How To Set Up Time-Based Firewall Rules on MikroTik RouterOS

A simple way to create firewall filter rules that are only active at certain times, without needing to use scripts, is to use the built-in “Time” field found in the “Extra” menu when configuring a firewall filter on MikroTik RouterOS.

It's important to make sure your router's system clock is keeping the correct time, because the rule is only as accurate as the clock it is matched against. The easiest way to do this is to use an NTP server. You can find my guide on how to do this here.

Create a New Firewall Filter:

In this example I’m going to create a filter rule that stops devices on the network from reaching thesebytes.net from 12AM till 6AM each day, Monday to Sunday. However, the time feature works for any filter rule and can be applied to a number of different scenarios.

To get started, navigate to IP > Firewall.

Once inside the Firewall window, make sure you’re on the “Filters” tab, and then click on “New” to add a new firewall filter.

A new window will pop up, which we use to configure our time-based firewall rule. Starting from the top, make sure the filter is enabled, and leave a helpful comment describing what the rule is for.

In my case, I’m dropping all traffic on the forward chain that is being forwarded to thesebytes.net, which has the IP address 41.222.34.15. It’s worth pointing out that you can also make an address list, which allows a DNS name to be used instead of having to manually type in an IP address.

Scroll down to the “Extra” menu, and in there you will see a field called “Time”. This is where we set the start and end time, and the days on which our filter rule will be in effect. The format is hh:mm:ss (hours, minutes, seconds), with 00:00:00 being 12AM. So 00:00:00 – 06:00:00 with every day selected is from 12AM to 6AM, Monday through Sunday.

After all of that is configured, we just need to head over to the “Action” menu, set the appropriate action (in my case drop), then hit “OK”. Be sure to drag your new filter rule into the correct position in the rule list, otherwise the intended traffic might never hit this filter.

Now my PC, which is connected to this router for internet, is unable to ping thesebytes.net during the times that the filter rule is active. Notice how the bytes counter is increasing; this indicates that the traffic is hitting the rule correctly.

Why is this working? It's very simple: I added a firewall filter telling the router that any traffic on the forward chain destined to the thesebytes.net web server IP must be dropped from 12AM to 6AM, Monday to Sunday. Because I’m trying to ping thesebytes.net from my PC, which uses the router to forward its traffic, the router recognises the dst address and drops the traffic.
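The same rule can be built from the RouterOS terminal instead of WinBox. This is an added example, not part of the original walkthrough; the comment text and the address list name `blocked-sites` are assumptions chosen for illustration.

```routeros
# Added example: terminal equivalent of the WinBox steps described above.
# The rule comment and the list name "blocked-sites" are assumed names.

# 1. Check the clock and time zone first. The time matcher compares
#    against the router's system clock, so a wrong clock shifts the window.
/system clock print

# 2. The rule from the article: drop forwarded traffic to 41.222.34.15
#    between 00:00:00 and 06:00:00 on every day of the week.
#    0s-6h is the terminal notation for 00:00:00 - 06:00:00.
/ip firewall filter add chain=forward dst-address=41.222.34.15 \
    time=0s-6h,sun,mon,tue,wed,thu,fri,sat action=drop \
    comment="Block thesebytes.net 12AM-6AM"

# Alternative to the dst-address rule above, using an address list so the
# router resolves the DNS name itself:
# /ip firewall address-list add list=blocked-sites address=thesebytes.net
# /ip firewall filter add chain=forward dst-address-list=blocked-sites \
#     time=0s-6h,sun,mon,tue,wed,thu,fri,sat action=drop \
#     comment="Block thesebytes.net 12AM-6AM"

# 3. Rules are evaluated top to bottom, and an accept rule above this one
#    that matches the same traffic wins. Print the list to get item
#    numbers, then move the new rule where it belongs. Position 0 (the top)
#    is an assumption; pick the position your own rule set requires.
/ip firewall filter print
/ip firewall filter move [find comment="Block thesebytes.net 12AM-6AM"] destination=0

# 4. During the active window, the packet and byte counters on the rule
#    should increase while a client pings the blocked address.
/ip firewall filter print stats where comment="Block thesebytes.net 12AM-6AM"
```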

There isn’t much else to it, and this can be appended to any filter rule. It's very handy in certain situations and can definitely simplify your config when required.