Correct. Already taken care of
Problematic, in case the child is "on the road", assuming the same type of control is possible for a mobile connection. But I see your point, which is reasonable.
How about requiring a TOTP-type code? A parent can text this to a child or tell them over the phone, etc.
Sounds good. In general, I have to say, I already have all the "bits and bytes" for the MAC-based solution, also taking care of the mentioned potential issues. However, the "Bypass" is missing, because it is new functionality to me. The real problem left is to assemble it into an openwrt package. Anybody open to some type of co-op?
This can be non-trivial and requires additional administrative measures:
- Disable DoH in all installed browsers explicitly.
- Prohibit installing other software/browsers.
- Lock browser configs from change/reset.
However, it should be possible to solve the problem by utilizing DNS + IP sets.
Yes. But it would be the second line of defence, as IP sets have to be maintained.
I'm currently using the parental controls with Synology routers. They are per device, which works okay, but it is really hard to figure out which random name each device has. And every time they bring home a new device from school I need to update settings. I don't know how to do per user in a useful way; once a device is connected the kids do share with each other. The accounts they log into are school accounts so I can't really snoop that. (I don't think I can successfully man-in-the-middle when the device is admined by the school.)
What I really need is a way to whitelist what they are allowed on YouTube. Too often the teacher assigns something which they watch, and the next thing I know they have been following suggestions and watching Thomas the train. (You can now guess their age.) This probably isn't possible, but it is what is really needed. I don't worry much about blocking porn as they are too young to be interested (check back in a few years for a new tune!); I worry about blocking all but the videos allowed on YouTube.
Thank you very much for your valuable input. "Per user" requires a captive portal, like in public hotspots. So the kid has to log in before getting access to the web, according to the individual access policy. Which will not work with wifi speakers, for example. So it is a trade-off. Unless a lot of work is invested in a combined solution, both user-based and MAC-based.
Your request regarding YouTube nowadays most likely is impossible to fulfil, as the URL for the movie is dynamically generated, depending upon resolution, location of client etc., and even changes over time, to invalidate caching of videos. Which I could do in the past.
How does the teacher specify the video to watch?
Long term I think that both MAC and user based controls are needed. Each has a different set of pros and cons. I'd recommend you start with MAC based, because it should be far easier and get something working (just a better UI on the existing firewall). That is my opinion though, I'm not doing the work.
I'm with you in that there seems to be no way to limit youtube to whitelisted videos. If someone knows the right person at google...
Teachers are putting links to the video in google classroom, or an email. I've talked to them about this, and they all respond that youtube is the only way they have of getting videos to students that works when the entire district is doing remote learning. (the school doesn't have the bandwidth)
If I controlled the devices I can see doing a man-in-the-middle, using youtube-dl to download only the allowed videos. This is the only thing I've been able to come up with, and it doesn't work since I can't get my custom certificate on devices controlled by the school.
I can only imagine a half-baked workaround: Block youtube completely, always. And allow definition of some time-based exception to this blockage.
There might be a better workaround to the YouTube issue. Block all YouTube, and use a REDIR to allow access to certain YouTube.
One thing I forgot to mention, but should have: my biggest complaint with my Synology parental controls is how long it takes to do anything. It takes several long seconds after submitting my password to load the web page, widgets, and navigate to where I can make changes. For parental control changes, some way to make a limited exception or add some new rule is a common occurrence, and it is both the technically astute parent who knows how to install OpenWrt and the "non-technical spouse" who just needs to get something done. Speed and ease of use for the non-technical spouse is important. You can trust the person who does initial setup to figure out net masks, but parental changes cannot get that level of commitment.
If you can work with the other commercial providers that would be good too. My school uses GoGuardian for controls (but it isn't powerful enough), so make it easy to add the firewall rules needed to make it work. I'm sure there are others. This is one place where firewalls have to work with something else.
Could you make rules to direct each device to a particular DNS based on the MAC (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns_luci + add a MAC filter under the Advanced tab)? You could then direct the younger one to, say, cleanbrowsing.org's full "Family Filter", while the older one gets sent to the "Adult Filter", and others get sent to the "Security Filter" - see https://cleanbrowsing.org/filters
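As an added example (not from any poster in this thread), the per-MAC DNS redirect suggested above, written as a small POSIX shell generator that emits the `config redirect` stanzas for /etc/config/firewall. It assumes the fw3-style redirect options `src_mac`, `src_dport`, `dest_ip` and `target DNAT` (the MAC filter from the linked wiki page), that LAN-to-WAN traffic is masqueraded as usual, and the resolver addresses and device inventory are constructed placeholders, not real filter IPs. Note that, as said earlier in the thread, a port-53 redirect does not catch DNS-over-HTTPS, so it is only the first line of defence.

```shell
#!/bin/sh
# Emit per-device DNS redirect sections for /etc/config/firewall.
# Resolver addresses are constructed placeholders: substitute the real filter IPs.
RESOLVER_FAMILY="203.0.113.10"   # placeholder: strict "family" filter
RESOLVER_ADULT="203.0.113.20"    # placeholder: adult-content filter
RESOLVER_SECURITY="203.0.113.30" # placeholder: malware/phishing-only filter

# Constructed device inventory, one "MAC,profile" per line (last two are deliberately bad).
DEVICES="aa:bb:cc:00:00:01,family
AA:BB:CC:00:00:02,adult
aa:bb:cc:00:00:03,bogus
zz:zz:zz,family"

# Accept only a well-formed lower-case MAC; a typo here would silently match nothing.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

resolver_for() {
  case "$1" in
    family)   echo "$RESOLVER_FAMILY" ;;
    adult)    echo "$RESOLVER_ADULT" ;;
    security) echo "$RESOLVER_SECURITY" ;;
    *)        return 1 ;;
  esac
}

# One 'config redirect' section: port 53 tcp+udp from this MAC is DNATed to its resolver.
dns_redirect_stanza() {
  mac=$1; profile=$2; ip=$3
  printf "config redirect 'dns_%s'\n" "$(echo "$mac" | tr -d ':')"
  printf "\toption name 'DNS-%s-%s'\n" "$profile" "$mac"
  printf "\toption src 'lan'\n\toption dest 'wan'\n"
  printf "\toption src_mac '%s'\n" "$mac"
  printf "\toption src_dport '53'\n\toption proto 'tcp udp'\n"
  printf "\toption dest_ip '%s'\n\toption target 'DNAT'\n\n" "$ip"
}

# Walk the inventory; skip malformed MACs or unknown profiles rather than emit a half rule.
generate_config() {
  printf '%s\n' "$DEVICES" | while IFS=, read -r mac profile; do
    mac=$(echo "$mac" | tr 'A-F' 'a-f')
    valid_mac "$mac" || { echo "skip: bad MAC '$mac'" >&2; continue; }
    ip=$(resolver_for "$profile") || { echo "skip: unknown profile '$profile'" >&2; continue; }
    dns_redirect_stanza "$mac" "$profile" "$ip"
  done
}

# On the router: generate_config >> /etc/config/firewall && /etc/init.d/firewall restart
```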
You might want to also look at the OpenWRT Wiki here;
The options for giving different DHCP options to different clients based on MAC address are very interesting for your use. I don't know if you need the VPN bits.
Thanks for your suggestion. It confirms the actual, general functionality. However, I am using a smarter method of implementation for locally maintained blocklists. I (also) consider privacy to be an important factor here, not to rely on 3rd parties unless (practically) unavoidable, e.g. to use 126.96.36.199 or 188.8.131.52 for final DNS resolution.
But maybe you can answer another question: I have 2 alternatives in mind regarding the blocklists. Either to provide "ready-to-use" blocklists, to be downloaded to the router from a server, OR to do the processing of the raw blocklists on the router before usage, similar to adblock. The first version has the advantage of using a smaller openwrt device (the actual implementation needs 128 MB RAM, 16MB flash), whereas the second version needs to have more resources, either more RAM (256MB minimum, I guess) or external storage (i.e. MMC). Which alternative is the preferred one?
It kind of depends who you are aiming this at and both how price sensitive they are and how tech savvy they are.
If you are thinking home use, I would think many people would have routers that are limited in RAM, but if some sort of external storage could be involved, that might mitigate the problem. Many routers supported by OpenWRT can use USB storage.
If you're talking bigger than that, I think routers like the Netgear R7800 have the RAM, but are too expensive. Others like the TP-Link C2600/VR2600/VR2600V also have the RAM but are hard to find. The D-Link DIR-882 and DIR-1960 are both capable in terms of RAM, but are both still using snapshot builds, which may add a level of complexity.
For anyone interested in parental filtering, you might want to check out the following host sources;
Thank you for pointing that out. Will check.
Actually, I am using the list from
which would also allow adding categories like "violence" or "games" etc. to the blocklist used in operation.
I have a prototype already up and running, which I consider a bit more sophisticated compared to the simple concept of using dnsmasq + hostfile(s). Actual requirements regarding resources are rather modest: 128MB RAM, 16MB flash.
However, it is running in a custom image, eliminating/modifying some openwrt standards for ease of implementation, i.e. no usage of the standard openwrt firewall, but basic protection based on a custom iptables script.
So the actual state of the system would require quite some work to be molded into a standard openwrt package.
Otherwise, it should not be difficult to port the actual image's .config and files to another device.
Could also try;
I am desperate for a decent parental block! 2 kids, 6 devices. Need to be able to block certain devices completely between 10pm and 7am on weekdays and 12pm and 7am weekends.
Have a TP-Link Archer C50 V4 that I bought specifically because it advertised parental control capability, but the scheduling is universal (not per device), it only controls 4 devices (I need 6) and the control just doesn't work reliably, if at all. TP-Link is useless, so I expected to flash OpenWrt and all would be good, only to find Parental Control doesn't seem to exist in this (or any) open source router software. Maybe it's just not a very sexy function....