Parental controls

• This article describes common methods to perform parental control of internet access.
• Be sure to apply restrictions to all source zones if you are using a firewall-based method.

Follow: Firewall rule to block a site

If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. Assuming OpenWrt operates with a LAN and WAN zone a filter in the FORWARD chain that rejects packets is enough. ASN lists could be used to block large numbers of IPs belonging to certain companies. A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly.

Drawbacks:

• To circumvent these IP based restrictions an internet proxy or Tor could be used.
• Dynamic hosts change their IP on a regular basis, invalidating the blacklist

Follow: Ad blocking, DNS filtering

This method voids DNS lookups so, for example, www.youtube.com does not generate the desired IP address. Adblock can be used to blacklist certain domain names and prevent the DNS server handing out the right IP. Alternatively Dnsmasq can be configured to return a NXDOMAIN answer in case a blacklisted domain name is queried. Another option is to use Pi-hole in the LAN and divert DNS requests to Pi-hole.

Drawbacks:

• If the IP of the server is known, it can be reached directly without using DNS altogether.
• These restrictions can be foiled quite easily by using another internet site to lookup the IP address for the site and bypassing DNS altogether.
• If several DNS are in the LAN just changing the local settings to the unfiltered DNS renders this control useless.

Follow: banIP, Filtering traffic with IP sets by DNS

Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. This is essential if a single domain might resolve to several IPs. For instance websites that operate with a CDN can be blocked by their name instead of finding out each and every IP the CDN might be using.

Drawbacks:

• This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on CDNs.
• Completely blocking sites that use localized domains is problematic.

Follow: Proxy server overview

A proxy server like Squid or Tinyproxy can be used to block access to websites. It can check HTTP(S) specific details. The huge benefit of this option is to have the finest level of control. It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once.

Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, consider Tinyproxy first.

Drawbacks:

• If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly.
• The clients need to configure the proxy in their browser.

Block internet access for MAC or IP addresses (or everyone) on week days during specific time interval.

Adjust the parameters according to your configuration.

1. Navigate to LuCI → Network → Firewall → Traffic Rules.
2. Click Add and specify:
   • Name: Filter-Parental-Controls
   • Protocol: Any
   • Source zone: lan
   • Destination zone: wan
   • Action: reject
3. (Optional) If you want to add a MAC or IP limitation, on the Advanced Settings tab specify:
   • Source MAC address: 00:11:22:33:44:55
   • Source IP address: 192.168.1.2
4. On the Time Restrictions tab specify:
   • Week Days: Monday, Tuesday, Wednesday, Thursday, Friday
   • Start Time: 21:30:00
   • Stop Time: 07:00:00
5. Click Save, then Save & Apply.

You can add another rule to apply time restrictions on weekend.

Add a new firewall rule. Edit the following example code block to suit your needs and then copy-paste it into the terminal. Check for errors the service restart output!

# Configure firewall
uci add firewall rule
uci set firewall.@rule[-1].name="Filter-Parental-Controls"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].start_time="21:30:00"
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
service firewall restart

Restrict access to your Wi-Fi by MAC address. The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in your home. Later you no longer want to allow the person to use your Wi-Fi.

There are several solutions to this problem with decreasing labor and effectiveness.

1. The most comprehensive is to create a guest Wi-Fi.
2. Change the passphrase for the interfaces.
3. Only allow/deny LAN access for devices with matching MAC addresses.

This section focuses on the last option using the wireless interface MAC filter option. This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device.

1. Navigate to LuCI → Network → Wireless.
2. Click Edit on a selected interface.
3. On the MAC Address Filter tab specify:
   • MAC Address Filter:
     • Allow listed only
     • Allow all except listed
   • MAC List:
     • 11:22:33:44:55:66
     • aa:bb:cc:dd:ee:ff
4. Click Save, then Save & Apply.

# Use allow-type or deny-type filter
uci set wireless.@wifi-iface[0].macfilter="allow"
uci set wireless.@wifi-iface[0].macfilter="deny"
 
# Append the MAC address to the list
uci add_list wireless.@wifi-iface[0].maclist="11:22:33:44:55:66"
uci add_list wireless.@wifi-iface[0].maclist="aa:bb:cc:dd:ee:ff"
 
# Check settings
uci show wireless.@wifi-iface[0]
 
# Save and apply
uci commit wireless
wifi reload

You need to apply this for all wireless interfaces accessible by the user. Typically the 5 Ghz band is @wifi-iface[0] and the 2.4 Ghz band is @wifi-iface[1].