Recently I have needed to restrict access to the internet during certain hours. This is very easy to achieve with MikroTik using a few mangle and filter rules. I currently have this configuration on a RB751, so I am using a bridge for the LAN. I have ports 2-5 switched together and then bridged wlan1 and ether2 (the master port) together. Instead of just restricting everything on the bridge, I wanted to be able to allow access to myself and certain others during "restricted times", and this is why I used mangle to mark connections and then filter on the connection marks.
Here you can see the first two rules, which mark the connections from my allowed devices by source MAC address. The last two rules mark everything else going in and out of the DHCP bridge.
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \
    new-connection-mark=DHCP passthrough=no
add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \
    out-interface=DHCP passthrough=no
Now for the filter rules. This is where the actual time restrictions take place. The first two rules allow my devices access all the time, and as you can see in the third and fourth rules I take my connection mark (DHCP) and "jump" it into my "times" chain from both my input and forward chains. Once in the "times" chain, rules 6, 7 and 8 block access during the times I want the internet turned off. Rules 5 and 9 let me override the schedule: enabling rule 5 (the return) turns the internet on during a restricted time, and enabling rule 9 (the unconditional drop) turns it off during an allowed time. If you are not using a web proxy you could jump only from the forward chain and that will restrict the traffic, but blocking ALL communication (even to the router) is only one more rule.
/ip firewall filter
add action=accept chain=input connection-mark=Allowed disabled=no
add action=accept chain=forward connection-mark=Allowed disabled=no
add action=jump chain=input comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times
add action=jump chain=forward comment="Jump to Times" connection-mark=DHCP disabled=no jump-target=times
add action=return chain=times comment="********TURN ON********" disabled=no
add action=drop chain=times comment="Drop 2300-2400" disabled=no time=\
    23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop 2400-0500" disabled=no time=\
    1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop Weekday 0800-1630" disabled=no time=\
    8h1s-16h29m59s,mon,tue,wed,thu,fri
add action=drop chain=times comment="********TURN OFF********" disabled=yes
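Before putting a schedule like this on a router it helps to walk the "times" chain for a few sample clock values and see which rule wins. The script below is an added example, not code from the original post or from MikroTik: it parses the page's `time=START-END,days` specs and evaluates the chain in rule order the way the packet filter does. Note that in the export above the "TURN ON" return rule is `disabled=no`, i.e. active, which short-circuits every drop; the example models it disabled so the drop windows are visible, and the range bounds are assumed to be inclusive.

```python
from datetime import datetime

# Constructed copy of the page's "times" chain: (comment, action, enabled, time spec).
# A spec of None matches at any time. "TURN ON" is modelled as disabled here.
TIMES_CHAIN = [
    ("TURN ON", "return", False, None),
    ("Drop 2300-2400", "drop", True, "23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat"),
    ("Drop 2400-0500", "drop", True, "1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat"),
    ("Drop Weekday 0800-1630", "drop", True, "8h1s-16h29m59s,mon,tue,wed,thu,fri"),
    ("TURN OFF", "drop", False, None),
]

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday(): Monday == 0


def parse_duration(spec):
    """Convert a RouterOS duration such as '23h59m59s' or '1s' into seconds."""
    total, digits = 0, ""
    for ch in spec:
        if ch.isdigit():
            digits += ch
        else:
            total += int(digits) * {"h": 3600, "m": 60, "s": 1}[ch]
            digits = ""
    return total


def time_spec_matches(spec, when):
    """True if `when` (router local time) lies inside a START-END,days spec (bounds assumed inclusive)."""
    window, *days = spec.split(",")
    start, end = (parse_duration(part) for part in window.split("-"))
    seconds_of_day = when.hour * 3600 + when.minute * 60 + when.second
    return start <= seconds_of_day <= end and DAYS[when.weekday()] in days


def times_chain_verdict(when, chain=TIMES_CHAIN):
    """Walk the chain top to bottom like the firewall does; return (action, rule comment).

    `when` is a datetime or an ISO string in the router's local time zone, which is
    why the NTP client and time-zone settings matter for these rules.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for comment, action, enabled, spec in chain:
        if enabled and (spec is None or time_spec_matches(spec, when)):
            return action, comment
    # No rule matched: control returns to the calling chain and the traffic is allowed.
    return "return", "end of chain"
```

Running it over midnight shows that with `1s-4h59m59s` the single second at 00:00:00 (and likewise 08:00:00 for the weekday rule) falls outside every drop window, which is the kind of boundary a walk like this makes visible before deployment.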
It is also very important to make sure you have set up your SNTP client and set your time zone on your MikroTik, because the time= matchers compare against the router's local clock. If you don't, your time restrictions obviously will not work. Below is the setup for EST.
/system ntp client
set enabled=yes mode=unicast primary-ntp=18.104.22.168 secondary-ntp=22.214.171.124
/system clock
set time-zone-name=America/New_York