Functionality of "Parental Control" on OpenWrt

Yes, that looks perfect for my simple needs.

Many thanks!

Should this work with wireless connections?

I have no devices connected wired, and one device connected wirelessly.

But this doesn’t appear in the list of MAC addresses….

Am I doing this right?

Nick

From what I tested, the application supports wireless connections as much as possible, I tested on the S7 Edge phone, the phone was detected and had access to the Internet blocked. You're doing everything right anyway ..

I made some progress in development and have a first version running on a WE826 from ZBT. Now looking how to put this stuff on github, which is new for me.
However, the issue is, that I am very reluctant to prepare a "real" openwrt-package from my stuff. As I violated some "standards", which I consider "bloatware" on openwrt, i.e. messing around with the firewall setup, using simple, plain, well-documented iptables rules, instead.
My idea is, to put the .config for my WE826 onto github, expecting other, interested parties to provide compatible .config for other hardware.
Another solution would be a volunteer, to create official package, but this would need regular maintenance.
Feedback(s) welcome.

First glance at the main features:

  • blocking of inappropriate content for minors.
  • whitelist/blacklist of domain names
  • blocking of (many) ads
  • blocking of fb,tw
  • scheduling internet access

These features are configurable into 4 different user profiles, using simple GUI.

1 Like

Placing a package on github is very simple. So we are waiting for the publication / presentation. :)

2 Likes

Bump.
Any questions ?

1 Like

Android App to be used in combo with openwrt router running PCS is done.
However, I hesitate to donate it to FOSS, as it needs a public server as helper, to be paid for.
And it would be a free-of-charge alternative to a commercial product.

Maybe you can request sponsorship from a cloud hosting company like Scaleway, as their lowest offer is €1.80 with unlimited traffic on a 100 Mbps port.

It's a great project! Thanks for looking into this. I checked out your github repo which contains only the readme for now. I'll bookmark it and wait eagerly for your code :)

Let me answer your questions, from my perspective.

This does not matter too much, as long as your setup allows grouping devices under one alias.

I believe MAC based is not a good option at all. MAC addresses are a client-based setting, so very easily bypassed. Even if you think your users will not try to bypass it (which I would argue against, if you are using parental control, you should guard against very basic work-arounds), you need to be aware that operating systems are now starting to automatically spoof MAC addresses for you, whether you asked for it or not. Specifically, Windows 10 and iOS 14 are spoofing MAC addresses now, to protect user privacy.

So IMHO you have to have a different way to do user authentication. Is it via 802.1X? IP? SSID? Each of these has significant downsides.

Good luck with this project!

I am not familiar with this github stuff. Probably, because of this, you find the sources here:

"MAC addresses are a client-based setting, so very easily bypassed."
In general, your remarks are correct. BUT ...
for a certain SSID either the real MAC is used (i.e. for older Android versions), OR the faked MAC will be stable, always the same, AFAIK. And this is what I am relying on.
Have not tested on Windows 10 or iOS 14, because of lack of devices, so feel free to prove the opposite.

2 Likes

Ah excellent, thanks for pointing out the release.

I believe you are correct for iOS 14.

I set a firewall rule for known MAC addresses that can access my LAN (not my guest network) for Ethernet and WiFi. If somebody spoofs its MAC address, it simply has no internet access at all.

So I tell all known users on my network to disable this MAC address spoof function. It's network based, so on other networks they can still spoof MAC addresses if they want to.

Not waterproof of course, they can still spoof a MAC address that is known by my firewall, but in general, they only know their own MAC address and not that of the other users/devices.
Like this:

(for vpn access)

config rule
	option dest 'vpnclient'
	option src 'lan'
	option name 'Allow LAN access'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list src_mac '12:34:56:AB:CD:01'
	list src_mac '12:34:56:AB:CD:02'
	list src_mac '12:34:56:AB:CD:03'
	list src_mac '12:34:56:AB:CD:04'

(For normal WAN access)

config rule
	option dest 'wan'
	option src 'lan'
	option name 'Allow LAN access'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list src_mac '12:34:56:AB:CD:01'
	list src_mac '12:34:56:AB:CD:02'
	list src_mac '12:34:56:AB:CD:03'
	list src_mac '12:34:56:AB:CD:04'

And block anyone on WAN and VPN that is not on the list.

config rule
	option dest 'vpnclient'
	option src 'lan'
	option name 'Reject LAN access'
	option target 'REJECT'

config rule
	option dest 'wan'
	option src 'lan'
	option name 'Reject LAN access'
	option target 'REJECT'
1 Like
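
As an added example (not part of the original post or the poster's setup), the script below audits a UCI firewall config built on the `src_mac` allowlist pattern shown above. It flags allowlisted addresses with the locally administered bit set, which is how per-network randomized MACs are marked, and src->dest pairs whose allow rules are unreachable or have no catch-all after them. The function names, output labels and sample config are constructed for illustration, and it assumes a REJECT/DROP rule without `src_mac` is a catch-all for its pair.

```shell
#!/bin/sh
# Assumption: a REJECT/DROP rule without src_mac is a catch-all for its src->dest pair.
audit_mac_rules() {
  awk '
    function clean(v) { gsub(/[^A-Za-z0-9:_-]/, "", v); return v }  # strip quotes
    function finish(   pair, i) {   # evaluate the rule that just ended
      if (!inrule) return
      inrule = 0; pair = src "->" dest
      if (target == "ACCEPT" && nmac > 0) {
        if (!(pair in allow)) { allow[pair] = 1; order[++npairs] = pair }
        # A catch-all seen earlier means this allow rule is never reached.
        if (pair in closed) print "UNREACHABLE " pair
        # Second hex digit 2/6/A/E: locally administered bit is set.
        for (i = 1; i <= nmac; i++)
          if (mac[i] ~ /^.[26AaEe]:/) print "LOCAL-ADMIN " pair " " mac[i]
      } else if ((target == "REJECT" || target == "DROP") && nmac == 0) closed[pair] = 1
    }
    $1 == "config" { finish(); inrule = ($2 == "rule"); src = dest = target = ""; nmac = 0; next }
    inrule && $1 == "option" && $2 == "src"     { src = clean($3) }
    inrule && $1 == "option" && $2 == "dest"    { dest = clean($3) }
    inrule && $1 == "option" && $2 == "target"  { target = clean($3) }
    inrule && $1 == "list"   && $2 == "src_mac" { mac[++nmac] = clean($3) }
    END { finish()
      for (n = 1; n <= npairs; n++) if (!(order[n] in closed)) print "NO-CATCHALL " order[n]
    }
  '
}
# Constructed sample input, not the poster's configuration.
sample_config() {
  cat <<'EOF'
config rule
  option src 'lan'
  option dest 'wan'
  option target 'ACCEPT'
  list src_mac '00:11:22:AA:BB:01'
  list src_mac 'DA:A1:19:00:00:02'
config rule
  option src 'lan'
  option dest 'wan'
  option target 'REJECT'
config rule
  option src 'lan'
  option dest 'vpnclient'
  option target 'ACCEPT'
  list src_mac '00:11:22:AA:BB:01'
EOF
}
sample_config | audit_mac_rules
```

On the router it can be run as `audit_mac_rules < /etc/config/firewall`.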

Sorry, there's a demand, this is how someone suggested this link and I'm here to say there's a demand. I asked for precisely this a few minutes ago. I can't wait to try it.

Actual implementation is based on DNS manipulation, not Captive Portal, which did not get so much interest. Changing the actual implementation method would be quite some work, I do not feel worth for very few requests.
However, what do you want to achieve, from a functional standpoint of view ?
I read something about switching on and off, but please be more detailed, from users standpoint of view only.

OK. Thank you so much. It has not been easy to explain. Let me try again.

First, two ideas: Parental Control. I have no question on how to get this done. Second idea, an application that can allow me to override Parental Control settings. An example.

You set Parental Control from 9 am to 6 pm. But at 2 pm, decided, OK, I will give access to a certain number of devices for an hour, or whatever. These devices are on the parental control settings and identified there by MAC addresses. So, what do I want: log into LuCI, go to such an application, select the devices and either give them immediate access.

Thanks a lot.

Sorry, but I still do not catch it. May be, because of different understanding of "Parental Control". For me, it means, first of all DNS filtering (i.e. no porn), and then scheduled web access only, i.e. weekdays from 14:00-20:00, or during 10:00-20:00 on weekends.
Such rules are pre-defined.
You want to disable internet access by default, and enable access for certain period of time, like 1h, by command ?

Yes, you 'catch it' this is what I want. The only difference is, by default, means the rules I have set in Firewall. I want to be able to override these 'by command' when and if I need to. This would mean I do not go into the Firewall and change the rules, by changing the time.
Thanks a lot.

I suspect that if this were available in LuCI it would be quite popular

1 Like

@reinerotto, any updates, please?
Thank you!