the Admin/manager unrestricted access to the internet. The network is on DHCP while the LAN IP address is 178.50.30.0/24, but we will use the Admin/manager PC MAC ID as the filter. Please, your help is needed in this direction, as staff now abuse the use of the network because after that time they use it to do some unimaginable things.
Thanks and God bless you.
Comment by sapanda — April 15, 2016 @ 1:27 PM


There are *many* ways you can block/allow users.
Example:

Create two filter rules.
1st, allow the admin IP or MAC address in the forward chain.

You need to put this rule on top:
/ip firewall filter add chain=forward src-mac-address=xx:xx:xx:xx:xx:xx dst-address=192.168.0.10 action=accept
2nd, reject requests from all IP series of LAN users, and set the time in it.

OR
in the default NAT rule, you can define the time in which you want to allow the IP range.
 
 
 
Settings that worked for me
/ip firewall filter
add chain=forward src-mac-address=00:21:5C:4E:11:31
add chain=forward src-mac-address=C0:BD:D1:3F:96:13
add action=drop chain=input comment=\
    "Block access for all users from 4pm -9pm" in-interface=bridge1 time=\
    13h-22h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
