Syed Jahanzaib Personal Blog to Share Knowledge !

December 23, 2013

Mikrotik TIME base Rules

Filed under: Uncategorized — Tags: — Syed Jahanzaib / Pinochio~:) @ 3:17 PM

Scedule-time

TIME is a small but helpful feature of mikrotik. If you want to implement any rule in specific timings only , then it can quickly help you in this regard.

TIME based filter rule

Just for an Example I want to BLOCK all sort of access for an IP from 1:00pm till 3:00pm, then simply create a Firewall rule that will block traffic from this IP address and and in TIME section, modify the required time, something like below . . .

Change the IP / Time as per your requirement

time

CLI Code:


/ip firewall filter
add action=drop chain=input comment="Block access for user ZAIB from 1:pm till 3:pm" disabled=no src-address=172.16.0.10 time=\
13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat

If the user is pppoe, use FORWARD chain.

.

TIME based QUEUE

Allow users to use 1mbps link at day time starting from 12:00PM till 12:00AM,
then from 12:00AM they can use 2mps till next day 12:00PM.
Example:


/queue simple

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="2Mb from 12:00am till 12:00pm   - NIGHT Package" direction=both disabled=no \
interface=all limit-at=0/0 max-limit=2M/2M name="2Mb from 12:00am till 12:00pm - NIGHT Package" packet-marks="" parent=none priority=8 \
queue=default-small/default-small target-addresses=172.16.0.0/24 time=0s-11h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="1Mb from 12:00pm till 12:00am    - DAY Package" direction=both disabled=no \
interface=all limit-at=0/0 max-limit=1M/1M name="1Mb from 12:00pm till 12:00am - DAY Pacakge" packet-marks="" parent=none priority=8 queue=\
default-small/default-small target-addresses=172.16.0.0/24 time=12h-23h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

Another example:

Single User 192.168.1.10
Timings:
6:00AM to 6:00PM 512k
6:00PM to 6:00AM 1Mb

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=512k/512k name="512kb from 06:00 till 18:00 / Zaib" packet-marks="" parent=none \
priority=8 queue=default-small/default-small target-addresses=192.168.1.10/32 time=6h-17h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=1M/1M name="1mb from 18:00 till 06:00 / Zaib" packet-marks="" parent=none priority=\
8 queue=default-small/default-small target-addresses=192.168.1.10/32 time=18h-5h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

Regard’s
Syed Jahanzaib

Advertisements

16 Comments »

  1. Hi,
    Thanks for this, i am trying to modify it to fit my needs but its not going!
    I want to block certain users from 20:00hrs to 0700hrs but it keeps telling me that the end time is smaller than the begining time!
    Also i would like to block the same IP on weekends!
    Please i would appreciate your assistance.
    Thanks

    Like

    Comment by Ahmed Bello — December 23, 2013 @ 4:11 PM

    • You cannot add lower hour times with greater value for startup.
      Perhaps you have to add two rules to accomplish your task. TIME feature is quick and convenient, otherwise you ahve to use SCHEDULER and scripting to achieve the same . . .

      Like

      Comment by Syed Jahanzaib / Pinochio~:) — December 23, 2013 @ 5:03 PM

  2. can we make a Que for each user to limit specific domain download which override their original limit by radius ? let’s say a user has 1Mbps limit , i want to give him 3Mbps only to download youtube videos ..

    Like

    Comment by sadook — December 23, 2013 @ 5:15 PM

  3. Assalam-o-Allaikum,

    My questions is regarding time based rule. If I want to close the transmission of any ip from 7pm till 7am, it gives the error the Start time is bigger than End time. in start time i used 19:00:00 and in End time 06:59:59 What the time I can use..

    Regards Muhammad Ali

    Like

    Comment by Muhammad Ali — December 24, 2013 @ 11:19 AM

    • brother why dont u use it in positive manner.
      i.e. allow it 7am to 7pm 🙂

      regards,
      @Z@M

      Like

      Comment by nomi — December 27, 2013 @ 12:40 PM

  4. Not effected sir,

    Like

    Comment by rafi — December 12, 2014 @ 4:06 PM

  5. Hi all,
    I found this command very helpful, but how can i apply it for range of IPs?

    /ip firewall filter
    add action=drop chain=input comment=”Block access for user ZAIB from 1:pm till 3:pm” disabled=no src-address=172.16.0.10 time=\
    13h-15h59m59s,sun,mon,tue,wed,thu,fri,sat

    Like

    Comment by OMAR — February 25, 2015 @ 1:31 PM

    • There are always different and ‘doable’ methods to accomplish any task.

      If you want to block multiple IP addresses and series, then better to create an address list, and then block/allow this address in the Filter rule.
      As showed in the example below …

      /ip firewall address-list
      add address=172.16.0.10-172.16.0.20 list=Target_Users
      add address=172.16.0.15 list=Target_Users
      add address=172.16.0.50-172.16.50.60 list=Target_Users
      
      /ip firewall filter
      add action=drop chain=input comment="Block Address List with specific users in specific Timings from 4pm till 6pm / zaib" src-address-list=Target_Users time=\
          16h-18h,sun,mon,tue,wed,thu,fri,sa

      The good part is that you can manage address list from winbox gui by going to IP > FIREWALL > ADDRESS LISTS.

      Like

      Comment by Syed Jahanzaib / Pinochio~:) — February 26, 2015 @ 11:35 AM

  6. AOA
    Dear sir,
    i am using PPPOE + Hotspot service in mikrotik 200 clients and 100+ active

    i have an problem in hotspot my users put device or dhcp on my network witch disturb my hotspot page and ip’s
    my hotspot ip is 10.20.30.1
    problomatic ip is 192.168.x.xx

    mail my ans plz ASAP
    m in tens 0315-4646743

    Like

    Comment by sharaz4113 — August 29, 2015 @ 5:01 PM

  7. Hi,
    I want to know how to block internet access to a certain group (per IP for exemple) while keeping them connected to the LAN to communicate with other local network computers in a time interval (9h00-11h00)

    Like

    Comment by Yannick-Céphas Lobo Ndjango — October 27, 2015 @ 11:45 AM

  8. Hello Sir, please I need your help on this issue. We are faced with a problem where we want all staff are allowed to browse the internet only from 7:00 tiil 16:00, but allow only the Admin/manager unrestricted access to internet. The network is on dhcp while the lan ip address is 178.50.30.0/24 but will use that of Admin/manager pc mac id as the filter. Please your help is needed in this direction as staff now abuse the use of the network because after that time they they use it to do some unimaginable things.

    Thanks and God bless you.

    Like

    Comment by sapanda — April 15, 2016 @ 1:27 PM

    • there are *many* ways you can block/allow users.
      Example:

      Create two filter rules,
      1st, allow the admin IP or MAC address in forward chain.
      2nd , reject requests from all ip series of lan users, and set time in it.

      OR

      in default NAT rule, you can define time in which you want to allow the ip range.

      Like

      Comment by Syed Jahanzaib / Pinochio~:) — April 15, 2016 @ 2:23 PM

      • Thanks for your response. Sorry that I do not have a test machine to try this, but can you assist me to create the filter rules with any mac id or use xx:xx: as example and then the 2nd rules.

        Thanks and expecting your help

        Like

        Comment by sapanda — April 15, 2016 @ 2:39 PM

      • /ip firewall filter
        add chain=forward src-mac-address=00:21:5C:4E:11:31
        add chain=forward src-mac-address=C0:BD:D1:3F:96:13
        add action=drop chain=input comment=\
        “Block access for all users from 4pm -9pm” in-interface=bridge1 time=\
        13h-22h59m59s,sun,mon,tue,wed,thu,fri,sat
        add action=passthrough chain=unused-hs-chain comment=\
        “place hotspot rules here” disabled=yes
        =================
        Have done this as directed but the second mac id is not browsing the internet while the 1st src-mac id browses unhindered. Please note that the network I test this is on hotspot. did i do anything wrong from my setup.

        Thanks

        Like

        Comment by sapanda — June 2, 2016 @ 6:31 PM

  9. Thanks, quite educative.

    Pls and to schedule access to youtube say between 9am to 2pm access to youtube should be denied while it should be allowed from 2pm onwards. the network is dhcp and both wireless and cable. your swift response is appreciated. i would be glad if you could add sample codes.

    Like

    Comment by Alvino — February 14, 2017 @ 3:11 AM


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: