[SOLVED] Parental Controls on WiFi Network ?

[zeeshardware]

Greetings, All

My service-provider has installed a WiFi router, with very basic features for broadband internet. It does not have any reliable Parental Control features.
I am looking for an AFFORDABLE hardware device (router etc, not some Software Firewall) which offers minimum:-

1. Device (MAC-based) time scheduling to allow/ disallow internet access.
2. URL blocking (all types, I mean if I block youtube.com it should be blocked whether accessed through desktop browser, or youtube Android app or iOS app etc). I understand blocking VPN-based access is a difficult job

Please also guide me on connectivity. I mean, I will have to disable WiFi on my service-provider router and give WAN uplink to this Parental Control device? Whats the best way to connect it?

Also, I use another router (with a different DHCP IP subnet) as a range-extender in my home. How to de-conflict parental control vs devices connected through range-extender router?

If the Question is already answered in the Forum, can someone please share link to that thread?

Thanx

 

[Ralston18]

ISP?

Make and model of ISP provided WiFi Router?

What other routers (if any) do you have available? (You mentioned a "range-extender router" - do you actually have that device?)

 

[bill001g]

Tplink and asus routers have pretty good parental controls. Read the online manuals to see which you like better. This software tends to be the same on the whole line of routers.

If you have a separate modem you should be able to just swap out the ISP router. It can still be done if the device is modem/router combo but it is a bit more complex.

URL blocking does not work very well anymore. You can block IP addresses but this can be hard when a site has multiple. The problem with URL blocking is you can no longer see the URL it is encrypted by HTTPS. So the next trick is to try to intercept the DNS. There are 2 issues, first all the end user does it talk directly to the DNS rather than use the router DNS. Next these DNS packets are now starting to be encrypted. Things like chrome have support for encrypted DNS.

So you can block IP addresses but even that can have issues. Many servers share the same IP because of hosting sites so you may block other sites as well as the ones you want.

The part of parental controls that works good.....most the time... is the time of day access. This works best if you can turn it on and off for all devices. Mac addresses on many devices are easily changed so you would have to put in a rule that blocks all mac address and then allows certain one at different times. We will pretend the "hacker" does not try to duplicate the mac of the devices that are allowed after hours.

Your range extender can cause issues depending how you actually installed it. If it runs as AP or repeater then you main router sees the mac addresses of the actual devices. Since you mention another subnet that means the device is likely running as a router. Running in this mode makes all device appear to come from the mac and IP address of the router rather than the actual end devices. There is no way to fix this since that is what a router is suppose to do. You would either have to put the security on the second router also or change the way you use it so it is not running as a router.

 

[bill001g]

Another thought if you think someone may make a attempt to bypass you.

Maybe keep the ISP router but change the wifi passwords so only your trusted users know it. You would then put the new router with parental controls behind it. This router you would use a different wifi network and password. In this way you could put in more strict rules and since there would be no device allowed to bypass it would make it harder to hack past. All your trusted users traffic would go directly to the main router bypassing the second router. Then again nothing stops very determined teens that have physical access.

 

[zeeshardware]

ISP?

Make and model of ISP provided WiFi Router?

What other routers (if any) do you have available? (You mentioned a "range-extender router" - do you actually have that device?)

So, I have attached an overall layout at my place. There are in-effect 2 WiFi Networks working in the home (say SSID1 and SSID2).

• Both have different types of devices connected to them (directly or indirectly), which access internet.
• SSID1 has additionally a WiFi range-extender. And again, devices connect to SSID1 via the range-extender.
• SSID1 has LAN connectivity to SetTop Box, as well as a LAN uplink to Personal WiFi router.
• The personal router is hosting the 2nd network SSID2. Again, devices connect through it and access internet.

As per my meek understanding, I need a parental control device at the yellow-dotted line location. My colleagues here advised me to go for Archer AX50 (with HomeCare). They say that I hide the ISP router WiFi network and use Archer WiFi as the primary network.
The ISP router offers basic parental control measures. But they are primitive in nature, plus they do not work properly (or maybe I am unable to configure them properly 🤔). I need some reliable hardware which works seamlessly, meeting my networking requirements. I mean, I dont know whether AX50 would be able to block every type of YouTube access (PC browser or android app or iOS) with single click or check-box? or whether its time schedule for internet access model works good with Android or iOS devices effectively? Can I allow/ disallow specific URLs (or YouTube etc) on a particular device MACs? I mean, I want my kids to use Zoom on PC for their online schooling, but do not want their PCs to be able to access YouTube during school hours or to allow internet access on their tabs etc.

Thanx

 

[zeeshardware]

Another thought if you think someone may make a attempt to bypass you.

Maybe keep the ISP router but change the wifi passwords so only your trusted users know it. You would then put the new router with parental controls behind it. This router you would use a different wifi network and password. In this way you could put in more strict rules and since there would be no device allowed to bypass it would make it harder to hack past. All your trusted users traffic would go directly to the main router bypassing the second router. Then again nothing stops very determined teens that have physical access.

True...!!! Teens these days...!!!
An you are right, (just go through the uploaded image), I'd have to use the Personal WiFi router in the repeater mode. I think thats one of the reason that its Parental Control aint working properly.
Anyway, I'd still appreciate advice on Asus or TPLink model...?

Thanx

 

[bill001g]

So are any of the device you want to limit on the tenda router. These devices will all appear to come from the router and can not be separated. You would run this as a AP if you needed to restrict this. When it runs as a AP the mac addresses are passed through to the main router.

Anything connected via the range extender you will be able to see the mac addresses.

You can place the new router at the yellow line. I would leave the ISP router Wifi enabled so you don't have to put rules in the new router for device that can bypass the restrictions. You would connect the settop box directly to the main router also for the same reason.

It has been a while since I played with the parental controls. What you can do is define a pool of mac addresses let say called kidsdevices. You then place rules on this group of devices. I would also look at the merlin firmware it runs on many asus routers. It has a little more advanced firewall/parental rules. If you want a very advanced solution you can load third party firmware like dd-wrt on many routers. Be aware you get too fancy of rules and the router CPU will not keep up. For every packet it needs to scan all the rules.

This is also why if you can find a way to not run traffic that is not restricted though the router it will help.