Family profiles?

Hi there. I am pretty new to the project. I have installed OpenWRT on a Raspberry Pi 4, and it works very well.

I have a question - is there a way to assign user-profiles to certain devices, then set rules for each profile around what categories of sites they can visit, when they can access the internet, etc?

I know it is possible using mac-address filtering, etc, but it would be great if there was a higher-level interface that understood who owned what device, and the ability to set schedules.

Is this a package that doesn't yet exist?

On the subject of site categories, I haven't found anything that can do that in OpenWRT. There are several free site-categorisation APIs available, which means instead of creating manual black/white lists, you can just say block {gambling, pornography, drugs}, etc. Is there a plugin for that I haven't found yet, or is this yet another that doesn't yet exist either?

If we could link user profiles and site categories together, it would be a great sell. Happy to lend some Bash scripting dev time if needed (with help), but not so great on Java, etc...

Thanks.... :slight_smile:

You can do all these things that you mention, however there is no package or turn key solution. Content filtering should depend on some dns service, like cloudflare family.

1 Like

Thanks @trendy. This sort of helps. I have as a result configured a DNS HTTPS proxy to forward to CloudFlare family protection, and an "Intercept-DNS" rule which forwards all DNS requests to the local DNS proxy. Works fine!

What I think we could benefit from however is a way of grouping devices together into profiles. Ideally, a profile should contain a list of mac addresses. Then there should be the ability to write traffic rules, schedules, etc based on these profiles. I would be happy to contribute if anyone else thinks this is a good idea!

Looking into fw3, you have the option to use src_mac. Does anyone know if you can add multiple src_macs in a single rule? Thinking you could create a rule per device group, and then enable/disable them.

You can allocate each of the devices a static dhcp lease and then filter based on source ip address. No need to use the mac address.

You can also then setup time based iptables rules : add a bunch of ip addresses to an ipset to treat it as a "profile/group" and then create the relevant iptables rule to match against the ipset.


One way to do this is to create VLANs for the various groups, and different SSIDs for each VLAN. This is similar to how a company would classify say "developers" vs "accounting" vs "marketing" vs "DMZ" etc

So for example you could have:

VLAN 1 = trusted adults LAN... wired and wifi ssid = "mynet"

VLAN 3 = kids LAN... wired and wifi ssid "mynet-kids"

VLAN 4 = IoT LAN ... wired and wifi ssid "mynet-iot"

etc... then have different policies based on which subnet the packets come from / head to.


Thanks guys, great advice.

BTW, I am very aware of vlans, iptables, dhcp reservations, etc.

I am working on a project for a very large company that owns internet providers in multiple countries. They plan to bring out "family time", which effectively abstracts away mac filtering rules, etc into family profiles, where you can specify family members and group their devices, then set rules based on time, content categories, etc.

What I would love to see is an open-source version of this, which makes it "family friendly". No one wants to much around with vlans, iptables, dhcp reservations, etc - it needs to have a higher-level interface. It should ideally have an API which could be extended by home automation services, etc. Me, I am an architect rather than a developer, so I can offer design guidance, but need someone with some strong coding experience and willingness to help if we are to make this a real thing.

Thinking about the following scenario:

Devices screen:

  • You can see a list of known mac addresses and any existing profile associations
  • You can select one or more mac addresses and click "add to user profile"
  • You can create a new user profile or add to existing

Profiles screen:

  • You can see and edit a list of known user profiles
  • You can add a profile
  • You can edit a profile - change it's name, list of devices and assigned ruleset

Ruleset screen:

  • You can define a ruleset
  • You can edit a ruleset
  • When you edit a ruleset, you can:
    • Add website categories from an external website categoriser such as to a blacklist or whitelist
    • Add URL regex patterns to a blacklist or whitelist
    • Add a schedule

Schedule screen:

  • You can view and edit schedules
  • When editing a schedule, you can define:
    • A name for the schedule
    • A time/day pattern with on/off times, using a graphical point/click interface or time/day/date strings

Browsing history

  • Probably part of the user profile screen
  • You can check the website history of a user profile, showing which device, which website, time/date of access
  • You can see attempted access to sites blocked by time or content filter
  • You can see search results (might be tricky if search engine uses SSL)

Ultimately, it should be a good enough to tempt even less tech-savvy families to use it and expand the userbase of OpenWRT. Given suitable hardware is becoming cheaper and more easy to install (I am using a Raspberry Pi 4), it could be a good solution for lots of families!