Looking at the parental controls doc[1], it looks like you have to set up each device in a separate rule (selecting one device from the "Source MAC address" pulldown) is that right? my kids have 3-6 devices each, some wired and some WiFi, and I update their time restrictions often, so I want it to be easy and not involve ssh'ing in or changing lots of rules every time.
Also, I've seen some references to open connections not being closed when a time window ends. does that apply to rules from that GUI?
I'm coming from Advanced Tomato and am shopping for a new router by first considering what firmware I want to run, so I don't have OpenWrt installed anywhere yet.
I would set up a separate VLAN/SSID for your children's stuff, and then treat all devices that are connected on that VLAN as children's devices and apply the rules to the entire subnet.
The most useful form of parental controls over http/https (web) is using a squid proxy, the above advice is still useful when using squid too.
You should set up a "Guest WLAN" where you add wired ports, see this tutorial
and then put the "guest" zone you created for the guest WLAN as source zone in your parental control firewall rules.
Or through Squid, or whatever else.
Also, I've seen some references to open connections not being closed when a time window ends. does that apply to rules from that GUI?
Yes. The GUI works on the same firewall rules.
But once you make the script that reorders the firewall rules you don't need to touch it again when you change the firewall rule (from GUI or anything else).