Wednesday, October 03, 2018

MikroTik: access control helpers

I have a MikroTik router and am overall pretty happy with it. Especially the Caps-Man feature for central administration of Wifi access points is great.

One thing I am a bit fighting with is restricting my kids from accessing the internet at certain times of the day. The firewall offers quite some features, but I can't get it to cut existing connections when the rule is triggered by time (and this is also true for the dynamic rules of the kid control feature). But then perhaps I just don't understand routeros well enough.

What I have done is to set up access-lists for caps-man. When they are enabled, WiFi access is no longer possible. They kick in well at the right time, so all is good.

But: sometimes my kids get legitimate exceptions and when I then forget to re-enable the rule, they won't tell me :)

What I have done is created the following script, which is nightly triggered from the scheduler:

:local maccaps
:foreach i in=[/caps-man access-list find ] do={
  :set maccaps ( [/caps-man access-list get value-name=comment number=$i])
  :if ($maccaps~ "^RESET .*\$") do={
       /caps-man access-list enable numbers=$i

This looks for access list entries with a comment, where the comment starts with "RESET ". If found the script just re-enables that access list rule.

Permissions needed are read, write and policy.

Please let me know if there are better options.

No comments: