Functionality of "Parental Control" on OpenWrt

While I admit that the idea would be useful for some (or more during these troubled times), it won't work for the majority in the long run. The only good "Parental Control" is an Android/iOS app that should also work when connected to public hotspots or mobile data.

I guess, that could be the second step.
Anyway, MAC-based, or something like a captive portal?

MAC-based. By the time my kids can spoof a MAC address, I'll need an entirely different set of tools.


Mobile and laptop devices can use MAC randomization for privacy, and this tendency is likely to escalate in the future, to the point of being enabled by default.
Thus, although you can provide MAC-source based restrictions, you should consider using a separate SSID to make it reliable.

Client OSes and browsers can use encrypted DNS, and in many cases this is already a problem when trying to restrict client devices to exclusively local DNS.
So, content filtering that solely relies on DNS cannot be considered reliable nowadays.


I was thinking this as well. In the future I suspect Android and iOS devices will use a different MAC every time they connect.

I really think SSID/network/vlan level filtering is the only thing you're likely to get good results from.

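The SSID/VLAN-level approach from the two posts above, as an added example that is not from the thread or from any OpenWrt package: a shell function that emits a `uci batch` script putting the children's devices on their own SSID, bridge and firewall zone, redirecting all plain DNS to the router's dnsmasq and rejecting DNS-over-TLS. Every name and address in it (the `kids` interface and zone, `br-kids`, `radio0`, the SSID, the passphrase, 192.168.50.0/24) is an assumption to adapt.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a `uci batch` script for a
# separate children's SSID with its own bridge, DHCP range and firewall zone.
# Assumed names: interface/zone 'kids', bridge 'br-kids', radio 'radio0',
# subnet 192.168.50.0/24 (override the router address with $1).
kids_uci_batch() {
  kids_ip=${1:-192.168.50.1}
  cat <<EOF
# L3 interface on its own bridge; hostapd attaches the SSID to it
set network.kids_dev=device
set network.kids_dev.name='br-kids'
set network.kids_dev.type='bridge'
set network.kids=interface
set network.kids.proto='static'
set network.kids.device='br-kids'
set network.kids.ipaddr='$kids_ip'
set network.kids.netmask='255.255.255.0'
# dedicated SSID: policy follows the network a device joined, not its MAC,
# so MAC randomization does not matter here
set wireless.kids_ap=wifi-iface
set wireless.kids_ap.device='radio0'
set wireless.kids_ap.mode='ap'
set wireless.kids_ap.network='kids'
set wireless.kids_ap.ssid='Kids'
set wireless.kids_ap.encryption='sae-mixed'
set wireless.kids_ap.key='replace-with-a-long-passphrase'
set wireless.kids_ap.isolate='1'
# DHCP on that interface; dnsmasq hands out the router as the only resolver
set dhcp.kids=dhcp
set dhcp.kids.interface='kids'
set dhcp.kids.start='100'
set dhcp.kids.limit='100'
set dhcp.kids.leasetime='12h'
# zone: internet only, no access to the LAN, router reachable for DNS/DHCP
set firewall.kids_zone=zone
set firewall.kids_zone.name='kids'
set firewall.kids_zone.network='kids'
set firewall.kids_zone.input='REJECT'
set firewall.kids_zone.output='ACCEPT'
set firewall.kids_zone.forward='REJECT'
set firewall.kids_fwd=forwarding
set firewall.kids_fwd.src='kids'
set firewall.kids_fwd.dest='wan'
set firewall.kids_allow_dns=rule
set firewall.kids_allow_dns.name='kids-allow-dns'
set firewall.kids_allow_dns.src='kids'
set firewall.kids_allow_dns.dest_port='53'
set firewall.kids_allow_dns.proto='tcp udp'
set firewall.kids_allow_dns.target='ACCEPT'
set firewall.kids_allow_dhcp=rule
set firewall.kids_allow_dhcp.name='kids-allow-dhcp'
set firewall.kids_allow_dhcp.src='kids'
set firewall.kids_allow_dhcp.dest_port='67'
set firewall.kids_allow_dhcp.proto='udp'
set firewall.kids_allow_dhcp.target='ACCEPT'
# every plain-DNS query (UDP/TCP 53) is DNATed to the router itself
# (a DNAT redirect without dest_ip targets the router)
set firewall.kids_dns_hijack=redirect
set firewall.kids_dns_hijack.name='kids-dns-hijack'
set firewall.kids_dns_hijack.src='kids'
set firewall.kids_dns_hijack.src_dport='53'
set firewall.kids_dns_hijack.proto='tcp udp'
set firewall.kids_dns_hijack.target='DNAT'
# DNS-over-TLS uses its own port and can be rejected; DNS-over-HTTPS rides
# on 443 and cannot be told apart by port, so it is not caught here
set firewall.kids_block_dot=rule
set firewall.kids_block_dot.name='kids-block-dot'
set firewall.kids_block_dot.src='kids'
set firewall.kids_block_dot.dest='wan'
set firewall.kids_block_dot.dest_port='853'
set firewall.kids_block_dot.proto='tcp udp'
set firewall.kids_block_dot.target='REJECT'
EOF
}

# On the router: strip the comment lines and feed the batch to uci.
kids_apply() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found, not on OpenWrt?" >&2; return 1; }
  kids_uci_batch "$@" | grep -v '^#' | uci batch && uci commit && reload_config
}
```

Run `kids_apply` on the router (or `kids_uci_batch | grep -v '^#'` to review the batch first). This closes plain DNS and DoT only; DoH still needs the browser-side measures discussed later in the thread, and the `isolate` option keeps the children's devices from talking to each other over Wi-Fi.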

So it looks like, MAC based access control is the favored method. Makes a few things easier.


Your arguments are valid, but I do not agree with your conclusion. Yet.

...in many cases this is already a problem to restrict client devices to exclusively local DNS....
In which cases? Chrome and FF both provide methods to avoid encrypted DNS, which is very "suspect" in corporate environments. Or schools. Or ...

This bypass: to be enabled by the parent only, upon the child's request, or by the child itself?

I would think parent only

Correct. Already taken care of :)

Problematic in case the child is "on the road", assuming the same type of control is possible for the mobile connection. But I see your point, which is reasonable.

How about requiring a TOTP-type code? A parent can text this to a child or tell them over the phone, etc.

Sounds good. In general, I have to say, I already have all the "bits and bytes" for the MAC-based solution, also taking care of the mentioned potential issues. However, the "bypass" is missing, because it is new functionality to me. The real problem left is to assemble it into an OpenWrt package. Anybody open for some type of co-op?
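The TOTP bypass suggested in the two posts above, as an added example that is not code from the thread or from any OpenWrt package: an RFC 6238 check (HMAC-SHA1, 30-second steps, 6 digits) in POSIX sh plus the `openssl` command, so it runs on a router with `openssl-util` installed. The parent's authenticator app and the router share one secret; the router grants the bypass only for a code that matches the current step or one step either side. The secret is handled as hex here (an authenticator app enrolls the same bytes in base32); the value in the block is the RFC 4226/6238 test key, and the `request_bypass` hook and its MAC argument are assumptions about how the rest of the package would call it.

```shell
#!/bin/sh
# Added example, not code from the thread: TOTP verification for a parent-
# granted bypass, in POSIX sh + openssl. Assumed: the secret is kept as hex,
# and the caller turns a successful check into a firewall exception.
# The secret below is the RFC 4226/6238 test key, not one to deploy.
TOTP_SECRET_HEX=3132333435363738393031323334353637383930   # "12345678901234567890"

# Emit the raw bytes of an even-length hex string with printf only
# (busybox has no xxd). Output must be piped, never captured in $(...).
hex_to_bytes() {
  h=$1
  while [ -n "$h" ]; do
    b=${h%"${h#??}"}      # first two hex digits
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$b))")"
  done
}

# hotp SECRET_HEX COUNTER -> 6-digit HOTP code (RFC 4226 dynamic truncation)
hotp() {
  secret_hex=$1
  counter=$2
  # message is the counter as 8 big-endian bytes; MAC is HMAC-SHA1(secret, message)
  mac=$(hex_to_bytes "$(printf '%016x' "$counter")" \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$secret_hex")
  mac=${mac##*= }                  # drop the "SHA1(stdin)= " prefix
  last=${mac#${mac%?}}             # last hex digit = low nibble of last byte
  offset=$(( 0x$last & 0xf ))
  part=$(printf '%s' "$mac" | cut -c$((offset * 2 + 1))-$((offset * 2 + 8)))
  printf '%06d' $(( (0x$part & 0x7fffffff) % 1000000 ))
}

# totp_verify SECRET_HEX CODE [UNIX_TIME] -> 0 if CODE is valid for the current
# 30 s step or the step before/after it (clock drift, time spent typing).
totp_verify() {
  secret_hex=$1
  code=$2
  now=${3:-$(date +%s)}
  step=$(( now / 30 ))
  for d in 0 -1 1; do
    [ "$(hotp "$secret_hex" $(( step + d )))" = "$code" ] && return 0
  done
  return 1
}

# request_bypass MAC CODE: the decision point the package would expose to the
# child's device. On success the caller would add MAC to an exception set with
# a timeout; here only the decision is reported.
request_bypass() {
  mac=$1
  code=$2
  if totp_verify "$TOTP_SECRET_HEX" "$code"; then
    echo "bypass granted for $mac"
    return 0
  fi
  echo "bypass denied for $mac"
  return 1
}
```

A code is good for at most about 90 seconds, which is what makes it usable for "text it to the child": the child cannot reuse it tomorrow, and the parent never hands over the secret itself. Rate-limit the check (a few attempts per minute) before exposing it on a web page, since a 6-digit space is small.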

This can be non-trivial and requires additional administrative measures:

  • Disable DoH in all installed browsers explicitly.
  • Prohibit installing other software/browsers.
  • Lock browser configs from change/reset.

However, it should be possible to solve the problem by utilizing DNS + IP sets.

Yes. But it would be the second line of defence, as IP sets have to be maintained.

I'm currently using the parental controls with Synology routers. They are per device, which works okay, but it is really hard to figure out which random name each device has. And every time they bring home a new device from school I need to update settings. I don't know how to do per-user in a useful way; once a device is connected the kids do share with each other. The accounts they log into are school accounts, so I can't really snoop that. (I don't think I can successfully man-in-the-middle when the device is administered by the school.)

What I really need is a way to whitelist what they are allowed on YouTube. Too often the teacher assigns something which they watch, and the next thing I know they have been following suggestions and watching Thomas the Tank Engine. (You can now guess their age.) This probably isn't possible, but it is what is really needed. I don't worry much about blocking porn as they are too young to be interested (check back in a few years for a new tune!); I worry about blocking all but the videos allowed on YouTube.


Thank you very much for your valuable input. "Per user" requires a captive portal, like in public hotspots. So the kid has to log in before getting access to the web, according to the individual access policy. Which will not work with Wi-Fi speakers, for example. So it is a trade-off. Unless a lot of work is invested in a combined solution, both user-based and MAC-based.

Your request regarding YouTube nowadays is most likely impossible to fulfil, as the URL for the video is dynamically generated, depending upon resolution, location of the client etc., and even changes over time to invalidate caching of videos. Which I could do in the past :)
How does the teacher specify the video to watch ?

Long term I think that both MAC and user based controls are needed. Each has a different set of pros and cons. I'd recommend you start with MAC based, because it should be far easier and get something working (just a better UI on the existing firewall). That is my opinion though, I'm not doing the work.

I'm with you in that there seems to be no way to limit youtube to whitelisted videos. If someone knows the right person at google...

Teachers are putting links to the video in google classroom, or an email. I've talked to them about this, and they all respond that youtube is the only way they have of getting videos to students that works when the entire district is doing remote learning. (the school doesn't have the bandwidth)

If I controlled the devices I can see doing a man-in-the-middle, using youtube-dl to download only the allowed videos. This is the only thing I've been able to come up with, and it doesn't work since I can't get my custom certificate on devices controlled by the school.

I can only imagine a half-baked workaround: block YouTube completely, always, and allow definition of some time-based exception to this blockage.

There might be a better workaround to the YouTube issue. Block all YouTube, and use a REDIR to allow access to certain YouTube.
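The "DNS + IP sets" second line of defence and the "block YouTube always, with a time-based exception" workaround above, combined into one added example that is not code from the thread or from any OpenWrt package: a shell function that emits a `uci batch` script making dnsmasq collect every address it resolves for YouTube's domains into a firewall set, rejecting traffic to that set from the children's zone, and opening a weekday window during which the block does not apply. Assumptions: a firewall zone named `kids` for the children's devices, OpenWrt 22.03 or later with fw4 (on fw3 builds the ipset section's `match` value is `dest_net` instead of `dest_ip` and the rule's `ipset` option takes a direction), and a domain list that is only a starting point.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a `uci batch` script:
# dnsmasq fills set 'youtube' from the names it resolves, the 'kids' zone
# (assumed to exist) is rejected from reaching that set, except in a time
# window. Written for fw4 (OpenWrt 22.03+); see the lead-in for fw3 differences.
# kids_youtube_uci_batch [START] [STOP] [WEEKDAYS]
kids_youtube_uci_batch() {
  start=${1:-15:00}
  stop=${2:-16:00}
  days=${3:-"Mon Tue Wed Thu Fri"}
  cat <<EOF
# dnsmasq: answers for these names and their subdomains go into set 'youtube'
set dhcp.youtube=ipset
add_list dhcp.youtube.name='youtube'
add_list dhcp.youtube.domain='youtube.com'
add_list dhcp.youtube.domain='youtu.be'
add_list dhcp.youtube.domain='ytimg.com'
add_list dhcp.youtube.domain='googlevideo.com'
add_list dhcp.youtube.domain='youtube-nocookie.com'
# firewall: the set dnsmasq fills, matched on destination address
set firewall.youtube=ipset
set firewall.youtube.name='youtube'
set firewall.youtube.match='dest_ip'
set firewall.youtube.family='ipv4'
# rules apply in config order: the window ACCEPT must precede the REJECT
set firewall.kids_youtube_window=rule
set firewall.kids_youtube_window.name='kids-youtube-window'
set firewall.kids_youtube_window.src='kids'
set firewall.kids_youtube_window.dest='wan'
set firewall.kids_youtube_window.ipset='youtube'
set firewall.kids_youtube_window.proto='all'
set firewall.kids_youtube_window.start_time='$start'
set firewall.kids_youtube_window.stop_time='$stop'
set firewall.kids_youtube_window.weekdays='$days'
set firewall.kids_youtube_window.target='ACCEPT'
set firewall.kids_youtube_block=rule
set firewall.kids_youtube_block.name='kids-youtube-block'
set firewall.kids_youtube_block.src='kids'
set firewall.kids_youtube_block.dest='wan'
set firewall.kids_youtube_block.ipset='youtube'
set firewall.kids_youtube_block.proto='all'
set firewall.kids_youtube_block.target='REJECT'
EOF
}

# On the router: strip comment lines, apply, commit and reload.
kids_youtube_apply() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found, not on OpenWrt?" >&2; return 1; }
  kids_youtube_uci_batch "$@" | grep -v '^#' | uci batch && uci commit && reload_config
}
```

Two caveats a practitioner should keep in mind. The set is filled by whoever resolves those names through dnsmasq, so a child's device using DoH still gets blocked once any other device on the LAN has looked them up, but the set starts empty after a reboot and the first video may load before it is populated. And `googlevideo.com` is Google's media CDN, so the block may also affect other Google video products; it does not, as the thread already notes, make it possible to allow one specific video.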