Parental controls through firewall

Hello, my kid is using its laptop for distance learning and I want to block certain websites during school hours.
So essentially I want to block from source IP (or MAC ff-00-00-00-00-00) during weekdays 9am-4pm.
How can I do this without much pain or mess?
I have Archer C7 with Openwrt 19.07


I have already read that but I cannot find a way to block for specific hours and for specific IP/MAC. Maybe there is a combination of those rules but I am not comfortable with them and asking for the specific rule to avoid a mess.

1 Like

Copy-paste the code from these 2 links:

Then edit the time restrictions for the firewall rules Filter-IPset-DNS-Forward similar to:

Then edit domains on the DNS settings page.

1 Like

So to make sure I understand correctly: I run the following code in my terminal. If something goes wrong, will a router reboot recover?

#First link

# Install packages
opkg update
opkg install dnsmasq ipset ipset-dns
# Configure IP sets
uci -q delete firewall.filter
uci set firewall.filter="ipset"
uci set"filter"
uci set"ipv4"
uci set"hash"
uci set firewall.filter.match="ip"
uci -q delete firewall.filter6
uci set firewall.filter6="ipset"
uci set"filter6"
uci set"ipv6"
uci set"hash"
uci set firewall.filter6.match="ip"
# Filter LAN client traffic with IP sets
uci -q delete firewall.filter_fwd
uci set firewall.filter_fwd="rule"
uci set"Filter-IPset-DNS-Forward"
uci set firewall.filter_fwd.src="lan"
uci set firewall.filter_fwd.dest="wan"
uci set firewall.filter_fwd.ipset="filter dest"
uci set"ipv4"
uci set firewall.filter_fwd.proto="all"
uci set"REJECT"
uci -q delete firewall.filter6_fwd
uci set firewall.filter6_fwd="rule"
uci set"Filter-IPset-DNS-Forward"
uci set firewall.filter6_fwd.src="lan"
uci set firewall.filter6_fwd.dest="wan"
uci set firewall.filter6_fwd.ipset="filter6 dest"
uci set"ipv6"
uci set firewall.filter6_fwd.proto="all"
uci set"REJECT"
uci commit firewall
/etc/init.d/firewall restart
# Configure ipset-dns
uci set ipset-dns.@ipset-dns[0].ipset="filter"
uci set ipset-dns.@ipset-dns[0].ipset6="filter6"
uci commit ipset-dns
/etc/init.d/ipset-dns restart
# Configure domains to filter
uci add_list dhcp.@dnsmasq[0].server="/"
uci add_list dhcp.@dnsmasq[0].server="/"
uci commit dhcp
/etc/init.d/dnsmasq restart

#Second link

# Reorder iptables/ip6tables rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED/p")" \
| ${IPT}-restore -c -T filter
# Enable the reordering script
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
# Back up the reordering script
cat << EOF >> /etc/sysupgrade.conf

#Third link
uci add firewall rule
uci set firewall.@rule[-1].name="Kids weekdays"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="78:BB:AA:3A:88:14"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].start_time="21:30:00"
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].utc_time="0"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

I've added the preresolve script and reorganized the wiki content, so now everything you need is in this article:

It should be fine, but to be sure you can make a backup beforehand: