Parental control - does not drop connection

przemekwawa

Hi, today I found that my kid was still using some web chat with her friend after 22h - access to the Internet in parental control is limited to 8-22...
Only a restart of the AP helped.
I have two RT-AC66U at home; one is working as the router, the second is connected by Ethernet cable to the first one and is working as an AP. My kid's computer is connected to the AP...
Any ideas?
Does it work this way by design or is it an error?

I found another thread a few minutes later that is about the same thing:
http://forums.smallnetbuilder.com/showthread.php?t=15107
I have to check if "HW acceleration off" will help.
 
There's a known limitation with Parental Control where it will fail to terminate existing connections. Not sure why since the firewall rules seem to be properly configured to prevent existing connections from working past the cutoff time.

It's possible however that HW acceleration might be responsible, since it causes traffic to partly bypass the firewall rules.
 
Is there anything similar to tcpkill on Asus? Maybe a solution would be to create a script that would kill all connections at some time...
I will try to disable HW acceleration and test it, but is it worth it? Probably nobody knows how much it helps...
 
HW acceleration is only necessary for WAN connections faster than 120-140 Mbits (or 300 Mbits with an RT-AC56/AC68).
 
Thanks (as always for helpful answers :) ), I have 80 Mbits now, so I can turn it off.
Is there anything similar to tcpkill on Asus routers? Because restarting the whole router at 22 every day in the future is not a good idea...

//edit
I found a funny thing in iptables - please look at the second line. The following ones are not important...
Chain FORWARD (policy DROP)
target prot opt source destination
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Sun MAC <<MAC1>>
ACCEPT all -- anywhere anywhere
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Mon MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Tue MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Wed MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Thu MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Fri MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Sat MAC <<MAC1>>
DROP all -- anywhere anywhere MAC <<MAC1>>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Sun MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Mon MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Tue MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Wed MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Thu MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Fri MAC <MAC2>
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Sat MAC <MAC2>
DROP all -- anywhere anywhere MAC <MAC2>
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

//edit second...
I am tired... Rules are ok.
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PControls all -- br0 any anywhere anywhere TIME from 7:0 to 22:0 on Sun MAC <MAC>
0 0 ACCEPT all -- tun21 any anywhere anywhere
0 0 PControls all -- br0 any anywhere anywhere TIME from 7:0 to 22:0 on Mon MAC <MAC>

So I have to check hardware acceleration.
 
OK, update after some tests. With hardware acceleration it works fine with existing connections. They are dropped.
But I have another problem with such settings - when I am trying to watch a movie using my Popcorn Hour connected to a Synology NAS, it tries to buffer for about 1 minute and then says that it cannot open the movie. So disabling hardware (NAT) acceleration in some funny way affects LAN connections (without NAT)...
Any advice?
I tried to find anything about the possibility of killing connections using some commands, but didn't find anything useful.
Restarting the router works, but it is an extreme solution - e.g. if I break my wife's connection :)
 
...

//edit
I found a funny thing in iptables - please look at the second line. The following ones are not important...
Chain FORWARD (policy DROP)
target prot opt source destination
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Sun MAC <<MAC1>>
ACCEPT all -- anywhere anywhere
PControls all -- anywhere anywhere TIME from 7:0 to 22:0 on Mon MAC <<MAC1>>
...

//edit second...
I am tired... Rules are ok.
...

Can you tell me why you think this is OK?
I see the same on my router; by looking at it you would think it will never hit the third line,
because of the accept all any any. :confused:
 
When checking rules, always provide the -v flag, otherwise you won't be seeing the complete rule. That ACCEPT rule probably has a few criteria that a non-verbose list isn't showing you.
 
Thx, that is correct.
With -v it shows me the interface, which is tun21 for the accept rule.
The PControls are related to the br0 interface.

So yes, rules are ok. :)
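
The `-v` check discussed above, as an added example that is not part of the original thread: a small audit that reads a verbose FORWARD listing and reports whether any ACCEPT rule placed above the last DROP really matches all traffic or is limited by interface or match criteria. The listing is a constructed sample modelled on the output posted in this thread, the MAC address is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a verbose FORWARD listing for
# ACCEPT rules that would let traffic skip a later per-MAC DROP.

# Constructed sample in `iptables -L FORWARD -v` layout; MAC is a placeholder.
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 PControls all -- br0 any anywhere anywhere TIME from 7:0 to 22:0 on Sun MAC 00:11:22:33:44:55
 0 0 ACCEPT all -- tun21 any anywhere anywhere
 0 0 PControls all -- br0 any anywhere anywhere TIME from 7:0 to 22:0 on Mon MAC 00:11:22:33:44:55
 0 0 DROP all -- br0 any anywhere anywhere MAC 00:11:22:33:44:55
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
EOF
}

# Reads a verbose listing on stdin and prints one finding per ACCEPT rule
# that sits above the last DROP rule:
#   SHADOW n       matches every packet, so later DROPs are never reached
#   ESTABLISHED n  passes existing connections before the DROP can see them
#   SCOPED n ...   limited by interface or match criteria, shown for review
audit_forward() {
awk '
NR <= 2 { next }                      # skip chain title and column header
NF < 9  { next }                      # not a rule line
{
  n++
  target[n] = $3; prot[n] = $4; inif[n] = $6; outif[n] = $7
  src[n] = $8; dst[n] = $9
  extra[n] = ""                       # everything after the destination column
  for (i = 10; i <= NF; i++) extra[n] = extra[n] (i > 10 ? " " : "") $i
  if ($3 == "DROP") lastdrop = n
}
function wide(v) { return v == "any" || v == "*" || v == "anywhere" || v == "0.0.0.0/0" }
END {
  for (r = 1; r < lastdrop; r++) {
    if (target[r] != "ACCEPT") continue
    if (extra[r] ~ /ESTABLISHED/) print "ESTABLISHED " r
    else if (prot[r] == "all" && wide(inif[r]) && wide(outif[r]) && wide(src[r]) && wide(dst[r]) && extra[r] == "")
      print "SHADOW " r
    else print "SCOPED " r " in=" inif[r] " out=" outif[r] (extra[r] == "" ? "" : " " extra[r])
  }
}'
}

# Usage on a router: iptables -L FORWARD -v | audit_forward
```

On the sample, rule 2 is reported as scoped to `tun21`, which is the detail the non-verbose listing hides.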
 
Sorry for the late response - I had a lot of work.
Yes, exactly, it is the VPN interface. I was thinking that the same line was the problem :)

And yes, when hardware acceleration is off they drop :)
When it is on, they did not.

Half solution - I created a Windows Task on my daughter's computer that resets all connections at the same moment when Parental Control disables access.
Second half solution - I have to speak once again with my daughter about rules... :)
 