Restricting Internet Access to Specific Times with OpenWRT

As littluns start to (d)evolve into grumpy teenagers, the level of access that they have to internet-connected devices tends to grow.

I've written in the past about controlling access to Youtube from Android devices and we continue to find that the Microsoft Family Safety is an important tool for setting and enforcing limits on the devices that it supports (unfortunately that support is lacking on things like Nintendo's Switch, Linux Laptops etc).

One of the core things that I wanted to enforce was time bounds: not allowing devices to be used outside of specific hours of the day in order to reduce the likelihood of secret device usage impacting sleep. Whilst it's an easy rule to put in place, we found that the presence of an automatic and technically enforced cut-off greatly reduced the number of "5 more minutes.... pleeease?" type discussions.

Our router runs OpenWRT which, it turns out, makes it absolutely trivial to add time based rules to cut connectivity.

This post discusses the process for enabling those as well as a caveat or two that I've found along the way - those caveats aren't OpenWRT specific and will apply to most time-control regimens.

Overview

In this post we're going to log into OpenWRT's LuCI web interface and create a time-based firewall rule, applied only to certain MAC or IP addresses. The OpenWRT docs give an overview of this process here.

The Process

Visit your router's IP in a browser and log in, then

  1. Choose Network --> Firewall and then click the Traffic Rules tab.
  2. Click Add
  3. Give the rule a memorable name
  4. Set protocol to Any
  5. Set Source Zone to LAN
  6. Set Destination Zone to Any Zone
  7. Set Action to reject

Populating the rule creation dialog

If you want to block a device by IP, choose Source address and enter or select the device's IP(s).

If you'd prefer to block by MAC, choose the Advanced Settings tab and in the Source MAC address choose the relevant addresses

Blocking specific MAC addresses

Be aware that, with sufficient access to the blocked device, it is possible for either of these to be changed (changing the IP is more likely to be within a teen's skillset, but changing a MAC isn't a huge challenge).

Once you've listed the devices that you want the rule to apply to, click the Time Restrictions tab and then enter a start and end time.

Setting Firewall Rule times

If you want to apply different rules at the weekend you can select Mon-Fri in Week Days (and then create a second copy of the rule to apply to Sat/Sun).

Click Save, then click Save & Apply at the bottom of the firewall rules screen.

Devices to Apply To

The process of creating a rule is incredibly straightforward. What's not quite so straightforward, is considering what to apply it to.

The obvious temptation is to apply it to all of their devices. However, this may prove to be a mistake.

For example, if the rule is applied to an Android mobile device, then the device will show

This network has no internet access

and automatically switch back to using mobile data.

As a result, not only will the device in question continue to be able to access the internet, it'll do so without passing through any local filtering controls (such as Pihole with a porn blocklist) that you might have on your network.

So, far from restricting $kid's activity, you might actually have reduced the level of control that you have, leaving nothing but a false sense of security.

Limitations of Technical Measures in General

Technical measures can almost always be circumvented, so should only ever be used as a fallback.

This really isn't helped by the fact that Google's attempt at parental control on Android is... well... shit.

I've written before about my dissapointment with Google's efforts and in particular the fact that having the "wrong" kind of Google account prevents you from using Google's Family Link at all.

Even if your account can use Family Link, there are still some critical limitations to be aware of:

There doesn't seem to be a mechanism by which you can prevent kids from turning their phone's Wifi hotspot on (allowing other devices unrestricted access to the internet via the phone's data connection).

When your child turns 13 (or if they already are over), Google gives them the ability to "end supervision" at any time, negating whatever controls you've put in place the first time that they become inconvenient:

Google Family Safety lets kids over 13 turn it off unilaterally

Because, clearly, the need for parenting ends right at the beginning of their teens...

Apple's devices are much better in this regard.

For example, Hotspot usage can be controlled via Parental Controls along with a wide range of other settings and no screwing about with "oh, sorry you've got the wrong type of account".

As another example, both Apple and Android devices sometimes use a random MAC address (android docs here). The feature is intended to protect user's privacy (and is normally a good thing) and can rather frustrate your OpenWRT configuration attempts whilst active.

Both device platforms allow this behaviour to be disabled but, crucially, only Apple's parental controls prevent it from being turned back on.

Conclusion

Implementing time-based restrictions can provide a good technical backstop to help enforce ground rules about after-bedtime usage, but you do need to put a little thought into how each restricted device will react to a loss of connectivity over the local network.

It's definitely preferable, where possible, to enforce time bounds on device. For example Nintendo's Parental Controls app allows rudimentary control of the Switch and Microsoft Family Safety allows quite fine-grained control on the platforms that it supports.

Essentially, you only want to enforce time restraints at the network level for devices which lack a secondary means of connection, otherwise you might actually just be lifting the controls that are in place during daytime hours.

If you haven't bought a device yet, there's a strong argument in favour of avoiding anything Google/Android. Not only do they not provide meaningful parental control mechanisms, but the tools that they do provide are easily bypassed and come with the caveat that a kids locations will be tracked. If your intention is to protect your child, then Google really is the wrong answer.

No technical measure can be fool-proof, they'll all over and under-block, so it's important to ensure that they are part of a wider solution: clear and consistent ground rules accompanied by conversations about safety and appropriateness.

That said, if you are using a router running OpenWRT, creating time based rules is incredibly straightforward and easy.

Share this post on Twitter Share this post on Reddit Share this post on LinkedIN Share this post via Whatsapp Share this post via Telegram Share this post via QQ Share this post via Email