Parental controls through firewall

Hello, my kid is using its laptop for distance learning and I want to block certain websites during school hours.
So essentially I want to block www.example.com from source IP 192.168.1.10 (or MAC ff-00-00-00-00-00) during weekdays 9am-4pm.
How can I do this without much pain or mess?
I have Archer C7 with Openwrt 19.07

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls

2 Likes

I have already read that but I cannot find a way to block example.com for specific hours and for specific IP/MAC. Maybe there is a combination of those rules but I am not comfortable with them and asking for the specific rule to avoid a mess.

1 Like

Copy-paste the code from these 2 links:

Then edit the time restrictions for the firewall rules Filter-IPset-DNS-Forward similar to:

Then edit domains on the DNS settings page.

1 Like

So to make sure I understand correctly: I run the following code in my terminal. If something goes wrong, will a router reboot recover?

#First link

# Install packages
opkg update
opkg install dnsmasq ipset ipset-dns
 
# Configure IP sets
uci -q delete firewall.filter
uci set firewall.filter="ipset"
uci set firewall.filter.name="filter"
uci set firewall.filter.family="ipv4"
uci set firewall.filter.storage="hash"
uci set firewall.filter.match="ip"
uci -q delete firewall.filter6
uci set firewall.filter6="ipset"
uci set firewall.filter6.name="filter6"
uci set firewall.filter6.family="ipv6"
uci set firewall.filter6.storage="hash"
uci set firewall.filter6.match="ip"
 
# Filter LAN client traffic with IP sets
uci -q delete firewall.filter_fwd
uci set firewall.filter_fwd="rule"
uci set firewall.filter_fwd.name="Filter-IPset-DNS-Forward"
uci set firewall.filter_fwd.src="lan"
uci set firewall.filter_fwd.dest="wan"
uci set firewall.filter_fwd.ipset="filter dest"
uci set firewall.filter_fwd.family="ipv4"
uci set firewall.filter_fwd.proto="all"
uci set firewall.filter_fwd.target="REJECT"
uci -q delete firewall.filter6_fwd
uci set firewall.filter6_fwd="rule"
uci set firewall.filter6_fwd.name="Filter-IPset-DNS-Forward"
uci set firewall.filter6_fwd.src="lan"
uci set firewall.filter6_fwd.dest="wan"
uci set firewall.filter6_fwd.ipset="filter6 dest"
uci set firewall.filter6_fwd.family="ipv6"
uci set firewall.filter6_fwd.proto="all"
uci set firewall.filter6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
 
# Configure ipset-dns
uci set ipset-dns.@ipset-dns[0].ipset="filter"
uci set ipset-dns.@ipset-dns[0].ipset6="filter6"
uci commit ipset-dns
/etc/init.d/ipset-dns restart
 
# Configure domains to filter
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#53001"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#53001"
uci commit dhcp
/etc/init.d/dnsmasq restart


#Second link

# Reorder iptables/ip6tables rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED/p")" \
| ${IPT}-restore -c -T filter
done
EOF
 
# Enable the reordering script
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
 
# Back up the reordering script
cat << EOF >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF

#Third link
uci add firewall rule
uci set firewall.@rule[-1].name="Kids weekdays"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="78:BB:AA:3A:88:14"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].start_time="21:30:00"
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].utc_time="0"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

I've added the preresolve script and reorganized the wiki content, so now everything you need is in this article:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset

It should be fine, but to be sure you can make a backup beforehand:
https://openwrt.org/docs/guide-user/troubleshooting/backup_restore