As per the diagram, I have a Mercku M2 mesh base station plugged into a LAN port on my TP-Link router.
The M2 can be switched between bridging and routing. Right now I have it set to routing, which has its pros and cons.
Pro:
Provides one level of isolation between kids' computers & WiFi devices and work PCs.
Ability to use inbuilt parental controls with simple per-device scheduling and block lists. This is very important.
Con:
I can't monitor individual device traffic on the main OpenWrt router.
The Pros and Cons of bridging mode are the inverse of those of routing mode, that is, I can monitor individual device traffic through the Mercku but there's no network isolation and I lose easy scheduling and blocklists.
My question, therefore, is as follows:
Can I set up OpenWrt to see the traffic from individual devices on the Mercku mesh even while it's in router mode?
If not, is there an OpenWrt extension that provides easy parental controls?
I can set up firewall rules without too much trouble but
a) this is going to be used by my sister and her husband, who will never in a million years learn to use OpenWrt but can manage the friendlier Mercku UI, and
b) Around here schedules are only a suggestion so quick access to blocklists is essential for moderating internet access.
Routed or bridged, unless the Mercku router is adding NAT, the upstream openwrt router should see the traffic either way. As a design preference, I would always try to minimise broadcast domains, so routing has that. But for simplicity I'm using bridging for my network that's fairly similar to yours.
As for parental control, I can speak from direct experience on that. OpenWRT has all the facilities to do the job but they are not well integrated for this specific purpose. Here's what I've got:
adblock on the LAN, banIP on the WAN
kids devices get static leases from a specific subnet
traffic rules with time restrictions. These are very effective but not simple to use for non-technical users - just navigating to the time restrictions is tedious on a phone and even more so when I'm not at home. At least having the kids devices assigned addresses by subnet means I can target either or both.
time restrictions do not span days well. I have one non-negotiable rule "kids must sleep" from 00:00 to 6:30
Perhaps you can get the best of both of each device
The horrific part is that this is an option they're considering.
On a blog somewhere I found a post describing a homebrew solution using OpenHAB on Android to control WRT firewall rules. It looks doable although it would probably be a lot of work on my end.
A thoughtfully-implemented, comprehensive, GUI-based parental control system for the technically challenged strikes me as the kind of thing that would have an almost universal appeal in households and I'm a little surprised nobody's come up with a solution that dovetails nicely with OpenWrt and/or LuCI.
I don't know, I mean, many of us in the community are probably parents who would like their technically-unsavy partners to be able to control internet access for the kids.
The horrific part is that this is an option they're considering.