Getting parental control to work

It is the most common question that seems to be unanswered everywhere here: how to get Parental Control to actually work, not in theory but in practice.

Each thread I've read shows, like I did, that the user used the excellent thread here (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#web_interface), but no one seems to get it to work, as written there, without writing complicated rules, etc.

Does it really work? If so, how?

Thanks a lot for your response.

Hi,

I would say they work perfectly fine here. However, with one caveat! You have to disable Routing/NAT Offloading:

I have my rules defined in such a way that a script can process them after each change, so they get added to the beginning of the user rule chain forwarding_lan_rule. And, I reckon, this is the tricky part: making sure they are before the conntrack rules.

This is my script; you can place it in /etc/firewall.user:

# Process any new rule from the fw3 front-end that is tagged with $RULE_MARK
#
RULE_ORIG="zone_lan_forward"          # chain fw3 puts LAN forwarding rules in
RULE_TABLE="forwarding_lan_rule"      # user chain that is jumped to first
RULE_MARK="##$RULE_TABLE##"           # tag placed in the rule description

# Move any marked rule from the origin chain to our user rule chain.
# Done for both IPv4 and IPv6: the dump is rewritten line by line and
# restored with counters kept (-c), touching only the filter table.
for ipt in ip ip6; do
    ${ipt}tables-save -c -t filter | while IFS= read -r line; do
        if [ -z "${line##*$RULE_MARK*}" ]; then
            # marked rule: strip the tag and change the chain it is appended to
            printf "%s\n" "$line" | sed -e "s/$RULE_MARK//g;s/$RULE_ORIG/$RULE_TABLE/g"
        else
            # everything else passes through unchanged
            printf "%s\n" "$line"
        fi
    done | ${ipt}tables-restore -c -T filter
done

To make it work properly I tag my rule descriptions with ##forwarding_lan_rule## so they get processed by /etc/firewall.user; see an example:

And this is a snippet of how the firewall rules look after processing:

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
26566 2123K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    0     0 zone_wan_dest_REJECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853 /* !fw3: Block DNS, port 853 */
    0     0 zone_wan_dest_REJECT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 /* !fw3: Block mDNS, port 5353 */
26086 2092K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
 1536 95863 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
   42  3696 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 10:29:59:0C:E3:36 TIME from 07:00:00 to 12:00:00 /* !fw3: Allow Kids' devices (7am to 12pm)  */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DC:A4:CA:60:14:74 TIME from 07:00:00 to 12:00:00 /* !fw3: Allow Kids' devices (7am to 12pm)  */
   81  5292 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 10:29:59:0C:E3:36 TIME from 14:00:00 to 17:00:00 /* !fw3: Allow kid's devices (2pm to 5pm)  */
  399 25668 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DC:A4:CA:60:14:74 TIME from 14:00:00 to 17:00:00 /* !fw3: Allow kid's devices (2pm to 5pm)  */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 10:29:59:0C:E3:36 /* !fw3: Block Kids' devices  */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DC:A4:CA:60:14:74 /* !fw3: Block Kids' devices  */

I hope this helps. Connections get dropped instantly after the allowed time.

Kind regards.

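The rewrite the answer above relies on can be exercised without a router. The script below is an added example, not the poster's script and not part of OpenWrt: it applies the same transformation to a constructed `iptables-save -c` dump embedded in the file (the MAC address, counters and rule names in the sample are made up), and adds two checks a practitioner would want after `/etc/firewall.user` runs: that no tagged rule is left in `zone_lan_forward`, and that the jump into `forwarding_lan_rule` sits above the conntrack rule in the origin chain, which is the ordering the answer calls the tricky part. It tightens the chain rename to the `-A zone_lan_forward ` prefix so a rule whose comment happens to mention the chain name is not altered. Everything assumes fw3/iptables; fw4 (nftables, OpenWrt 22.03 and later) does not execute `/etc/firewall.user`.

```shell
#!/bin/sh
# Added example: offline version of the "move tagged rules" rewrite, plus checks.

RULE_ORIG="zone_lan_forward"
RULE_TABLE="forwarding_lan_rule"
RULE_MARK="##$RULE_TABLE##"

# Constructed sample of `iptables-save -c -t filter` output (not a real dump).
SAMPLE_DUMP='*filter
:zone_lan_forward - [0:0]
:forwarding_lan_rule - [0:0]
[26566:2123000] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m mac --mac-source 00:11:22:33:44:55 -m time --timestart 07:00:00 --timestop 12:00:00 -m comment --comment "!fw3: Allow kids devices (7am to 12pm) ##forwarding_lan_rule##" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m mac --mac-source 00:11:22:33:44:55 -m comment --comment "!fw3: Block kids devices ##forwarding_lan_rule##" -j zone_wan_dest_REJECT
[26086:2092000] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[1536:95863] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
COMMIT'

# Filter (stdin -> stdout): for lines carrying the tag, drop the tag and
# re-append the rule to $RULE_TABLE instead of $RULE_ORIG. Only the
# "-A <chain> " prefix is renamed, so chain names inside comments are safe.
move_marked_rules() {
    sed -e "/$RULE_MARK/{" \
        -e "s/$RULE_MARK//g" \
        -e "s/-A $RULE_ORIG /-A $RULE_TABLE /" \
        -e "}"
}

# usage: rewrite_dump "$dump"  -> prints the rewritten dump
rewrite_dump() {
    printf '%s\n' "$1" | move_marked_rules
}

# usage: count_chain_rules "$dump" <chain>  -> number of -A rules in that chain
count_chain_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" \
        'index($0, "-A " chain " ") { n++ } END { print n + 0 }'
}

# usage: count_marked "$dump"  -> lines still carrying the tag (expect 0 after rewrite)
count_marked() {
    printf '%s\n' "$1" | awk -v mark="$RULE_MARK" \
        'index($0, mark) { n++ } END { print n + 0 }'
}

# usage: jump_precedes_conntrack "$dump"  -> exit 0 when, inside $RULE_ORIG,
# the jump to $RULE_TABLE comes before the first --ctstate rule (or no such rule exists)
jump_precedes_conntrack() {
    printf '%s\n' "$1" | awk -v chain="$RULE_ORIG" -v table="$RULE_TABLE" '
        index($0, "-A " chain " ") == 0 { next }
        !jump && index($0, "-j " table) { jump = NR }
        !ct   && index($0, "--ctstate")  { ct = NR }
        END { exit !(jump && (!ct || jump < ct)) }'
}

# Demonstration on the constructed dump: prints the rewritten rules.
rewrite_dump "$SAMPLE_DUMP"
```

On a router the same filter slots into the answer's loop as `${ipt}tables-save -c -t filter | move_marked_rules | ${ipt}tables-restore -c -T filter`; running `count_marked` over a fresh `iptables-save` afterwards is a cheap way to confirm the hook actually fired after a firewall reload.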