Parental Monitoring and Time Restriction

viking2
DD-WRT Novice


Joined: 09 Jun 2015
Posts: 18

Posted: Sat Aug 29, 2020 21:53    Post subject: Parental Monitoring and Time Restriction
I would like to monitor and later restrict my kids' web access. They use school Chromebooks and I am not able to install software or modify their connection to use a proxy (e.g. so that I could install a local proxy server).

I have a Linksys WRT-1900ACS with original firmware. If I install DD-WRT firmware, would I be able to do the following:

1. Monitor which websites have been visited, when and how long (daily reports).
For example:
8/29/20:
A. Local IP= 192.168.2.35: youtube.com total 3 hrs 15 min
10:15 - 12:15
13:00 - 14:15
B. Local IP= 192.168.2.40: roblox.com total 2 hrs 0 min
15:00-17:00
etc...

2. Set time restrictions for each device (based on IP) and website so that it stops connecting after time is up.
For example:
A. 192.168.2.35 - Youtube max 2 hrs total/day (any time of day)
B. 192.168.2.40 - Youtube max 1 hrs total/day (any time of day)
etc.

If not possible with DD-WRT firmware alone, are there other ways to accomplish the above?
(I have struggled with this for many months w/o finding a solution...)
TIA!!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Aug 30, 2020 4:27    Post subject:
Don't feel you're alone; the very nature of how the internet works makes this VERY difficult to accomplish. The internet was built to be fault tolerant. And thus all those attempting to control/limit access are necessarily fighting an uphill battle. In the end, given enough expertise and determination, nearly all attempts to control/limit access can be thwarted. And while I'm NOT an expert on the alternatives, what I can say is that most routers (including dd-wrt) do NOT have the capabilities you seek. Such capabilities would require "session management", where the router actively tracks users and their activities over time. Most manufacturers and developers will not invest the effort to add those kinds of capabilities. They consider it beyond the scope of what a router is expected to do. And to a great extent, they have a good argument. In the business world, a router would *never* be used as an applications platform. And the kinds of things you seek require the equivalent of an application.

A router is ultimately about *one* thing; moving packets from one network interface to another (typically between the WAN and LAN, but there could be others as well, like a VPN) as fast and efficiently as possible. Period. And that mentality (as justified as it may be) is the reason it's so hard to find what you seek. You'd have to find a router which was completely committed to this goal, and at the moment, I don't know of any (could be one, I just don't know of it).

All that said, the only thing I'm aware of that comes even close to your needs w/ dd-wrt is YAMON.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=314467

But I'm not an expert on YAMON. I know it has a lot of reporting capabilities, but I don't know if that includes parental controls and session management. I suspect not, but it might still be worth checking out.

Btw, in the case of dd-wrt, AR (Access Restrictions) *used* to be somewhat helpful (but nothing close to what you need). But w/ the proliferation of https and encryption, AR is far less effective than it used to be (some might even say, approaching uselessness).

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
viking2
DD-WRT Novice


Joined: 09 Jun 2015
Posts: 18

Posted: Sun Aug 30, 2020 5:20    Post subject:
Thank you for your response. I will head over to the YAMon thread and ask the monitoring question.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Sep 02, 2020 19:10    Post subject:
Yep, your task is quite complex... and as eibgrad noted, you will need a complex solution...
With DD-WRT your hands are quite tied, unless you are familiar with different packages via Entware... and how to use those to sort out a complex task like yours...
YAMon will help you a lot with monitoring; as well, you can use DNSmasq logging to see what DNS requests were made through the network... but then limiting and timing is a sketchy job... very prone to fail...

On the other side, session management is quite good on another 3rd party firmware like Gargoyle, where you can do quotas, as well as other types of time/data based limitations... so you might need a combination of both... but even so, it will be sketchy... there might be better parental control on enterprise level systems, where the price will be way too high... or there might be an app for a PC, who knows....

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
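
The DNSmasq logging idea mentioned in the post above can be turned into something close to the daily report the original poster asked for. The sketch below is an added example, not code from any poster or from DD-WRT: it assumes dnsmasq's `log-queries` option is enabled, that one day of log is fed in, and it uses constructed sample lines; the function names and the 300-second idle gap are illustrative choices.

```shell
#!/bin/sh
# Added example: rough per-client, per-domain "sessions" from dnsmasq query logs.

# Constructed sample in dnsmasq log-queries format (not real traffic).
sample_log() {
cat <<'EOF'
Aug 29 10:15:02 dnsmasq[812]: query[A] www.youtube.com from 192.168.2.35
Aug 29 10:15:02 dnsmasq[812]: forwarded www.youtube.com to 185.228.168.64
Aug 29 10:18:30 dnsmasq[812]: query[AAAA] m.youtube.com from 192.168.2.35
Aug 29 10:22:10 dnsmasq[812]: query[A] www.youtube.com from 192.168.2.35
Aug 29 13:00:00 dnsmasq[812]: query[A] www.youtube.com from 192.168.2.35
Aug 29 13:03:00 dnsmasq[812]: query[A] www.youtube.com from 192.168.2.35
Aug 29 15:00:05 dnsmasq[812]: query[A] www.roblox.com from 192.168.2.40
Aug 29 15:04:00 dnsmasq[812]: query[A] www.roblox.com from 192.168.2.40
EOF
}

# stdin: one day of dnsmasq log lines in time order.
# $1: idle gap in seconds after which a new session starts (default 300).
# stdout: "<client ip> <domain> <minutes> min <start-end> ..." sorted by client.
dns_usage_report() {
    awk -v gap="${1:-300}" '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    function hhmm(s) { return sprintf("%02d:%02d", int(s/3600), int((s%3600)/60)) }
    function close_session(k) {
        total[k] += last[k] - start[k]
        spans[k] = spans[k] " " hhmm(start[k]) "-" hhmm(last[k])
    }
    # Only client queries count; "forwarded"/"reply" lines are skipped.
    $5 ~ /^query\[/ && $7 == "from" {
        # Naive reduction to the last two labels (wrong for e.g. co.uk zones).
        n = split($6, lab, ".")
        dom = (n >= 2) ? lab[n-1] "." lab[n] : $6
        k = $8 " " dom
        t = secs($3)
        if (!(k in start)) { start[k] = t }
        else if (t - last[k] > gap) { close_session(k); start[k] = t }
        last[k] = t
    }
    END {
        for (k in start) {
            close_session(k)
            printf "%s %d min%s\n", k, int(total[k]/60), spans[k]
        }
    }' | sort
}

sample_log | dns_usage_report 300
```

The totals measure the time between DNS lookups, not time spent watching: client-side caching hides activity, a single lookup yields a zero-length session, and anything resolved over DoH or DoT never appears in the log at all.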
msoengineer
DD-WRT Guru


Joined: 21 Jan 2017
Posts: 1782
Location: Illinois Moderator

Posted: Wed Sep 02, 2020 20:09    Post subject:
if only there was a wiki...

https://wiki.dd-wrt.com/wiki/index.php/Parental_control

There are specific packages out there to install on the router to help with parental controls, but the master at that left our group: <KONG>. He was a master at packages and helping out with that.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=902698#902698

Here are some other topics you can find by searching:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=279062

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1063800

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316991

_________________
FORUM RULES

TIPS/TRICKS: Best QCA Wifi Settings | Latency tricks | QoS Port priority | NEVER USE MU-MIMO |
Why to NOT use MU-MIMO | Max Wifi Pwr by Country | Linux Wifi Pwr | AC MCS & AX MCS | QCA 5Ghz chnls to use | WIFI Freq WIKI | TFTP R7800 | Don't buy AX | IPERF3 How-To

[R9000]52396 nightly (Main Router)
[EA8500]43192 & 45493 (2xOffsite)
[R7800] resting
[WDR3600]BS 44715 (Offsite)
[A7v5]BS 43038 (Offsite+spare napping)
Tetmohawk
DD-WRT Novice


Joined: 03 Apr 2020
Posts: 3

Posted: Wed Sep 02, 2020 21:48    Post subject: How I monitor school Chromebooks with dd-wrt
Hey, I noticed this looking for another topic. I've spent a fair bit of time figuring out how to monitor and protect my system from school Chromebooks. I have four children in school and they all have school issued Chromebooks with GoGuardian installed by the schools.

The schools monitor a lot. Email and chat conversations are monitored. I know this because my daughter and a friend were joking about suicide and the school notified us.

What I wanted was a method for monitoring and filtering activity as well as protecting my privacy from school computers and other non-personal devices like TVs, Roku, and gaming systems. Here's how I do it.

I've purchased a subscription to CleanBrowsing.org which gives me the ability to have multiple DNS addresses with different filters on each. I have kid profiles, a parent profile, an IoT profile, etc. Each profile has its own IP address.

Next I have dd-wrt configured to use dnsmasq configured with the following options:
no-resolv
server=185.228.168.64
server=185.228.169.64
cache-size=300

The above IP address is my most restrictive filter and is issued by CleanBrowsing.org.

Next, I have firewall rules that segregate out the different machines in my home to their respective CleanBrowsing profiles. I maintain a spreadsheet of every MAC address of every computer that we own and of visitors that come in often. I have a bash script that creates the firewall rules. See the attachment for my firewall rules.

Now I can log into CleanBrowsing.org and see the activity on my network.

Next, I needed to isolate the school Chromebooks. This was hard to figure out, but I have a process for doing it now. My instructions will be terse, but you should be able to do this with an up-to-date build of dd-wrt.

1) Create a virtual, wireless interface. Make sure it is UNBRIDGED. I say this because I had massive problems with the bridging that I haven't worked out yet. But I don't need bridging to isolate the Chromebooks. Give it an IP address and subnet mask. You can do all this on the Wireless -> Basic Settings tab. My device is called wl0.1 and is given on the page after you hit the apply button.

2) On the Wireless Security tab implement whatever security you want. I'm WPA2-PSK, CCMP-128 (AES).

3) Now go to the Setup -> Networking tab. There you should see your virtual interface with the IP address and subnet mask you put in on the previous page. Now look at the very bottom where there is the "Multiple DHCP Server" section. Click the add button and attach your device to it. After you hit the apply button you should see something like Interface wl0.1: IP 192.168.9.1/255.255.255.0.

You can also ssh into your router and look at /tmp/dnsmasq.conf and you will see that it has automatically given the following dnsmasq options:
interface=br0,wl0.1
dhcp-option=wl0.1,3,192.168.9.1
dhcp-range=wl0.1,192.168.9.100,192.168.9.149,255.255.255.0,1440m

4) Now things didn't work for me so I had to add the following to the top of my firewall rules:
iptables -t nat -A PREROUTING -i wl0.1 -p tcp --dport 53 -j DNAT --to-destination 185.228.168.64
iptables -t nat -A PREROUTING -i wl0.1 -p udp --dport 53 -j DNAT --to-destination 185.228.169.64

5) Now it all worked for me. But the subnet isn't isolated. To do that I had to add the following to the firewall rules:
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j DROP

The first rule prevents anything in the subnet from getting to the other computers and the second rule does the opposite. In principle, the second rule isn't needed if you don't care about your personal computers getting to the school computers, but in this case I do.

6) Finally, I prevent the school computers from getting into the main wireless network because my kids know the SSID and passphrase for it. Here is a sample firewall rule for one of them:
iptables -I INPUT -i br0 -m mac --mac-source 10:...:45 -j DROP
iptables -I FORWARD -i br0 -m mac --mac-source 10:..:45 -j DROP

There are probably some ways this can be done better. Apparently you can't do logging with dnsmasq in dd-wrt so that's a minus to me as I want to have finer grained knowledge of what the kids are doing. One idea I have is to create a virtual machine with dnsmasq on one of my servers and forward dnsmasq requests there. With logging turned on there I can see what they are doing. But this is just an idea and I haven't tested it yet.

Feel free to make some useful recommendations. And if you want more details just ask.



Attachment: dd-wrt_example_firewall.txt (1.93 KB)
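
The post above describes a script that turns a MAC inventory into per-profile firewall rules; that script is in the attachment and is not shown on this page. The following is an added example of the same idea, not Tetmohawk's script: the inventory format, function names, sample MACs and the `parent`/`iot` resolver addresses are constructed placeholders, and the rules are only printed for review, never applied.

```shell
#!/bin/sh
# Added example: print (never apply) per-device forced-DNS rules from a MAC inventory.

# Map a profile name to its filtering resolver. Only the "kids" address is
# from the post; the others are placeholders from the 192.0.2.0/24 doc range.
profile_dns() {
    case "$1" in
        kids)   echo "185.228.168.64" ;;
        parent) echo "192.0.2.10" ;;   # placeholder
        iot)    echo "192.0.2.20" ;;   # placeholder
        *)      return 1 ;;
    esac
}

# Accept only full aa:bb:cc:dd:ee:ff addresses so a typo never reaches iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# stdin: "mac,profile" lines; stdout: iptables commands for review.
gen_rules() {
    while IFS=, read -r mac profile; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "# skipped: malformed MAC '$mac'"; continue
        fi
        if ! dns=$(profile_dns "$profile"); then
            echo "# skipped: unknown profile '$profile' for $mac"; continue
        fi
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i br0 -m mac --mac-source $mac -p $proto --dport 53 -j DNAT --to-destination $dns"
        done
    done
    # DNS over TLS uses TCP 853 and would bypass the port-53 redirect.
    echo "iptables -I FORWARD -p tcp --dport 853 -j REJECT"
}

# Constructed inventory (locally administered MACs, not real devices).
sample_inventory() {
cat <<'EOF'
# mac,profile
02:00:00:00:00:35,kids
02:00:00:00:00:40,iot
02:00:00:00:zz:41,kids
02:00:00:00:00:42,guest
EOF
}

sample_inventory | gen_rules
```

Malformed or unassigned entries come out as `# skipped` comments instead of rules, so a spreadsheet typo shows up in review rather than silently leaving a device unfiltered.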

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Thu Sep 03, 2020 10:36    Post subject: Re: How I monitor school Chromebooks with dd-wrt
Great reply, time devoted and approach to the subject...
I've done something similar for a school setup... and it all went down the toilet once the clever kids found out how to use browser DoH, Stubby DoT, DNSCrypt, Tor, VPN, change their MAC address, force IPs and so on... that's why I said it's a sketchy job and a no-win situation...
Of course there are some tricks to prevent the use of DoH, DoT, DNSCrypt, but you still have to battle with clever kids that will spread the mitigations like covid....
Best bet: cut off all stuff via iptables rules and allow only those services/sites that you want... ;) and even though... VPN, Tor will blast you off... kids are the best hackers, believe me...

Tetmohawk
DD-WRT Novice


Joined: 03 Apr 2020
Posts: 3

Posted: Thu Sep 03, 2020 14:55    Post subject:
Oh yeah, DoH and DoT are something I've also anticipated. I probably should have told you another aspect. While I can't do anything with their school Chromebooks, I've given them all refurbished Chromebooks with ChromeOS wiped and GalliumOS (Ubuntu for Chromebooks) put on. There I do several things. I forward to CleanBrowsing in case they aren't in my router. I also use the firewall to block DoT and force the browser through e2guardian. By forcing them through e2guardian you can do content blocking and URL blocking even though it gets through DoT and DoH. Someone please correct me if this is wrong, but I've tested it to my satisfaction.

And another thing. I use Qustodio on their phones, Kindles, etc. for blocking incoming stuff. And those devices are also connected to CleanBrowsing through the Private DNS settings on Android. So basically every computer has CleanBrowsing and some sort of incoming filter like e2guardian or Qustodio.
cwoodhouse
DD-WRT Novice


Joined: 16 May 2021
Posts: 1

Posted: Sun May 16, 2021 12:54    Post subject: Parental Monitoring and Time Restriction
I use HomeAssistant to control the house and it can SSH into any device. All I need is the shell command on dd-wrt to activate or deactivate a parental control profile. Does anyone know what command that might be? Thanks.