Recently I have needed to restrict access to the internet during certain hours.  This is very easy to achieve with MikroTik using a few mangle and filter rules.  I currently have this configuration on an RB751, so I am using a bridge for the LAN.  I have ports 2-5 switched together and then bridged wlan1 and ether2 (the master port) together.  Instead of just restricting everything on the bridge I wanted to be able to allow access to myself and certain others during “restricted times”, and this is why I used mangle to mark connections and filter via the connection marks.

Here you can see that the first two rules mark the connections from my allowed devices.  The last two rules mark everything else in and out of the DHCP bridge.

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \
    new-connection-mark=DHCP passthrough=no
add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \
    out-interface=DHCP passthrough=no

Now for the filter rules.  This is where the actual time restrictions take place.  The first two rules allow my devices access all the time, and as you can see in the third and fourth rules I take my connection mark (DHCP) and “jump” it into my “times” chain from both my input and forward chains.  Once in the “times” chain, rules 6, 7, and 8 block access during the times I want the internet turned off.  Rules 5 and 9 allow me to enable the internet during a restricted time or disable it during an allowed time: rule 5 returns from the chain before any drop rule is reached, and rule 9 drops whatever got past the timed rules.  Note that rule 5 is enabled (disabled=no) in the listing below, so the timed drops only take effect once it is disabled.  If you are not using a web proxy, you could block only the forward chain and it would still restrict the traffic, but blocking ALL communication (even to the router) takes only 1 more rule.

/ip firewall filter
add action=accept chain=input connection-mark=Allowed disabled=no
add action=accept chain=forward connection-mark=Allowed disabled=no
add action=jump chain=input comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times
add action=jump chain=forward comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times
add action=return chain=times comment="********TURN ON********" disabled=no
add action=drop chain=times comment="Drop 2300-2400" disabled=no time=\
    23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop 2400-0500" disabled=no time=\
    1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop Weekday 0800-1630" disabled=no time=\
    8h1s-16h29m59s,mon,tue,wed,thu,fri
add action=drop chain=times comment="********TURN OFF********" disabled=yes
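
To check the schedule before relying on it, the following added example (not part of the original post, and not MikroTik code) models the "times" chain above in Python and reports whether a marked connection would be dropped at a given moment. It assumes first-match rule evaluation and inclusive time bounds; the function names are hypothetical.

```python
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order

# The "times" chain from the post, in order: (action, time spec or None, disabled)
TIMES_CHAIN = [
    ("return", None, False),   # "TURN ON" override, enabled in the export
    ("drop", "23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat", False),
    ("drop", "1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat", False),
    ("drop", "8h1s-16h29m59s,mon,tue,wed,thu,fri", False),
    ("drop", None, True),      # "TURN OFF" override, disabled in the export
]

def to_seconds(text):
    """Convert a RouterOS duration such as 8h1s or 23h59m59s to seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([hms])", text))

def time_matches(spec, when):
    """True if `when` falls in the spec's window (bounds assumed inclusive)."""
    window, *days = spec.split(",")
    start, end = (to_seconds(part) for part in window.split("-"))
    now = when.hour * 3600 + when.minute * 60 + when.second
    return DAYS[when.weekday()] in days and start <= now <= end

def verdict(chain, when):
    """First enabled matching rule wins; no match returns to the calling chain."""
    for action, spec, disabled in chain:
        if disabled or (spec and not time_matches(spec, when)):
            continue
        return action
    return "return"

def with_overrides_off(chain):
    """The chain as it runs when both unconditional override rules are disabled."""
    return [(a, s, d or s is None) for a, s, d in chain]

if __name__ == "__main__":
    now = datetime.now()
    print("as exported:  ", verdict(TIMES_CHAIN, now))
    print("overrides off:", verdict(with_overrides_off(TIMES_CHAIN), now))
```

With the overrides off, the model shows that 00:00:00 and 08:00:00 fall outside every drop window and that the weekday block ends at 16:29:59, one second before the 1630 in the rule comment.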

It is also very important to make sure you have set up your SNTP client and set your time zone on your MikroTik.  If you don’t, your time restrictions will obviously not work.  Below is the setup for EST.

/system ntp client
set enabled=yes mode=unicast primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
/system clock
set time-zone-name=America/New_York