Help With Schedule And Access Rule

I’m trying to setup a rule to restrict internet access on school nights and weekends. Below are screenshots of the custom schedule I setup and the outbound firewall rule I added…

My thinking is that “Any…” would literally translate to any protocol, destination IP, or port. I’ve tried both Allow and Deny but no matter what is selected the device is able to access the web.

Not sure what I’m doing wrong here but would truly appreciate some help.

Base on your description and screenshots, you were trying to restrict an IP (192.168…1.42) from accessing Internet at the defined “School Nights” schedule. This should be working, unless there is/are other rule(s) on top of this rule that overwritten this policy.

Do remember the Firewall rules are being processed from top to bottom, so if the “interesting traffic” hit to the rule on top, if won’t be processed by the rules below it.

If this is not your case, please open a support ticket here, so our team can follow up with your case.

The rule does seem to be working now. However, only by IP. I tried using a MAC address and the rule was completely ignored (it’s the first rule in the Outbound firewall settings). The IP is static so this isn’t really an issue but it would be nice if the rule also worked using the host’s MAC.

If you have the network connectivity below, blocking source MAC address will be worked.
Clients —> (LAN) Balance router —> Internet

If you have the network connectivity below, blocking source MAC address will not be worked. MAC address belongs to layer 2 and it can’t pass through layer 3 device.

Clients —> Layer 3 switch —> (LAN) Balance router —> Internet

I’m attaching a new screenshot of my router and the settings because it looks like you may think I have different product…

I was wrong in thinking the access rules were working. I’d chosen Deny and one of the devices was no longer accessing the internet so I assumed it to be working correctly. However, the firewall is denying access at all times and not using the schedule I setup. This is set by IP as you can see from the screenshots above. As far as I can tell, this router has Access Rule options that just simply do nothing at all. You’re also seeing the rules in the order they’re setup and not one of them work. The only thing the firewall settings see is the option for either Allow or Deny. The schedule is meaningless.

I’m not familiar with the Balance router you referenced but as far as L2/L3 go, the Surf is providing static IPs to these devices based on their MACs. If the device has the intelligence to do this, it should also be able to use either option in the access rules. Why have that as a dropdown option at all if it’s incapable of using it? Even better would be to allow access rules based on an IP range rather than just a single IP.

Should I open a support ticket or is the Surf unable to do what I’m trying to do?

I figured out a solution which is a bit convoluted. The trick to making things work is to create 2 schedules:

  1. The time to allow access.
  2. The time to deny access.

With a single schedule setup the firewall doesn’t know what to do with all that extra time. Now that I have both schedules enabled everything appears to be working…

1 Like

Thank you for publishing your workaround; I need to do the same thing in my network. It seems pretty crazy to need two rules to do one thing. Have you done any more experimenting since your post to confirm the two rules are really necessary?

Ever since I upgraded to the latest Firmware 7 the only rule I’ve needed is the blocked times. With the 6.x firmware it required both rules to work.

1 Like

Great, thank you.

1 Like

I have been looking all over for the scheduling rules in firmware 7.0 on my Ballance One with AP One Pro and AP Mini as WiFI access points.

Need to block one SSID after business hours.

How to do this?


Go to System → Schedule create a profile. Then you can apply the schedule to different settings on the balance (like firewall rules and outbound policies).

1 Like


I must have been very tired and blind last night…

1 Like

We would like our son’s VLAN to not be available between midnight and 5:00 a.m. The MAC address in the screenshot below is the BSSID of his VLAN. These settings do not block access to the VLAN between midnight and 5:00 a.m. What should I change to block access? Thank you for your advice!

Pepwave Surf SOHO MK3 7.1.0s026 build 1291

It looks like you have this rule set to Always on in the Enable field. It should be set to your custom schedule. Other than that it looks good.

Hope that does it.

Thanks for your reply. Whether I have the firewall rule set to “Always on” or to my custom setting, the VLAN is still available when it should be off.

Cthulhu, would you please post a screen shot of your working settings? When I save my firewall rule with any setting other than “Always on,” an asterisk appears next to the name of the rule, which indicates that the rule is off.

I would but no longer use the Pepwave router. I’ve gone to Ubiquiti.

The schedule is now working as expected. No firewall rule is necessary to activate the schedule, if the bottom rule is the default and it allows any.