How to create time based/scheduled blocking methods [Tutorial]

I wanted to share how to create time based schedules for pihole.
Please note, that although dns doesn't last forever, there could be some delays in the exact times you set. for example, if your kid tries to go to a blocked site at 1229, and you turn off blocking at 1230, then they may not get access until 1235 or so. but generally it'll be fine.

Why use this method over others? Most methods use either very complicated database modifications, or they use scripts that add and remove domains and lists. this method specifically has one command to enable and disable it in the database, which simplifies the linux side of it. And all blocks/allows are done through the web portal, so now I just have to add whatever to the group, in the web portal, instead of having to remember where I saved a script and so on.

With that out of the way, this is actually very simple. (if you already have your kids on grouped blocklists, you can skip straight to step 5 to enable the schedule)

Step 1. go to "groups" in the main web admin portal.
Create the group you want.  For this example, we will use a group named "School_Hours"
(A group ties all the rules and devices together)
Step 2. go to "clients".
Add all the clients by mac address that should belong to this group, and assign them to the default group (for ad blocking) as well as the "School_Hours" group for time based website blocking.
Figuring out what device belongs to what mac address can be tricky. there are a lot of tricks online, but generally you will only have a couple "hp" or "dell" devices as well as "apple" devices etc...
(A client is, for example, your childs laptop)
Step 3. go to "domains"
add all the rules you want to block and assign them to the group "School_Hours"
An example might be 
.*\.io$
(A domain is, for example, www.google.com, can be blocked or allowed)
Step 4. go to "Adlists"
add any adlists you may want to block during school hours.
a good example is
https://raw.githubusercontent.com/8layer8/pihole-games-list/main/games.txt
(an adlist is a list of domains - can be blocked or allowed)
Step 5.
This is the "tricky part" of this whole thing.
So for the example above, here is how I add time based changes. 
Step 5a. 
Use SSH to log into the pi-hole, I prefer the program putty. but you can use default ssh in linux OR powershell with something like:
ssh pi@192.168.0.100 
but replace 192.168.0.100 with your pi-hole ip address
and enter your admin password (username is "pi" if it asks)
Step 5b.
edit the crontab... to do this, you enter the command
sudo crontab -e
(if you don't use sudo, you will not have root privileges to edit the database, and it won't work)
Step 5c.
Enter the following 2 lines into the end of your crontab file
0 15 * * 1-5 sqlite3 /etc/pihole/gravity.db "update 'group' SET enabled = 0 where name = 'School_Hours'" && pihole restartdns reload-lists
0 22 * * 0-4 sqlite3 /etc/pihole/gravity.db "update 'group' SET enabled = 1 where name = 'School_Hours'" && pihole restartdns reload-lists

the first line disables the group by setting enabled to 0 (off) in the database, and then forcing pihole to revalidate it's lists - same way it does if you click disable in the webpage
The second line does the same, except sets enabled to 1 (on)
the numbers at the beginning define "times" to run, and I give more examples below

Step 5d.
once you have edited the file...
Press ctrl+x to quit. it will ask to save,
Press "Y" key to say "Yes I want to save changes"
Press enter to overwrite the same file name.
NOTE: if you press "N" instead, it will close and make no changes. and if you change the file name, it won't have an effect.

let me explain the above times and how it works just for your information

0 15 * * 1-5 = 1500 or 3pm on monday through friday
0 22 * * 0-4 = 2200 or 10pm on sunday through thursday

so I just block everything between 10pm and 3pm, but your hours may differ here are some examples that may help you out

30 7 * * * = 730 am
45 12 * * * = 1245 pm
15 0 * * * = 1215 am (15 mins past midnight)

* 3 * * * = every minute between 3am and 359am
0 * * * * = every hour on the hour. 

there are crontab time helpers out there a good one is crontab.guru
but you can use anyone you want

If your pihole is off, it will not run these commands, so if that concerns you, you can set it to run multiple times. for.example

0 22-23 * * 0-4 = run at 10pm and 11pm sunday-thursday 
0 0-14 * * 1-5 = run at midnight, 1am, 2pm...through 2pm monday through friday
*/20 15-21 * * 1-5 = run every 20 minutes from 3pm to 9:40pm on monday through friday

This way if the device reboots or is off, it would catch it on the next hour. it's sort of overkill, but incase you wanted to know, or be extra safe.

if the above isn't helpful enough - here is how it works -

there are 5 positions in the time bar
(1) (2) (3) (4) (5)
1 is minute of hour, 2 is hour of day, 3 is day of month, 4 is month of the year, 5 is day of week...
examples are: 
a star denotes ALL 
EXACT: 0, 20, 30
REPEAT: every 20 minutes = */20 --- every 5 minutes = */5
RANGES: 1-20, 20-30
SEPERATE-EXACTS: use a comma 0,20,30 (every 0, 20 and 30)

so the example:
0 15 * * 1-5 means 0 minute of the hour. at 15th hour of the day. every day of the month, every day of the year, when the day of the week is monday-friday (0=sunday,1=monday,5=friday, 7=sunday)

REMEMBER: This is time based, so if you want to block, say adult websites, make sure you have a DIFFERENT group for the kids, or whoever, that is always on, and their "Clients" are ALSO a part of.

There are similar answers out there, but they all tell you how to disable specific clients, or specific domains etc.. and are very cumbersome due to that method especially if they focus on ALL domains tied to a group. The reason I believe they didn't disable the "Group" instead of ALL the domains tied to that group forexample, is because when you navigate the database, there are issues with asking for the group data base by name. This is due to sql having a command "Group BY" and it gets confused, but if you use single quotes to tell it that you are giving them the ENTIRE name, it then works as expected.

Being extra safe:
To be safe in iphones, disable "Private Wifi Address" for your home wifi network (on their phone) to ensure you can manage it.
also for EXTRA security (and headache):
Set your router to mac address filtering and only ACCEPT the listed mac addresses.
This is time consuming but will hard force their mac's to be filtered, and trying to swap mac addresses or use an external device will not connect to your wifi. the down fall is that your friends will have to be added to your mac address list in your router. - or use a guest network if possible

1 Like

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.