Firewall Time Restrictions/Parental Controls Problems

My main question is what exactly you want to do.

Blocking access to the internet for some particular devices during some hours/days based on MAC is almost useless alone. You basically need to put some restrictions on the devices that connect (if we talk about a laptop/PC it goes as far as not allowing it to boot from USB, DVD, etc.).

Allowing only specific MACs and blocking everything else is a bit better... But even this is not perfect...

Basically, taking down the interface during some hours/days is kinda the only way I see it working in a way that can't be bypassed.

1 Like

Quick fix is to “Work around the problem by explicitly emitting capitalized weekday names” in your rules.

I'm trying to restrict WAN access at certain times of the day for children so they will go to bloody bed haha :grinning:

How is it useless? It actually works on every device that I have tested on, except when I add specific weekdays, but this has been confirmed as a bug and will hopefully be fixed soon. I guess I'll just have to keep an eye on things to see how they operate once the rules are successfully in place. I already have restrictions set on the device side too, but kids always seem to get around them.

Allowing specific MACs requires a lot more administrative work and I honestly don't see how that would be better.

If things don't work out, then this is likely the best solution. I'll have to add an extra SSID with all the other stuff and put the restricted devices on a separate SSID.

Yeah but the problem is, I'm not sure where to change these rules. I can't change them in the GUI and I'm not sure how to edit them over SSH. Thanks

Now I don't use the parental side, but I do use the adblocking and client part. You can define clients and rules for them. So you could just do adblocking for all, but the kids get further controls etc.

Instructions for managing clients are here : https://github.com/AdguardTeam/AdGuardHome/wiki/Clients

Might be a bit easier than using firewall rules?

There are currently two ways to use/install AGH.

and the manual thread method

1 Like

Let's take a bit harder restriction.

You have the AP having also a MAC white list. In that white list devices A1, A2, A3 and A4 are allowed to connect.
Now for devices A2, A3 and A4 you decide to block access between let's say 22:00 and 7:00.

The only thing that one of the devices A2, A3 or A4 has to do is use the MAC of A1 before A1 is connected to the AP, and everything has become useless.

Figuring out the MAC of A1 when they live in the same house is relatively easy. Also connecting before A1 is relatively easy because the kids might just power off/unplug device A1. :slight_smile:

Now you need to block somehow devices A2, A3 and A4 from being able to change the MAC.

The entire idea is not to underestimate what the kids will do when you try to stop them.

L.E.:
Now let's look at another way.
We have AP1 for device A1 and AP2 for devices A2, A3, A4. If you disable AP2 during specific hours the kids will notice it; if you cut internet access for AP2 during specific hours the kids will also notice it.
If they see AP1 when AP2 is off or not working, they might easily figure out it's in the same house (there are smartphone applications that show the signal power of APs, and AP1 and AP2 will have close values even if they are separate devices).
Now the kids will just try to figure out how to connect to AP1 and if they can put their hands on A1 they will get the info needed.

L.E. 2: There is also another problem. If the kids have access to smartphones they might just use the data plan, make a hotspot with the smartphone and happily go on using the internet from their smartphone. You risk ending up with a not so nice bill because of this.
So if they have smartphones you will have to deal with this problem too.

2 Likes

For SSH, if you are using Windows, get https://www.putty.org/; that will allow you to open an SSH console window to your router.

Also, I suggest using WinSCP for editing files on the router: https://winscp.net/eng/index.php
It gives you an explorer type interface for editing and browsing files.

1 Like

There's a parental response to that. If they start messing with MAC address cloning, they lose their device. And it won't take long to spot it either, because while they may clone the MAC, I bet they forget to change the device name, and a MAC with "daughters iphone" when it should be dads iphone is easy to grep from log files.

2 Likes
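An added example of the log check described in the post above (it is not code from this thread or from OpenWrt): it reads dnsmasq's lease table in the /tmp/dhcp.leases layout OpenWrt uses (expiry, MAC, IP, hostname, client-id), compares it against a list of the hostnames you expect for each MAC, and reports any lease where a known MAC shows up under a different name. The lease lines and the expected list are constructed sample data, and the helper name lease_mismatches is mine.

```shell
#!/bin/sh
# Constructed sample leases in dnsmasq's /tmp/dhcp.leases format:
#   <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES='1700000000 aa:aa:aa:aa:aa:01 192.168.1.10 dads-iphone 01:aa:aa:aa:aa:aa:01
1700000100 aa:aa:aa:aa:aa:02 192.168.1.11 daughters-iphone 01:aa:aa:aa:aa:aa:02
1700000200 aa:aa:aa:aa:aa:03 192.168.1.12 kids-laptop *'

# Constructed expectation list: one "<mac> <hostname>" pair per line.
EXPECTED='aa:aa:aa:aa:aa:01 dads-iphone
aa:aa:aa:aa:aa:02 daughters-iphone
aa:aa:aa:aa:aa:03 sons-laptop'

# lease_mismatches <expected-file> <leases-file>
# Prints one MISMATCH line for every lease whose MAC is in the expected
# list but whose hostname differs from the one recorded there.
# Works with busybox awk, so it can run on the router itself.
lease_mismatches() {
    awk 'NR == FNR { expect[tolower($1)] = $2; next }
         NF >= 4 {
             mac = tolower($2)
             if (mac in expect && expect[mac] != $4)
                 printf "MISMATCH %s leased as %s, expected %s\n", mac, $4, expect[mac]
         }' "$1" "$2"
}

# Stand-alone demo over the constructed data (on a router you would pass
# your own expectation file and /tmp/dhcp.leases instead).
EXP_FILE=$(mktemp); LEASE_FILE=$(mktemp)
printf '%s\n' "$EXPECTED" > "$EXP_FILE"
printf '%s\n' "$SAMPLE_LEASES" > "$LEASE_FILE"
lease_mismatches "$EXP_FILE" "$LEASE_FILE"
rm -f "$EXP_FILE" "$LEASE_FILE"
```

The hostname is whatever the client sends in its DHCP request, so a mismatch is a prompt to go and look, not proof of anything; the point is that it surfaces the "wrong name on a known MAC" case the post describes without reading the whole lease file by eye.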

Thanks. Some great info there. You're absolutely right though. It's foolish to think kids won't work this out. I will be watching the logs very closely! Thanks! :blush:

1 Like

Excellent! I never thought of using WinSCP. Great idea. I'll check that later!

I'm currently using the Ubuntu WSL terminal on Windows. I had a quick look and was getting permission denied to fw4.uc I think, but didn't really have time to investigate why. Will look into it more later :+1:

1 Like

Yes exactly! I'll be making them aware that I'm watching :smiley:

On a side note, I also have AdGuard Home running. It's absolutely incredible how much nonsense comes in from TikTok. It is riddled with rubbish.

1 Like

Ah well, that makes it even easier. Check out the client config section and you can lock their net access down more with parental controls, and then it's just a "disobey and lose your devices" to enforce :slight_smile:

If you use AGH's DNS service as your upstream you can set the kids to use the filtered DNS service while letting the adults use the unfiltered DNS with just adblocking.

I use Cloudflare DNS so I don't get the blocked malware/adult blocking, but you get the idea.

1 Like

Re-run the command below for the current state of Rule Name 'Child-Weekdays' and post the output:

uci show firewall.@rule[-5]
1 Like

Thanks! I'm just getting started with AdGuard Home and certainly plan to utilise it more. I've been using AdGuard for years on other devices and it has been great.

1 Like

Thanks again for this. That's exactly what I want to do as a matter of fact. Just haven't gotten around to it just yet :slight_smile:

I'll sort out the parental controls first, then move on to this and then probably VLANs next.

1 Like

They have an easier to use version that's beta testing now.

From a look it's aimed at being simpler but not as customisable?

Aimed more at people who are not as experienced technically. Certainly I like the look of it for better stats, but some of the stuff is supposed to be getting folded into newer versions of AGH.

As I understand it, it's just a matter of tagging the clients and then setting what rules you want applied to them. I've never done it as I don't have the need for it, but if you try it and get it sorted, I'd love it if you added your experience / thoughts to my AGH manual install thread for others to see (and then I can throw it into the AGH wiki for others).

(edit) - Also there are some tips on DNS hijacking and other pitfalls I highlight which may be of help to you. Enforcing all DNS queries to go via AGH stops those pesky hardcoded IoT devices and Smart TVs from leaking out your data.

Perflyst and Dandelion Sprout's Smart-TV Blocklist https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt

https://github.com/anudeepND/whitelist is also worth using, as some blocklists screw things up. This whitelists common domains to avoid issues. He also has a referral link version if the wife likes shopping sites to get coupons etc.

Thanks. I've yet to make the change to fix it but I think it looks correct as it is? Like I say, things only seem to go wrong if I create the rule with 'Any' day, then edit the days thereafter. I'll see if I can get the fix put in shortly and then provide the output again.

root@******:~# uci show firewall.@rule[-5]
firewall.cfg1092bd=rule
firewall.cfg1092bd.name='Child-Weekdays'
firewall.cfg1092bd.proto='all'
firewall.cfg1092bd.src='lan'
firewall.cfg1092bd.src_mac='AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA'
firewall.cfg1092bd.dest='wan'
firewall.cfg1092bd.target='REJECT'
firewall.cfg1092bd.weekdays='Sun Mon Tue Wed Thu'
firewall.cfg1092bd.start_time='21:10:00'
firewall.cfg1092bd.stop_time='08:00:00'

This should set the weekday names to their capitalized full forms:
uci set firewall.cfg1092bd.weekdays='Sunday Monday Tuesday Wednesday Thursday'

This should show the new changes applied; run it to verify:
uci show firewall.@rule[-5]

All good? Commit the change and restart:
uci commit ; /etc/init.d/firewall restart
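As an added example (not code from this thread or from the OpenWrt/fw4 project), here is a small POSIX shell helper that applies the workaround above: it maps abbreviated weekday names such as "Sun Mon" to the full capitalized names, refuses anything it does not recognise so a typo cannot slip into the rule, and prints the matching uci set command. The section id cfg1092bd is the one shown in the thread; the day lists passed in are constructed, and the function names are mine.

```shell
#!/bin/sh
# Map one weekday token (any case, abbreviated or full) to its full
# capitalized name. Prints nothing and returns 1 for an unknown token.
full_day_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        sun|sunday)              echo Sunday ;;
        mon|monday)              echo Monday ;;
        tue|tues|tuesday)        echo Tuesday ;;
        wed|wednesday)           echo Wednesday ;;
        thu|thur|thurs|thursday) echo Thursday ;;
        fri|friday)              echo Friday ;;
        sat|saturday)            echo Saturday ;;
        *) return 1 ;;
    esac
}

# normalize_weekdays "<space-separated day list>"
# Prints the list rewritten with full names; fails on any unknown token.
normalize_weekdays() {
    out=""
    for tok in $1; do
        name=$(full_day_name "$tok") || return 1
        out="${out:+$out }$name"
    done
    printf '%s\n' "$out"
}

# uci_weekday_fix <section> "<day list>"
# Prints the uci command that rewrites the section's weekdays option.
# Pipe it into sh (followed by uci commit) once you have read it.
uci_weekday_fix() {
    section="$1"
    days=$(normalize_weekdays "$2") || return 1
    printf "uci set firewall.%s.weekdays='%s'\n" "$section" "$days"
}

# Stand-alone demo with the day list from the thread's rule.
uci_weekday_fix cfg1092bd 'Sun Mon Tue Wed Thu'
```

On the router you would feed it the current value, for example uci_weekday_fix cfg1092bd "$(uci get firewall.cfg1092bd.weekdays)", check the printed command, then run it and commit as in the post above.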

Thanks! I tried that and the change does indeed show; however, I am still not able to successfully restart.

Modified rule

root@*****:~# uci show firewall.@rule[-5]
firewall.cfg1092bd=rule
firewall.cfg1092bd.name='Child-Weekdays'
firewall.cfg1092bd.proto='all'
firewall.cfg1092bd.src='lan'
firewall.cfg1092bd.src_mac='AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA' 'AA:AA:AA:AA:AA:AA'
firewall.cfg1092bd.dest='wan'
firewall.cfg1092bd.target='REJECT'
firewall.cfg1092bd.start_time='21:10:00'
firewall.cfg1092bd.stop_time='08:00:00'
firewall.cfg1092bd.weekdays='Sunday Monday Tuesday Wednesday Thursday'

And the restart

uci commit ; /etc/init.d/firewall restart
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
/proc/self/fd/0:90:153-160: Error: Could not parse Day of week of packet reception