Manage A Separate Kids' SSID Across Multiple APs

I've set up two (soon three) TP-Link Archer C7 v2 routers configured as Wireless APs. They're connected to the router over Cat6.

It works well but I need to be able to regulate the kids' usage. Before this we were using a turnkey mesh system (Mercku). It was awful but it did give us a simple way to block individual users.

Since OpenWrt doesn't really have a quick and easy way to block individual devices (especially now that MAC spoofing is a thing) I was thinking that I'd set up a kids' SSID which I could turn on and off from LuCI. The problem is that I don't want to have to do this across three APs twice a day.

I have less time than I'd like to mess with networking stuff so I'm looking for a solution with a minimal learning curve.

I'm rather hoping there is a creative solution that can be implemented with stock OpenWrt but if it has to be Omada or Unifi (or whatever) then I guess I'll bite the bullet and open the wallet.

p.s. Solution must be normie-friendly.

p.p.s The ultimate solution would still be granular per-device access control but SSID control seemed more realistic.

You need to:

  • create a new network (instead of "lan" you can call it "kids")
  • assign it to the lan firewall zone
  • enable DHCP in a new IP range
  • create a VLAN and assign it e.g. .20 or something
  • create a new master wifi (AP) in the "kids" network to broadcast that network over wifi; you can use e.g. the SSID "kids-wifi".
    With the VLAN tagged on the network switch interface on the main router, those packets can travel over the network wire.

Then on the other routers acting as APs, you need to grab that VLAN, so:

  • create a new network "kids"
  • make it a DHCP client, as DHCP would be on the main router.
  • (assign it to the lan firewall zone, or just disable the firewall altogether; it's a no-op in AP mode anyway)
  • set the VLAN .20 and assign it to the "kids" network
  • create a new master wifi (AP) in the "kids" network and use the same SSID "kids-wifi" as the main AP.

From here you will see that you have a sort of separate wifi network. You can disable internet from the main AP with a cron task and firewall rules. Devices will still be able to connect to the wifi network, though. You can set up a captive portal or a firewall rule to redirect traffic to a custom page (which could even live on the main router itself, as happens with the captive portal) and show the kids a "you have internet disabled" message.

Also, this way you can use MWAN3 (or pbr, or just the firewall rules if you want to make it trickier) and set up rules there to allow them only push notifications or certain websites but not access to the entire internet, or allow them to use YouTube only, etc. I found mwan3 to be easier for that kind of stuff. It's also useful if you manage to add a 2nd internet connection, even if it's a crappy mobile 4G LTE/5G one.

I'm not sure how MWAN3 fits into this.

In the same way you can use the PBR (Policy-Based Routing) package for rule-based routing decisions, you can do the same with MWAN3; it has proven to be more straightforward, resilient and reliable than pbr.
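One way to implement the cron-and-firewall toggle described in the answer above, run only on the main router so nothing has to change on the APs. This is an added example, not code from the thread; the subnet 192.168.20.0/24, the rule name `kids_block` and the script path `/root/kids-internet.sh` are assumptions.

```shell
#!/bin/sh
# Added example: toggle internet for the "kids" network from the main router.
# Assumptions (not from the thread): the kids network sits in the 'lan' zone
# and uses 192.168.20.0/24; 'kids_block' is a hypothetical rule section name.

KIDS_SUBNET="192.168.20.0/24"   # assumed DHCP range of the kids network
RULE="kids_block"               # hypothetical named section in /etc/config/firewall

# Wrapped in a function so the reload step is easy to swap out when testing.
fw_reload() { /etc/init.d/firewall reload; }

# Create the reject rule once; later runs only flip its 'enabled' flag.
ensure_rule() {
    uci -q get "firewall.$RULE" >/dev/null && return 0
    uci set "firewall.$RULE=rule"
    uci set "firewall.$RULE.name=Block-kids-internet"
    uci set "firewall.$RULE.src=lan"
    uci set "firewall.$RULE.src_ip=$KIDS_SUBNET"
    uci set "firewall.$RULE.dest=wan"
    uci set "firewall.$RULE.proto=all"
    uci set "firewall.$RULE.target=REJECT"
}

# kids_internet on|off
#   off -> enable the reject rule (kids stay on wifi but cannot reach wan)
#   on  -> disable the reject rule
kids_internet() {
    case "$1" in
        on)  block=0 ;;
        off) block=1 ;;
        *)   echo "usage: kids_internet on|off" >&2; return 2 ;;
    esac
    ensure_rule
    uci set "firewall.$RULE.enabled=$block"
    uci commit firewall
    fw_reload
}

# Example cron entries (LuCI: System > Scheduled Tasks); times are placeholders:
#   0 21 * * * /root/kids-internet.sh off
#   0 7  * * * /root/kids-internet.sh on
if [ $# -gt 0 ]; then
    kids_internet "$1"
fi
```

On a default OpenWrt firewall, connections that are already established are accepted before this rule is evaluated, so a stream that is running at the cut-off time can continue until it closes.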


Cool, this should be easy to implement, thanks.

I'm not sure how MWAN3 fits into this. From what I can tell it's used for load balancing.