block Internet access for all except router but allow access at specified times

[fakenetworkexpert]

I have multiple devices behind a router running Asuswrt-Merlin (currently 380.69_2). Since several of my devices are from Apple, they're constantly using the Internet, even though most of them don't really need Internet access, most of the time. I travel, for work, so I need to be able to remotely access some of the devices on the network, occasionally.

My ISP enforces a very low bandwidth cap, but doesn't count data between 3am and 6am. So what I'd like to do is completely block all Internet access during the week, but automatically open up Internet access from 3am to 6am every night. And I need to retain the ability to SSH into the router, in case I need to give myself access to something.

What I've been doing is manually turning off NAT. That way, if I need access to something, I can SSH into the router, and do whatever I need to do, including using port forwarding to get to the router's GUI. But local devices think they can't reach the Internet, so they don't chew up my bandwidth.

It seems like the "Network Services Filter" in the Firewall section would do exactly what I want to do. I set up a White List to open the whole subnetwork (192.168.1.0/24) from 3 to 6am every week day. And that works to block internet access from devices on my local network except for those "free" hours. Problem is that I can only SSH in to the router from outside the network during that window.

Can anyone suggest a way to get the same effect as enabling the networks services filter "except for" the router, itself?

 

[Xentrk]

Here is a sample script I run on a DD-WRT router to block internet access at certain times of day. I have it set to run in cron.

The children_off.sh script drops packets to the internet for the devices specified. The children_on.sh script deletes the chain created by the children_off.sh script. You will have to modify the location of the log file.


children_off.sh

#!/bin/sh
echo "######################children_off script START at `date`" >> /var/log/cronlog
iptables -I FORWARD -s 192.168.2.100 -j DROP
iptables -I FORWARD -s 192.168.2.101 -j DROP
<snip>
iptables -L FORWARD | grep DROP >> /var/log/cronlog
echo "######################children_off script END at `date`" >> /var/log/cronlog

children_on.sh

#!/bin/sh
echo "####################children_on script START at `date`" >> /var/log/cronlog
iptables -D FORWARD -s 192.168.2.100 -j DROP
iptables -D FORWARD -s 192.168.2.101 -j DROP
<snip>
iptables -L FORWARD >> /var/log/cronlog
echo "###################children_on script END at `date`" >> /var/log/cronlog

 

[Martineau]

I need to retain the ability to SSH into the router, in case I need to give myself access to something.

As posted many times - DO NOT USE SSH to remotely access YOUR LAN from the Internet - instead set up an OpenVPN Server (or two for resiliency using say ports xxxx/443).

It seems like the "Network Services Filter" in the Firewall section would do exactly what I want to do.

Can anyone suggest a way to get the same effect as enabling the networks services filter "except for" the router, itself?

So to answer your question, you can use CIDR notation in the GUI to enter subnets
e.g. These 13 rules exclude 192.168.1.1 for NSFW

192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/26
192.168.1.192/27
192.168.1.224/28
192.168.1.240/29
192.168.1.248/30
192.168.1.252/31
192.168.1.254/32

However, if you can assign reserved addresses to your rogue Apple devices etc. then the rules can be simplified or even try Parental controls for blocking.