Description:

This document describes the configuration of a LANCOM router to block access to the Internet either globally or for a specific range of IP addresses.

Requirements:


Scenario 1:

Each day, Internet access should be blocked globally from 2:00 PM to 5:00 PM.

Scenario 2:

Each day, Internet access should be blocked for a range of IP addresses from 8:00 AM to 10:00 AM.


Common approach for both scenarios:

Time-dependent blocking of Internet access is controlled by the CRON table under Configuration -> Date & Time -> CRON table. CRON table operations are time dependent, so it is necessary to synchronize the time via the router's NTP client.

1) You can configure an NTP server in the router under Configuration -> Date & Time -> Synchronization.

2) Select the option Synchronize to a time server using NTP at regular intervals.



3) Click on the Time server button. In the dialog that follows, add a time server (e.g. ptbtime1.ptb.de).






Scenario 1:

1) First, create a new firewall rule under the menu item Configuration -> Firewall/QoS -> Rules.





2) Enter the name of the firewall rule.

Caution: If the item This rule is active for the firewall is activated and the configuration is written back to the device, communication with the Internet is no longer possible.



3) Here you select the packet action Reject.



4) For this scenario, all traffic from the intranet to the outside and vice versa is to be blocked; thus, on the Stations tab, neither source nor destination has to be entered.



6) This rule should apply to all protocols/services. For this reason keep the default settings.




7) Now confirm the firewall rule with OK and exit the Firewall dialog.

8) To block or release Internet access at certain times, the rule has to be switched on or off accordingly. This is achieved with the CRON table.

9) Navigate to the menu Configuration -> Date & Time -> CRON table.

10) Create an entry in the Cron table that activates this firewall rule at 2:00 PM.





Enter the following parameters:



Use the following syntax for the command: set /setup/ip-router/firewall/rule/DENY_ALL {fire} yes

Note:
This rule only applies to new sessions. Existing connections can continue to be used. To interrupt these open sessions, we recommend that you schedule a disconnect of the Internet connection.

To do this, create another entry in the Cron table as follows:



Use the following syntax for the command: do /other/manual-dialing/disconnect "Name of Internet connection"

11) To ensure that access functions normally after 5:00 PM, the firewall rule has to be deactivated.

To do this, create another entry in the Cron table as follows:



Use the following syntax for the command: set /setup/ip-router/firewall/rule/DENY_ALL {fire} no

An overview of all three CRON jobs should now appear like this:




Variations for scenario 2:

In order for Internet access to be blocked for a limited pool only, there is just one change to make to the firewall rule configured above.

1) Go to the firewall rule, access the tab for Stations, click on Connection source and enter the IP address range for which Internet access is to be blocked.





2) Confirm the changes with OK and exit the Firewall configuration dialog.

3) In the CRON table, add an entry that activates this firewall rule at 08:00 AM and deactivates it at 10:00 AM. The Internet connection has to be disconnected after the firewall rule is activated.

Activating the firewall rule:



Use the following syntax for the command: set /setup/ip-router/firewall/rule/DENY_ALL {fire} yes


Deactivating the firewall rule:



Use the following syntax for the command: set /setup/ip-router/firewall/rule/DENY_ALL {fire} no

4) Close the Cron table and write the configuration back to the LANCOM router.
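
A check for the schedules built above, added here as an example (not LANCOM code): it parses CRON rows using the command syntax from this page and reports a rule that is switched on but never off, a block window without a disconnect, and rows that do not parse. The (hour, minute, command) tuples, the 2:01 PM disconnect time and the connection name INTERNET are constructed assumptions, not an LCOS export format.

```python
import re
# Command syntax as shown on this page; the row tuples are a constructed stand-in.
SET_RE = re.compile(r'^set /setup/ip-router/firewall/rule/(\S+) \{fire\} (yes|no)$')
DISC_RE = re.compile(r'^do /other/manual-dialing/disconnect "[^"]+"$')
DAY = 24 * 60

def parse(jobs):
    """Split rows into rule on/off times (minutes), disconnect times and bad rows."""
    on, off, disconnects, bad = {}, {}, [], []
    for hour, minute, cmd in jobs:
        t = hour * 60 + minute
        m = SET_RE.match(cmd)
        if m:
            (on if m.group(2) == "yes" else off)[m.group(1)] = t
        elif DISC_RE.match(cmd):
            disconnects.append(t)
        else:
            bad.append(cmd)
    return on, off, disconnects, bad

def in_window(t, start, end):
    """True if minute t lies in [start, end); windows may wrap past midnight."""
    return (t - start) % DAY < (end - start) % DAY

def audit(jobs):
    """Return findings that would leave access blocked or sessions open."""
    on, off, disconnects, bad = parse(jobs)
    findings = [f"unrecognised command: {c}" for c in bad]
    for rule, start in on.items():
        if rule not in off:
            findings.append(f"{rule}: activated but never deactivated")
        elif not any(in_window(d, start, off[rule]) for d in disconnects):
            findings.append(f"{rule}: no disconnect in the block window")
    findings += [f"{r}: deactivated but never activated" for r in sorted(off.keys() - on.keys())]
    return findings

def blocked_at(jobs, rule, hour, minute):
    """True if the schedule has the rule switched on at hour:minute."""
    on, off, _, _ = parse(jobs)
    return rule in on and rule in off and in_window(hour * 60 + minute, on[rule], off[rule])

# Constructed sample: scenario 1, blocked from 2:00 PM to 5:00 PM.
SCENARIO_1 = [
    (14, 0, 'set /setup/ip-router/firewall/rule/DENY_ALL {fire} yes'),
    (14, 1, 'do /other/manual-dialing/disconnect "INTERNET"'),
    (17, 0, 'set /setup/ip-router/firewall/rule/DENY_ALL {fire} no'),
]
# Constructed faulty table: the "no" row lacks the rule name and there is no disconnect.
FAULTY = [SCENARIO_1[0], (17, 0, 'set /setup/ip-router/firewall/rule/{fire} no')]
```

Here audit(SCENARIO_1) returns an empty list, while audit(FAULTY) reports the unparsable row and that DENY_ALL is never deactivated, which is the state the Caution in step 2 warns about.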


Notice:

· Each item is described by pop-up help text. Just click on the question mark at the top right of the dialog.