Functionality of "Parental Control" on OpenWrt

Planning to do some development in this area, may be a package similar to AdBlock, I would like to get some feedback regarding expected functionality, in a series of questions/answers to/from the community.

First of all: Should the policy (blocked domains, web access schedule, etc.) be individual for the controlled device (laptop, PC etc.) OR or to be individual to the user ?
In case, policy is individual to connected device, this will also cover connected TVs etc. But the controlled device should not be handled to another person.
Policy, individual to the user, would need some identification, i.e. similar to a captive portal. Allows a shared family PC, but does not handle a device like a TV.

What would you prefere ?

I find the idea of captive portal approach interesting, but I am not sure if there will be demand for it. I mean I belive these days most kids have their own devices or share devices among themselves (in which case they all probably require similar amount of control).

1 Like

Actually, I am only talking about devices, connected to the WiFi of the openwrt router. So, to go to the web, every user has to log-in on the captive portal, like in a public hotspot. And according to the log-in, the corresponding, pre-defined profile applies. I.e. Tom, 6 years, will get no access to facebook, and no access to porn sites. However, Mary, 16 years, is allowed to use facebook. Whether the device using the openwrt router, is private or shared, then does not matter.
As mentioned, this method will not work with TV via WiFi, for example.

Ah in that case I think it can be useful for community projects.

You could check the availability for tools for both approaches, and see where you can make a difference.

I am very acquainted to the methods to be used. I.e. on commercial basis, I did several hotspot projects, always using coova-chilli, which is the most advanced, and complicated tool for the captive portal. And I did few clones of openDNS, for various WISPs, who do not want to pay for a commercial license of openDNS.
So the kernel of parental control I have already. But I do not want to waste my time going into the wrong direction, regarding the usage.
AFAIK there are quite a few devices on the market, using WiFi, which will not be able to do a login via captive portal, like TVs, speakers. But in case the parental control is device based (MAC), this is a non-issue.
BTW: This parental control can do ad-blocking, too, of course.
Unfortunately, based on the amount of feedback, it looks like this topic "Parental Control" is not very interesting. Although quite a few commercial products on the market ...

I think the lack of response is because the question was posted in one of the most hidden corners of the forum, plus most users come here if they have issues.
If everything works as it should, they probably don't read/google it.

I too think it's a good idea, even though my kid is soon to old for the tools box you're describing.

1 Like

In case, your kid would be younger: User-based approach (similar to public hotspot) or device-based (MAC), which one would you prefere ?

This stuff works ok sort of... But its easy to wind up with exceptions. My kids have no access during such and such hours but now their teacher assigns some homework so I have to bypass all my controls anyway. Or there's a kindle book I want them to have. Or they want to video chat with a friend who is only available at certain time. Or they need to access some website because it's actually about Richard Nixon and it's legit for a school project or whatever. It's almost more trouble than it's worth... Almost. I'd suggest rather simple stuff and then an easy web page where you can click a button and do a 15, 30, 60, or 120 minute bypass. The bypasses are always the annoying part and there is just no way to go without them.

Note please don't click that link thinking it's about Richard Nixon I just made that up and never went to that site so I don't know where it goes :rofl::sweat_smile:


It's a parked domain, in case you are interested. But let's not discuss the suggested search results on the parking page.

I'd rather have a device based set up, with or without grouping, so I could easily block all the
devices jr have access to (phone, ipad, PS4 , laptop whatever ....)

What dlakelan wrote is also important - the possibility to increase by fixed values, or X mins, applied on device and/or group.

Site black list would be good to, but those would have to be maintained, unless there
are domain lists you could subscribe to. A disable/enable switch is probably a must here.

1 Like

For my family usage , I would prefer MAC (device based). Mostly because that is what I am most familiar with. My kids are still quite young and if they had to periodically type a password into a captive portal they would be furious with me.


While I admit that the idea would be useful for some (or more during these troubled times) it won't work for the majority on the long run. The only good "Parental Control" is a android/IOS app that should also work when connected to public hotspots or mobile data.

I guess, that could be the second step.
Anyway, MAC-based or like a captive portal ?

MAC-based. By the time my kids can spoof MAC, I'll need an entirely different set of tools.

Mobile and laptop devices can use MAC randomization for privacy, and this tendency is likely going to escalate in the future to be enabled by default.
Thus, although you can provide MAC-source based restrictions, you should consider using a separate SSID to make it reliable.

Client OS and browsers can use encrypted DNS, and in many cases this is already a problem to restrict client devices to exclusively local DNS.
So, content filtering that solely relies on DNS cannot be considered reliable nowadays.

I was thinking this as well. In the future I suspect Android and iOS devices will use a different MAC every time they connect.

I really think SSID/network/vlan level filtering is the only thing you're likely to get good results from.


So it looks like, MAC based access control is the favored method. Makes a few things easier.


Your args are valid, but I do not agree on your conclusion. Yet. many cases this is already a problem to restrict client devices to exclusively local DNS....
In which cases ? Chrome and FF both provide methods to avoid encrypted DNS. Which is very "suspect" in corporate environments. Or schools. Or ...

This bypass, to be enabled by the parent only, upon childs request, or by the child itself ?

I would think parent only