Recently I have needed to restrict access to the internet during certain hours. This is very easy to achieve with MikroTIk using a few mangle and filter rules. I currently have this configuration on a RB751 so I am using a bridge for the LAN. I have ports 2-5 switched together and then bridged the wlan1 and ether2 (the master port) together. Instead of just restricting everything on the bridge I wanted to be able to allow access to myself and certain others during “restricted times”, and this is why I used mangle to mark connections and filter via the connection marks.
Here you can see the two rules mark the connections from my allowed devices. The last two rules mark everything else in and out of the DHCP bridge.
/ip firewall mangle add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \ new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \ new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \ new-connection-mark=DHCP passthrough=no add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \ out-interface=DHCP passthrough=no
Now for the filter rules. This is where the actual time restrictions take place. The first two rules allow my devices access all the time and as you can see in the third and fourth rules I take my connection mark (DHCP) and “jump” it into my “times” chain from both my input and forward chains. Once in the “times” chain rules 6,7, and 8 block access during the times I want the internet turned off. Rules 5 and 9 allow me to enable the internet during a restricted time or disable it during an allowed time. You could only block the the forward chain if you are not using a web proxy and it will restrict the traffic but to block ALL communication (even to the router) is only 1 more rule.
/ip firewall filter add action=accept chain=input connection-mark=Allowed disabled=no add action=accept chain=forward connection-mark=Allowed disabled=no add action=jump chain=input comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times add action=jump chain=forward comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times add action=return chain=times comment="********TURN ON********" disabled=no add action=drop chain=times comment="Drop 2300-2400" disabled=no time=\ 23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat add action=drop chain=times comment="Drop 2400-0500" disabled=no time=\ 1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat add action=drop chain=times comment="Drop Weekday 0800-1630" disabled=no time=\ 8h1s-16h29m59s,mon,tue,wed,thu,fri add action=drop chain=times comment="********TURN OFF********" disabled=yes
It is also very important to make sure you have setup your SNTP client and set your time zone on your MikroTik. If you don’t your time restrictions will obviously not work. Below is setup for EST.
/system ntp client set enabled=yes mode=unicast primary-ntp=188.8.131.52 secondary-ntp=184.108.40.206 /system clock set time-zone-name=America/New_York
This is good, thank you.
One question though, you refer to DHCP. What I need is the following. ALL computers are static IP#’s as it is an office. I need to restrict access to these computers after hours. What would I have to change in your lines to do the same except with static IP. I far prefer static. As a matter of interest I have the RB433 setup as a proxy currently so it can restrict sites (facebook etc) 7/24
Great Writeup. Keep up the good work.
I was using the interface DHCP and the connection mark for it was also called DHCP. You just need to use the interface for your LAN. You could also put the static IP’s in an address list and mark the traffic from the address list.
Can you help me implement the following rules on my mikrotik RB1100 X2 AH
1. No internet for users in address list (Tellers) from 8am to 5 pm
2. User (Tellers) has access to a list of approved sites 24/7
I have a doubt about the scenario:
Will the first two rules always match the packets and avoid them to be processed in the remaining rules?
What I mean is: the action “accept” send the mangled packet out the firewall, accept them and not process in sequence.
This is a good writeup. Is there any other method other than this. My situation is that, I want only the Admin and manager to have unrestricted internet access while others will be allowed access internet from 8:00 till 16:00 Monday to saturdays, but will share files in the network. The network is on DHCP and the range of ip is 220.127.116.11/24.