Firewall Time feature - I can't get this to work..Need Help!


I Setup VYOS on a Virtaul box with the following configuration:

eth0 - DHCP - WAN
eth1 - - LAN

I want to block virtual machine at a specific time of day. The default will drop any connections going into LAN IN. I’m only allowing to go through LAN IN at a specific time. Before entering the time command the rule will work. It will allow to bypass the LAN in. So this rule is working.

I check the date on router:
date -> Wed Aug 29 19:13:26 EDT 2018

Here is my rule:
set firewall name block rule 10 action accept
set firewall name block rule 10 source address
set interfaces ethernet eth1 firewall in name block
Default action is to drop

At this point My device can ping and the web is working.

Next I will add the time:
set firewall name block rule 10 time starttime 19:20:00
set firewall name block rule 10 time stoptime 19:30:00

I’m assuming at this point that the should be blocked until 19:20:00 arrives.
Wed Aug 29 19:17:26 EDT 2018 can still ping and still has access to the internet. nothing is being blocked.
This is where I’m lost. Need help please.



Is rule-set applied to an interface?
Please, provide output # sh interfaces ethernet

Oleksandr Mamenko


HI, Yes it is applied to the IN on eth1. I will send you the output as soon I get home.

Also, I would like to note that the rule should be called UNBLOCK which would make it more clear.



Here is the output requested:

vyos@vyos# sh interfaces ethernet
ethernet eth0 {
address dhcp
ethernet eth1 {
firewall {
in {
name block
hw-id 08:00:27:bc:04:68



First of all, you need to use UTC time in firewall rules.
Try to enable logging in your rule
set firewall name block enable-default-log
set firewall name block rule 10 log enable
Generate traffic and check logs
sh log firewall name block


Thanks for your quick response.
I checked the UTC time on my VYOS router and adjusted the time rule to match the UTC time. That seems to have resolved the issue. This allows the PC access to the internet at the correct time and disconnects it at the correct time. Awesome!!

Can the firewall only use UTC?
Thanks again


I think is good candidate for feature request
maybe this should be inline with system timezone settings