XII. Firewall/Security Features

Firewall - Scheduling Firewall or CSM rules

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
Scheduling
Time Schedule

In either a home or a work environment, it is often necessary to have specified times in which some network actions are allowed or blocked. For instance, during office hours the firewall would block access to social media sites, but they could be allowed during lunch hours or outside of standard working hours.

This is possible on DrayTek routers as they are able to apply Firewall filter rules or Content Filtering rules based on a schedule so that one set of filtering can be applied at some times and another set of filtering can be active the rest of the time.

This requires using the DrayTek router's Firewall facility. By configuring a Filter Rule with a schedule, it can be applied to the network or to specific network segments instead of the firewall's Default Rule.


This guide will cover the configuration of the schedule so that the Web Content Filter will apply a different profile during office hours than it will outside of office hours:

00:00 - 07:59: Less restrictive content filtering

08:00 - 11:59: More restrictive content filtering

12:00 - 12:59: Less restrictive content filtering during the specified lunch hour

13:00 - 16:59: More restrictive content filtering

17:00 - 23:59: Less restrictive content filtering

This is achieved using two schedule entries, one that starts at 8am and ends at 12pm and another that starts at 1pm and ends at 5pm. These are linked to a firewall filter rule which has the more restrictive content filtering settings. There will also be a secondary rule to apply the less restrictive settings when the scheduled rule is inactive.


The first step is to set the router's time correctly - this is set from the [System Maintenance] - [Time and Date] settings page; on there, set the Time Setup section to Use Internet Time then click OK. If the router is connected to the internet then it will try to get the correct time from the time server configured. This can be checked by clicking the Inquire Time button which will then show what the current time is on the router:


The next step is to configure the two schedule entries that will be needed. The Schedule settings are located under the [Applications] - [Schedule] menu on the router. To configure the first entry, click on the link for Index number 1 from that page:

That will go into the schedule index settings; on there, configure the Start Time as 08:00 with a Duration Time of 4 hours.
The Action setting is ignored by the firewall so that does not need to be configured.

If the schedule only needs to be active on certain days of the week, tick the required Weekdays tick boxes for those days. The default has the weekdays selected while the weekend days are unselected.

Click OK to save that entry, then go back to [Applications] - [Schedule] to configure the second entry, which is Index Number 2:

In that entry, set the Start Time as 13:00 and the Duration Time as 4 hours so that the schedule entry would be active between 1pm and 5pm. Click OK to save that entry.


To configure the content filtering profiles that will be used, go to [CSM] - [Web Content Filter Profile] and select an unused entry on there by clicking on the number / link. This first example shows which types of sites would be blocked with the less restrictive NonOfficeHours web content filtering profile:

Click OK on that page to save the settings changes and go into another unused profile to set up the OfficeHours web content filtering profile, which has more options ticked to block more sites:

Click OK to save that profile.


With the Schedule, Router Time and Web Content Filter profiles set, this can now be applied using the Firewall.

To set up the necessary filter rules, go to [Firewall] - [Filter Setup] and on there, click the number / link for Filter Set 2, which is the first filter set processed for Data Filter (Firewall) rules:

From the filter set, select the first unused filter rule, in this case, Filter Set 2, Rule 2:

This rule will be used to configure the Scheduled Filter Rule, which will be active during the scheduled times of 8am - 12pm and 1pm - 5pm. This is set by entering the Index numbers from the [Applications] - [Schedule] page, which in this case are entries 1 and 2.

It's important to tick the Clear sessions option in the filter rule so that the router clears active sessions when the filter rule becomes active, otherwise any existing sessions using the less restrictive content filtering would continue to work. This forces all sessions to be processed by the firewall using this scheduled filter rule.

The Filter Rule's Action is left on its default setting of Pass Immediately, which means that the IP firewall won't block it, but the CSM options selected are applied by the filter rule.

The Web Content Filter Profile has the OfficeHours profile selected to apply the more restrictive content filtering.

Click OK on the filter rule to save those settings, then go into the settings for the next available filter rule.


In the next filter rule, which in this case is Filter Set 2, Rule 3, the rule is configured without a schedule but with the less restrictive NonOfficeHours web content filtering profile selected. This is set up so that when the OfficeHours rule is inactive based on the schedule, the firewall will go to the next rule, which is this one, and the less restrictive content filtering will be applied:

Click OK to save that rule which will then go back to the list of filter rules in Filter Set 2.


This is how the Filter Set 2 page will look, with the OfficeHours rule listed before the NonOfficeHours rule. These are processed in order, so when the schedules are active, the OfficeHours rule will be processed instead of the NonOfficeHours rule:

With all of this configured, the content filtering used will change based on the hours.
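
The schedule and rule order set up in this guide can be checked offline before relying on them. The following Python model is an added example, not DrayTek code or part of the original article; it assumes first-match rule processing, a schedule end time that is exclusive, and windows that do not cross midnight, and all function names are illustrative.

```python
from datetime import datetime, timedelta

# Schedule entries from [Applications] - [Schedule], as configured in this guide.
# Weekdays use Python numbering (0 = Monday); Mon-Fri is the default described above.
SCHEDULES = {
    1: {"start": (8, 0), "hours": 4, "weekdays": {0, 1, 2, 3, 4}},
    2: {"start": (13, 0), "hours": 4, "weekdays": {0, 1, 2, 3, 4}},
}

# Filter Set 2 in processing order: (rule number, schedule indexes, WCF profile).
# An empty schedule list means the rule is always active.
FILTER_SET_2 = [
    (2, [1, 2], "OfficeHours"),
    (3, [], "NonOfficeHours"),
]

def schedule_active(entry, when):
    """True if 'when' falls inside the entry's window (assumed end-exclusive)."""
    if when.weekday() not in entry["weekdays"]:
        return False
    start = when.replace(hour=entry["start"][0], minute=entry["start"][1],
                         second=0, microsecond=0)
    return start <= when < start + timedelta(hours=entry["hours"])

def profile_at(when, rules=FILTER_SET_2, schedules=SCHEDULES):
    """Return (rule number, profile) of the first rule active at 'when'."""
    for number, indexes, profile in rules:
        if not indexes or any(schedule_active(schedules[i], when) for i in indexes):
            return number, profile
    return None, None  # nothing matched: the firewall's Default Rule would apply

def timetable(day):
    """List (HH:MM, profile) for each point in 'day' where the profile changes."""
    changes, previous = [], None
    for minute in range(24 * 60):
        when = day + timedelta(minutes=minute)
        profile = profile_at(when)[1]
        if profile != previous:
            changes.append((when.strftime("%H:%M"), profile))
            previous = profile
    return changes

if __name__ == "__main__":
    # Constructed sample dates: 2024-01-08 is a Monday, 2024-01-13 a Saturday.
    for label, day in (("Monday", datetime(2024, 1, 8)), ("Saturday", datetime(2024, 1, 13))):
        print(label, timetable(day))
```

Passing the rules in reverse order to `profile_at` shows why the scheduled rule must be listed first: the unscheduled NonOfficeHours rule would match at every hour and the OfficeHours profile would never be applied.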

This can be applied to other filtering types as well if necessary; the IP filter could be used instead to block access to certain ports during specified hours or block internet access completely.
