Scheduling firewall rules on DrayTek Vigor 165

One interesting feature of the DrayTek Vigor 165 is the ability to schedule firewall rules, rules can be enabled and disabled using the router’s scheduler. For examples some clients can be forbidden Internet access at a given time. Combined with other type of filters, like URL filters, it can also be used to let users access some websites only at specific times.

One use in a family environment could be to block access to children’s devices past a given hour.

In my previous post I have shown how to use rules chaining to build a tree of rules, where child rules can refine the behaviour of the parent rule.

In that example, the LAN to WAN main rule passes all traffic that is not blocked by a further match. We can add a child blocking rule for a specific subnet, and enable it only for a specific time interval.

First, we need to add the scheduler entry in Application > Schedule. Click any unused entry, and configure it, for example:

Setting the scheduler

In this example, the scheduler will activate any linked object at 22:00 each day, and will keep it active for ten hours – until 8:00. Setting a start date allow to start activating the schedule some time in the future, if needed.

The scheduler list will show which entries are active, and when:

Scheduler list

Now we can create a firewall rule to be activated with that schedule. In the previous example I create a filter set named “LAN rules” which was invoked by the main “LAN2WAN” rule. We can add a new rule to block traffic from the subnet assigned to children (that of course would require to have a dedicated subnet):

Scheduled firewall rule

The firewall rule is a usual firewall rule but in the “Schedule Profile” section has one or more schedule assigned. This rule will be active only in those specific time intervals. If we wish to be “evil”, we can also send a syslog entry when this rule is active and matched. Because the Vigor 165 has no internal storage, an external syslog server needs to be configured.

“Clear sessions when the schedule is ON” allows to close open connections when the schedule is activated.

Scheduled rules needs the correct time set on the router. The easiest way to achieve it, and ensure the time is correctly set after a reboot, is to set an NTP server in System Maintenance > Time and Date. Use any public NTP server close to you. Here the correct time zone and daylight saving time start/stop days – for countries using it – can be set also. When using a public NTP server, don’t poll it too often. I get the time once a day.

In the next post I will show how to use the URL content filter to block specific websites.