Hi Mikrotik Experts ;
I have CCR1009-8G-1S-1S+ as my server plus 3 Unifi Ubiquiti AP all connected to the router directly, I am using this system since 4 months so far, I have Electricity Timer to cut the power from the Server and the internet modems every day at 03:00 am and back on again at 06:00 am.
I had script to shutdown the server 2 mins earlier.. Now Iam facing lots of problems and I also believe its from electricity outage from the Server and the internet modems everyday for over than 100 day!
1) Do you think Shutting down the equipment everyday is good or bad for the devices?
2) Now I took the timer out just for testing, How can I disable the internet at 03:00 am and back on again at 06:00 am ?
3) I believe I can do that Usi ng DHCP Or Firewall"Mangle". Which one the better ?
4) Is it possible to block it to ever one except the Lan connection Devices ?
Thanks in advance <3
Re: Disable Internet at Certain hours !!
Thank you so much for this blog!
But i only found the command to be applied on one IP only
How Can I make it for range of IPs ?
Also 1) Do you think Shutting down the equipment everyday is good or bad for the devices?
But i only found the command to be applied on one IP only
Code: Select all
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,satAlso 1) Do you think Shutting down the equipment everyday is good or bad for the devices?
Re: Disable Internet at Certain hours !!
Look at this..it blocks flow from IP range to output interface. You could remove IP range to block all packets going to WAN.
To switch off or not to switch off....?
No...I do not think it is necessary....IMHO it is not good as for electronic devices the process of switching on/off is the moment when most unstable power is....read it as: the time when the overvoltage/overcurrent could happen till it drops to the desired value.
Code: Select all
add action=reject chain=forward comment="block 172.16.99.nnn" out-interface=ETH1-WAN src-address=172.16.99.0/24 time=0s-23h,sun,mon,tue,wed,thu,fri,sat
To switch off or not to switch off....?
No...I do not think it is necessary....IMHO it is not good as for electronic devices the process of switching on/off is the moment when most unstable power is....read it as: the time when the overvoltage/overcurrent could happen till it drops to the desired value.
Re: Disable Internet at Certain hours !!
Thanx alot for replying.. Iam kinda of new to mikrotik I am not any good in writing commands !!
Exactly I need to block the IPs from 172.16.0.50 till 172.16.0.250 from 03.00 am till 06.00 am everyday except fri,sat .
So can you write the exact command for that?
Thanks in advance
Exactly I need to block the IPs from 172.16.0.50 till 172.16.0.250 from 03.00 am till 06.00 am everyday except fri,sat .
So can you write the exact command for that?
Thanks in advance
Re: Disable Internet at Certain hours !!
Try to set it yourself... experience via practice... 
Use WinBox and you need just make some clicks to have firewall rule set.
I will try to prepare them.
Use WinBox and you need just make some clicks to have firewall rule set.
I will try to prepare them.
Re: Disable Internet at Certain hours !!
Make it easy for yourself and change your IP addressing to restrict some thing like 172.16.0.128/25.Thanx alot for replying.. Iam kinda of new to mikrotik I am not any good in writing commands !!
Exactly I need to block the IPs from 172.16.0.50 till 172.16.0.250 from 03.00 am till 06.00 am everyday except fri,sat .
So can you write the exact command for that?
Thanks in advance
That's addresses 172.16.0.129 - 172.16.0.254
Re: Disable Internet at Certain hours !!
There are always different and 'doable' methods to accomplish any task.
If you want to block multiple IP addresses and series, then better to create an address list, and then block/allow this address in the Filter rule.
As showed in the example below ...
The good part is that you can manage address list from winbox gui by going to IP > FIREWALL > ADDRESS LISTS.
If you want to block multiple IP addresses and series, then better to create an address list, and then block/allow this address in the Filter rule.
As showed in the example below ...
Code: Select all
/ip firewall address-list
add address=172.16.0.10-172.16.0.20 list=Target_Users
add address=172.16.0.15 list=Target_Users
add address=172.16.0.50-172.16.50.60 list=Target_Users
/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
16h-18h,sun,mon,tue,wed,thu,fri,saRe: Disable Internet at Certain hours !!
Thank you so much for these info, it helped me some how guys
But When I applied this rule through terminal or GUI
For some how it wasn't working, I didn't get it!
Though it was black color when it was active and red color when it was inactive ..
I've tried for different times and for group of people or only one IP address.. still it was not effective.
But When I applied this rule through terminal or GUI
Code: Select all
/ip firewall filter
add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
16h-18h,sun,mon,tue,wed,thu,fri,sa
Though it was black color when it was active and red color when it was inactive ..
I've tried for different times and for group of people or only one IP address.. still it was not effective.
Re: Disable Internet at Certain hours !!
2) Why not simply disable ether1-gateway or your UPlink?
Create one scheduler for enabling ether1-gateway in 06:00 (for ex)
For disabling in 03:00 as you want
I hope so, this will solve your problem. This will disable internet for all your connection, wifi+LAN.
1) And, also dont ofter plug/unplug your electical equipment to avoid energy "stress" to your units. Stay power ON.
Create one scheduler for enabling ether1-gateway in 06:00 (for ex)
Code: Select all
/system scheduler
add comment="Enable Internet" disabled=no interval=1d name=Enable Internet on-event="/interface wireless enable ether1-gateway" policy=read,write,test start-date=Mar/02/2015 start-time=06:00:00Code: Select all
/system scheduler
add comment="DisableInternet" disabled=no interval=1d name=Disable Internet on-event="/interface wireless disable ether1-gateway" policy=read,write,test start-date=Mar/02/2015 start-time=03:00:001) And, also dont ofter plug/unplug your electical equipment to avoid energy "stress" to your units. Stay power ON.
Re: Disable Internet at Certain hours !!
Thanks a lot for post that, but still this will kick me out, So i cant use it for now2) Why not simply disable ether1-gateway or your UPlink?
What I need to block everyone except for few IPs?
Thanks guys in advance
Re: Disable Internet at Certain hours !!
Have you moved the block rule before any possible allow rule that may cause you new rule to never be evaluated?For some how it wasn't working, I didn't get it!
Though it was black color when it was active and red color when it was inactive ..
I've tried for different times and for group of people or only one IP address.. still it was not effective.
Re: Disable Internet at Certain hours !!
Nope, I didn't.Have you moved the block rule before any possible allow rule that may cause you new rule to never be evaluated?
almost this is the only rule Ive added in the firewall rules!
Re: Disable Internet at Certain hours !!
The rule you copied was configured with chain=input.Nope, I didn't.Have you moved the block rule before any possible allow rule that may cause you new rule to never be evaluated?
almost this is the only rule Ive added in the firewall rules!
It should have been chain=forward.
In winbox, it is easy to edit the rule and change the chain.
input = packets talking to the Mikrotik itself (regardless of which interface they arrive on)
output = packets the Mikrotik is about to send out to the Internet from itself.
forward = packets that go THROUGH the Mikrotik as a router
Re: Disable Internet at Certain hours !!
I did change the chain to FORWARD!
but actually the same, The funny is the rule seems to be working but not functioning !
but actually the same, The funny is the rule seems to be working but not functioning !
Re: Disable Internet at Certain hours !!
Rules are checked in order from first to last until a match is found. Some actions (continue, log, jump, and others) don't stop the checks, but most do.I did change the chain to FORWARD!
but actually the same, The funny is the rule seems to be working but not functioning !
A rule only matches if ALL specified conditions are true. Src IP, time, in-interface, protocol, etc.
From what you're saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)
One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
Re: Disable Internet at Certain hours !!
I've attached a pic which will make it much easier to youFrom what you're saying, one of the following is the case:
Some previous rule is catching everything and this new rule is never being reached.
This rule has a match condition which stops it from matching
The action is accept? (it should be drop or reject to block access)
You do not have the required permissions to view the files attached to this post.
Re: Disable Internet at Certain hours !!
If you're doing a hotspot, then you should set any hours-of-operation inside the hotspot configurations.
See how all of those rules have the D flag (dynamic)? That means hotspot added them. You can't guarantee rule order inside the hotspot except by doing configs there.
I think there are hours-of-use settings in the user and hotspot server profiles.
If your packets are not on the hotspot interfaces (don't match the jump statements) then the hours rule /should/ work, assuming that it doesn't have match criteria that are broken somehow...
See how all of those rules have the D flag (dynamic)? That means hotspot added them. You can't guarantee rule order inside the hotspot except by doing configs there.
I think there are hours-of-use settings in the user and hotspot server profiles.
If your packets are not on the hotspot interfaces (don't match the jump statements) then the hours rule /should/ work, assuming that it doesn't have match criteria that are broken somehow...
-
-
africantech
just joined
- Posts: 7
- Joined:
Re: Disable Internet at Certain hours !!
Hello Zerobyte,One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
I'm grappling with the exact same issue and am trying to figure out how to stop or drop a connection so that the exclusion time firewall rule can kick in. Any help would be hugely appreciated.
Edit: Solved - Since this is a home network I had set most of the devices (including the one that I am trying to manage using the above rules) to have DHCP long leases. I realised that if I set the device to a 10 minute renewal period on the DHCP lease, the rule will kick in when the lease is renewed. This means that the device in question will (should) only have a 10 minute window within which it will still be able to access the internet.
The rule I'm using is:
Code: Select all
/ip firewall filter add chain=forward action=drop time="17:50:00-23h58m,mon,tue,wed,thu,fri,sat,sun" src-mac-address=EE:66:77:44:55:BB comment="Block PS4 daily from 17:50 to 23:58"
Re: Disable Internet at Certain hours !!
Hello Africantech,Hello Zerobyte,One other thing - it's pretty common for chains to have accept rules for established,related connections early in the list for performance reasons. If your forward chain has such rules, then when "internet blackout" time comes, it will only block new connections. Connections that were already established will keep right on working.
I'm grappling with the exact same issue and am trying to figure out how to stop or drop a connection so that the exclusion time firewall rule can kick in. Any help would be hugely appreciated.
Edit: Solved - Since this is a home network I had set most of the devices (including the one that I am trying to manage using the above rules) to have DHCP long leases. I realised that if I set the device to a 10 minute renewal period on the DHCP lease, the rule will kick in when the lease is renewed. This means that the device in question will (should) only have a 10 minute window within which it will still be able to access the internet.
The rule I'm using is:
Code: Select all/ip firewall filter add chain=forward action=drop time="17:50:00-23h58m,mon,tue,wed,thu,fri,sat,sun" src-mac-address=EE:66:77:44:55:BB comment="Block PS4 daily from 17:50 to 23:58"
This is what helped me to achieve the settings you are requesting. This assistance came from aacable in his blog based on question on time based internet access and his response with my implementation to achieve the goal.
For Amrory, you will see that you have to take the rule above hotspot rule, take the rule above making it start from 0. This will make it work in hotspot though i had issues but when I disable hotspot firewall, the rule started working. Which means it cannot work together with hotspot.
Here is the conversation and the responses;
TIME based filter rule
Just for an Example I want toBLOCKall sort of access for an IP from1:00pmtill3:00pm, then simply create a Firewall rule that will block traffic from this IP address and and inTIME section, modify the required time, something like below . . .
Change the IP / Time as per your requirement
CLI Code:
[table][tr][td] [/td]
[td] [/td]
[/tr]
[/table]
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address= 178.20.28.0/22 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat
Hello Sir, please I need your help on this issue.We are faced with a problem where we want all staff are allowed to browse the internet only from 7:00 tiil 16:00, but allow only the Admin/manager unrestricted access to internet. The network is on dhcp while the lan ip address is 178.50.30.0/24 but will use that of Admin/manager pc mac id as the filter. Please your help is needed in this direction as staff now abuse the use of the network because after that time they they use it to do some unimaginable things.
Thanks and God bless you.
Comment by sapanda — April 15, 2016 @ 1:27 PM
Reply
there are *many* ways you can block/allow users.
Example:
Create two filter rules,
1st, allow the admin IP or MAC address in forward chain
you need to put this rule on top
/ip firewall filter add chain=forward src.mac address=xx: xx: xx: xx: xx: xx dst-address=192.168.0.10 action=accept
2nd , reject requests from all ip series of lan users, and set time in it.
OR
in default NAT rule, you can define time in which you want to allow the ip range.
Settings that worked for me
/ip firewall filter
add chain=forward src-mac-address=00:21:5C:4E:11:31
add chain=forward src-mac-address=C0:BD:D1:3F:96:13
add action=drop chain=input comment=\
"Block access for all users from 4pm -9pm" in-interface=bridge1 time=\
13h-22h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes