Firewall -Network Services Filter

[sammyano]

Hello guys,
Please advise as to what am doing wrong -
I added 2 devices (IOS) under Firewall - Network Services Filter as seen in the attached screen grab, however both can still access the Internet after the specified times. Note- I used the Network Services Filter as opposed to the Parental control, because Parental control only uses hourly, where as wanted to give the kids up to half past the desired hour.

Is there a more better way to do this?
Thanks

 

[RMerlin]

Can't see anything on that thumbnail-sized screenshot, sorry.

Try disabling HW acceleration under LAN -> Switch Control, see if it helps.

 

[sammyano]

Ok - thanks I will disable HW, please I have updated the screen grab no sorry about that

 

[RMerlin]

Leave the source port empty. You want to only block access from any local port to local port 80/443/etc...). Your source port will be any random port used by the web browser, it won't be 80.

 

[sammyano]

Leave the source port empty. You want to only block access from any local port to local port 80/443/etc...). Your source port will be any random port used by the web browser, it won't be 80.

I have removed both port range and still both devices can still access the internet after the set time of 22:30 GMT - any ideas why?

 

[RMerlin]

I have removed both port range and still both devices can still access the internet after the set time of 22:30 GMT - any ideas why?

Don't remove both, remove only the source port.

I just tested it here, and it works fine for me.

Not that it's possible the router doesn't like the fact you have a starting hour later than the ending hour.

 

[sammyano]

Don't remove both, remove only the source port.

I just tested it here, and it works fine for me.

Not that it's possible the router doesn't like the fact you have a starting hour later than the ending hour.

Thanks - RMerlin - so you are suggesting that my problem could the the fact that Start Time = '22:30' as opposed to 00:00, the idea for me was to disconnect those devices Mon - Fri @ 22:30 and weekends @ 23:00, what was the Start/End time that work for you?

 

[RMerlin]

Thanks - RMerlin - so you are suggesting that my problem could the the fact that Start Time = '22:30' as opposed to 00:00, the idea for me was to disconnect those devices Mon - Fri @ 22:30 and weekends @ 23:00, what was the Start/End time that work for you?

I only tested the whole day scenario (i.e. 00:00 to 23:59) to confirm that blocking does work.

 

[sammyano]

OK - thanks, will modify Mon - Fri with 00:00 - 22:30 and weekends from 00:00 - 22:59 and see what happens

 

[sammyano]

RMerlin, it looks like the Network Service Filter does not work properly as devices set to be block still can access the internet . I have set the destination port of 80 and start time to 22:30 to 06:59. From your previous comment it works for the full day 00:00- 23:59 , is there any other settings in the router that might be block thiese settings. Perhaps you might be able to advise of an alternative way to achieve my aim, since parental control only works hourly.
Thanks in advance

 

[RMerlin]

I just tested a specific time block between 12:49 and 12:53, and it worked fine for me. Port 110 was unreachable starting at 12:49, and became once again reachable at 12:53 (one minute earlier than the schedule was set tho).

No idea what could be wrong with your particular setup, I never used this feature. Sorry. All I can think of would be for you to double check your client IPs.

 

[sammyano]

Thanks RMerlin, guys can someone using this feature please let me know if there is something wrong with my settings, I have assigned these tow devices to a static IP but still Network Services Filter does not seem to block the devices during the specified times

 

[Martineau]

Thanks RMerlin, guys can someone using this feature please let me know if there is something wrong with my settings, I have assigned these tow devices to a static IP but still Network Services Filter does not seem to block the devices during the specified times

Issue

iptables -vL

and post the output, which should show a similar list of rules as shown in the attached screenshot, where due to the limitation of iptables v1.4.14 apparently omitting the --contiguous directive, the GUI request had to split the crossing of midnight into two rules and unfortunately had to leave a 1 second window where access is actually not blocked!



Regards,

 

[sammyano]

Issue

iptables -vL

and post the output, which should show a similar list of rules as shown in the attached screenshot, where due to the limitation of iptables v1.4.14 apparently omitting the --contiguous directive, the GUI request had to split the crossing of midnight into two rules and unfortunately had to leave a 1 second window where access is actually not blocked!



Regards,

Hello - iptables -vL - does display the rules but still devices can access the Internet after the specified times - see out below -

0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Sun
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 23:0 on Sun
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Mon
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Mon
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Tue
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Tue
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Wed
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Wed
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Thu
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Thu
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Fri
514 34742 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Fri
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Sat
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 23:0 on Sat
0 0 DROP tcp -- br0 eth0 192.168.1.103 anywhere TIME to 6:59 on Sun tcp dpt:www

 

[Martineau]

Hello - iptables -vL - does display the rules but still devices can access the Internet after the specified times - see out below -

0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Sun
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 23:0 on Sun
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Mon
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Mon
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Tue
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Tue
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Wed
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Wed
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Thu
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Thu
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Fri
514 34742 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 22:30 on Fri
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME to 6:59 on Sat
0 0 DROP udp -- br0 eth0 192.168.1.102 anywhere TIME from 23:0 on Sat
0 0 DROP tcp -- br0 eth0 192.168.1.103 anywhere TIME to 6:59 on Sun tcp dpt:www

Please show the complete output of the 'iptables -vL' command.

The rules may very well be correctly defined, but could be in the wrong sequence/Chain and thus pre-empted by a preceding rule.

NOTE: I have experienced on one occasion, where www port access was strangely blocked for everything (possibly because of my GUI/command line actions), but I could not see where the rule was in the iptables display - I ended up having to reset the router to clear NVRAM, after which things worked as expected.

However, rather than depend on the GUI interface(s) to add the URL/KEYWORD/NETWORK Services filters I now create them manually (allows for 1 min granularity, although in theory 1 sec granularity should also work), and apart from the known UTC vs. local time zone issue, all my simple URL filter blocking scripts works fine.

Regards,

 

[sammyano]

Hello thanks, can help with how to create the rules manually as opposed to using the GUI

 

[sammyano]

Guys, please need some inputs on why or how the DNS Filter settings enclosed is not disconnecting device when specified time is over.

 

[ColinTaylor]

Guys, please need some inputs on why or how the DNS Filter settings enclosed is not disconnecting device when specified time is over.

Hi sammyano,

I think I have a solution for you.

I think I may have found 2 bugs in the firmware:

1) Daylight Saving Time was not being applied properly on the router so it thought the time was 1 hour ahead of what it is. I live in the UK so I have had to set the time zone from (GMT) London to (GMT) Greenwich Mean Time. (We've just changed from DST to GMT so maybe it will sort itself out next week)

2) Setting Protocol to TCP ALL does not work. Set it to TCP instead.

TCP ALL generates an iptables rule containing this:

-m time --timestart 23:00 --days Mon -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

As I understand it this means that all 6 flags must be set for the rule to apply? That's never going to happen.


So in answer to your question you need just 1 line per client in the Network Services Filter Table.

Source IP = IP address of your client
Port Range = leave empty
Destination IP = leave empty
Port Range = leave empty
Protocol = TCP

That's it. Nothing else.

 

[sammyano]

Cheers ColinTaylor - I have changed my settings, so will see tomorrow if the devices are disconnected based on the selected times

 

[ColinTaylor]

It seems the time zone bug has been reported multiple times before. i.e. http://www.smallnetbuilder.com/forums/showthread.php?t=13427

Looks like it should correct itself after this weekend.

UPDATE: Just an update to say that the time did correct itself at (what it thought was) 2am today, Sunday 2nd November. Only a week late