Restricting access to the Internet based on device MAC address and time of day

I have seen a couple of products that offer parental control but with a special twist.
The idea is to restrict access to the Internet for specific devices (by their MAC address) at specific times of the day and days of the week.
You create a "restriction" and add the MAC address of the device to it.
Then the device is limited by the "restriction".
I believe it can be done using some customized iptables rules in combination with some cron tasks that will close/open/restrict/allow the specific group of MAC addresses' access to the Internet.
What do you think?
(maybe redirect to a local "block" page?)

Hey there.

Of course at the end of the day all of that will be done with some kind of iptables.

You can do it with cron setting up rules, but I wouldn't. There's the "time" module that extends iptables with that exact feature.

Go and look at the LuCI Web UI section at "Network / Firewall / Traffic Rules". You can add those limitations right there. I don't know if the "time" module is included in default LEDE, but I'm pretty sure you can at least install it.

But: I wouldn't make it based on MAC addresses. If your child brings a friend who connects to your Wifi, or maybe changes his device or at least his MAC address, you constantly need to adjust. Children grow and get smarter :).

I'd suggest creating a dedicated "children" VLAN. Give it a distinct IP range and apply a dedicated Wifi SSID to it. Instead of adding it to firewall zone "LAN", create a new one that is basically identical to LAN, except that its "forward" default is "reject" instead of "allow". Then add some firewall rules that allow outgoing traffic from that children's VLAN on a time basis.


@golialive Thanks for the suggestions.
These are very helpful!!
Specifically, in my network I can implement VLANs, but not every device can do that.
I will not install LEDE on a device under warranty, like many others.
Can you suggest a device that can be used for LEDE, like an arm64-based or x86_64 one?
Would an arm64 Raspberry Pi like the Raspberry Pi 3 be supported by the firmware?

@tmomas Thanks for the link.
I actually have seen something really amazing a year or more ago.
Many new mobile devices fake and randomize their MAC addresses as a measure of "security".
But I am not sure what grade of kids would do such a thing.
I have just seen a book, "JavaScript for Kids", and I believe that most kids are better at other things than JS as their language.

If you want to combat MAC faking, set the rules otherwise:

  • deny all traffic from all devices for the restricted period (night time?)
  • specifically allow selected devices (your own?)
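The following script is an added example, not code from this thread or from LEDE itself. It builds the iptables rules for both approaches discussed so far: the per-MAC time windows the original post asked about (using the iptables "time" match that golialive mentioned instead of cron), and the inverted "deny everyone in the window, allow only selected devices" rule set from the post above, which makes MAC faking pointless. It also shows the original post's "local block page" redirect for plain HTTP. The LAN bridge name `br-lan`, the chain name `parental`, port 8080 and the MAC addresses are assumptions/constructed sample values; on OpenWrt/LEDE the `time` match is assumed to come from the `iptables-mod-ipopt` package. With `DRY_RUN=1` (the default) the commands are printed rather than executed, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): builds iptables rules for time-of-day
# Internet restrictions on a LEDE/OpenWrt router with the "time" and "mac"
# matches, so no cron job is needed to flip rules on and off.
# Two styles are provided:
#   restrict_macs        - the OP's idea: listed devices are blocked in the window
#   restrict_all_except  - the inverted idea: everyone on the LAN is blocked in
#                          the window except the listed devices, so a child who
#                          changes a MAC address gains nothing
# Assumed names (not from the thread): LAN bridge br-lan, chain "parental".
# DRY_RUN=1 (the default) prints the commands instead of running them.

LAN_IF="${LAN_IF:-br-lan}"
CHAIN="${CHAIN:-parental}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Create the chain and hook it into FORWARD, so only traffic routed out of the
# LAN (towards the Internet) is affected; traffic to the router itself is not.
setup_chain() {
    ipt -N "$CHAIN"
    ipt -I FORWARD 1 -i "$LAN_IF" -j "$CHAIN"
}

# Notes on the time match used below:
# --kerneltz evaluates against the router's configured timezone; without it
# xt_time uses UTC. When STOP is earlier than START (e.g. 21:00 to 07:00),
# xt_time matches 21:00-23:59 and 00:00-06:59 as two separate intervals on
# each listed weekday, so list both the evening day and the morning day.

# Style 1: block the listed MACs during the window.
# Usage: restrict_macs START STOP WEEKDAYS MAC...
restrict_macs() {
    start=$1 stop=$2 days=$3
    shift 3
    for mac in "$@"; do
        ipt -A "$CHAIN" -m mac --mac-source "$mac" \
            -m time --timestart "$start" --timestop "$stop" --weekdays "$days" --kerneltz \
            -j REJECT --reject-with icmp-admin-prohibited
    done
}

# Style 2: block everyone during the window except the listed MACs.
# Usage: restrict_all_except START STOP WEEKDAYS MAC...
restrict_all_except() {
    start=$1 stop=$2 days=$3
    shift 3
    for mac in "$@"; do
        ipt -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
    done
    ipt -A "$CHAIN" \
        -m time --timestart "$start" --timestop "$stop" --weekdays "$days" --kerneltz \
        -j REJECT --reject-with icmp-admin-prohibited
}

# The OP's "local block page" idea: during the window, send plain HTTP from
# restricted devices to a web server on the router (assumed port 8080).
# Only plain HTTP can be redirected this way; HTTPS would just show a
# certificate error, so the REJECT rules above still do the real blocking.
# Usage: redirect_to_block_page START STOP WEEKDAYS PORT MAC...
redirect_to_block_page() {
    start=$1 stop=$2 days=$3 port=$4
    shift 4
    for mac in "$@"; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
            -m mac --mac-source "$mac" \
            -m time --timestart "$start" --timestop "$stop" --weekdays "$days" --kerneltz \
            -j REDIRECT --to-ports "$port"
    done
}

# Sample policy: every night 21:00-07:00, everyone is blocked except two
# parents' phones (constructed sample MAC addresses).
sample_policy() {
    setup_chain
    restrict_all_except 21:00 07:00 Mon,Tue,Wed,Thu,Fri,Sat,Sun \
        aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02
}

# Run as "sh parental.sh show" to print the sample policy, or
# "DRY_RUN=0 sh parental.sh show" on the router to apply it.
# Sourcing the file only defines the functions.
if [ "${1:-}" = show ]; then
    sample_policy
fi
```

On LEDE the firewall (fw3) rebuilds the iptables rule set whenever it restarts, so rules added by hand from a shell are lost; put the calls in `/etc/firewall.user`, which fw3 runs after loading its own rules. The equivalent of `restrict_macs` can also be entered in the LuCI traffic rule form using its time fields, which is what the earlier reply suggested.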

Pick one:

More personal recommendations:

Ah, so you don't have a LEDE device yet?

Sure you can run LEDE on an RP3, but that's a quite slow device. Personally I run a BananaPi. It's nearly equally cheap but way more powerful. But keep in mind: those don't come with Wifi sufficient to act as an AP, and you'll need a VLAN-aware external switch.

Better go for a ready-to-go SOHO router. There are a couple of TP-Links for ~70€, and there are tons of others.

@golialive My build farm is composed of:

  • Xeon E3-1220 (4 cores)
  • Atom(TM) CPU C2758 (8 cores)
  • (2 retired (RIP) 8-core Xeon-based servers)
  • 10TB Storage system
  • 3 x Mikrotik Gbit routers (RB750Gr2)
  • EDGE Router lite
  • VDSL Modem
  • CRS125 Mikrotik Switch

and LEDE is a VM on the Xeon, sitting between a bunch of build nodes and the LAN.
Until now I have used a self-composed router based on VyOS/Debian/Ubuntu/CentOS/Alpine and many others,
but I don't have time to type commands to make it all work.
So LEDE works and looks decent enough to let me forget about CLI for a very long time.

@tmomas thanks for the link.
@hnyman indeed it's a good approach!!!
I will probably implement it in the future.
Currently what I have done is add a VLAN to one Wifi access point SSID (out of 4 of them), and I just block everything from this VLAN when I want to, so one SSID is unrestricted and the second is restricted administratively when needed (nights, other occasions).