Kids Filtered Separate Wi-Fi

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Contributions Upload
Author Message
ciscodlink
DD-WRT User


Joined: 13 May 2014
Posts: 273

PostPosted: Sun Apr 03, 2022 17:52    Post subject: Kids Filtered Separate Wi-Fi Reply with quote
First of all I want to say that I am 100% against censorship in all its forms except the in the case of what you present to your own young children on your own internet connection and before setting this up ask yourself these questions:

1. Is it too late? (Have your children already had massive unfeathered access to internet? Do they have their own cell phone data plans on their devices? Do they have passwords for their friends and neighbors wifi?)

2. Do you want to limit a reasonable amount of internet access or ALL of the internet? (No system is 100% effective. Something is eventually going to leak through. Children can be quite smart and determined.)

3. Is this really going to be worth the fight that it inevitably causes?

4. When do you plan to Undo this?

With those consider points considered I will now tell you how to set this up and pray that it is used only for good.


First thing you're going to have to have DD-WRT installed for the any of these instructions to make any sense play. (I set this up on the beta version of 3.0-r47822)

I'm also assuming that you already have a working/properly configured router and have logined in to the management webpage.

Click on the "Wireless" tab on the top banner.
Determine whether you want to offer a 5GHz or 2.4 GHz guest network. (I would recommend 2.4 GHz for the slower speed and compatibility)

Click on the associated "Add Virtual AP" blue box.

Enter a WiFi name into the box to the right of "Wireless Network Name (SSID)"

Click the check box to the right of "Advanced Settings"

At the bottom of the newly-revealed options:
Click the "Unbridged" round button to the right of "Configuration".

Click the "Enable" round button of "Multicast Forwarding". (Although this seems to not work with the built-in MiniDLNA server.)

Click the "Enable" round button to the right of "Masquerade/Nat".

Click the "Enable" round button to the right of "Filter WAN NAT Redirection".

Click the "Disable" round button to the right of "Net Isolation".

Click the "Enable" round button to the right of "Forced DNS Redirection". This will reveal a new set of boxes below labeled "Optional DNS Target".

In those boxes enter "185 228 168 168"
(This is a special public DNS server that tries to filter the internet to make it all family friendly and locks YouTube to "restricted mode" and Google to safe search.) (You could replace it with any other DNS service you wish).

In the boxes to the right of "IP address" you will define a separate "Subnet" for the rest of the this guide I will assume that you entered "192 168 2 1 / 24".

Click the "Apply Settings" blue button and wait for the WiFi networks to reset. (Don't click "Save" on this page as it can cause errors)

It is important to point out that in modern times "Forced DNS Redirection" is easily defeatable by enabling "Secure DNS/DNS over HTTPS/DNS over TLS" in browsers that support those features. The only way to prevent this is to use manually block Secure DNS Servers. (see below for a list of DNS servers you might consider blocking)
OR you could enable Secure DNS for "Clean Browsing (Family Filter)" on the kids devices so that even when not connected to the wifi the internet is filtered; at least until the disables the feature.


Click the "Wireless Security" tab on the 2nd banner.

In the associated newly created WiFi box:
Select "WPA" from the pull down option to the right of "Security Mode"

Check the box to the left of "WPA2 Personal"

Check the box to the left of "CCMP-128 (AES)"

Type in a password of reasonable quality in the box to the right of "WPA Shared Key" (Reasonable quality in modern times is probably 8+ characters with lower case letters, numbers, symbols and upper case letters)

Passwords should be rememberable or you can make qr codes with WiFi credentials.

It might be tempting to have no password however don't because that means that there would be no encryption between the Wi-Fi connections and anyone in the neighborhood could spy on your internet browsing.

Click on the "Apply Settings" blue button at the bottom again.

Click on the "Setup" tab on the 1st banner.

Click on the "Networking" tab on the 2nd banner.

For my router and setup the "Virtual AP" was labeled wlan1.2 so I'll be using that as the example going forward.

You might consider changing the "MAC Address" in the box labeled "Network Configuration wlan1.2" to something like "AA:AA:AA:AA:AA:AE".
(I recommend changing default MAC/Ip addresses, ports and usernames/passwords as anything left as default gives a hint to hackers)

In box labeled "Multiple DHCP Server" click the "Add" blue button.

Select "wlan1.2" in the box directly to the right of the new added line. (It is probably labeled "DHCP 0")

Click "Apply" blue button at the bottom.

At this point you should have a fully functioning separate WiFi being filtered by the DNS server and it would be a good time to connect to it and test it out for both sites that should and shouldn't be allowed.

(Take note that network services directly offered by the router, like SAMBA, might still be accessible, while devices like network printers probably won't be accessible without special extra configuration)

Click the "Access Restrictions" tab on the top banner

Click the "Enable" button to the right of "Status"

Enter "Kids Filters" in the box to the right of "Policy Name"

The "Interface" option seems not to work so instead we will:

Click the "Edit List Of Clients" blue button. This will open a pop-up window.

Enter "192 168 2 1~192 168 2 254" in the boxes to the right of "IP Range 01"

Click the "Apply Settings" blue button.

Click the "Close" blue button.

Click the check box to the right of "Catch all P2P Protocols".

The selection box directly below the previous check box would allow you select a specific service to TRY to block. (I say try because things like YouTube are now encrypted so it doesn't work). This option is probably overkill and might slow down your network speeds.

The "Website Blocking by URL Address" section is probably useless in modern times because it can't block HTTPS connections.

The "Website Blocking by Keyword" section allows you to enter words like "minecraft" to specifically block any website with "minecraft" in any part of the URL. (Again probably useless because of HTTPS)

Click the "Apply Settings" blue button.

The next two policies will block the internet during bedtime.

Select "2()" in the pull down menu to the right of "Policy"

Click the "Enable" button to the right of "Status"

Enter "Kids Bedtime Morning" in the box to the right of "Policy Name"

Edit the list of clients as described above.

Click the button to the left of "Deny".

Click the button to the right of "From".

In military time enter 0:00 To 6:00 in the pull down menus to the right of the previous button. (you can replace 6:00 with your preferred wakeup time)

Click the "Apply Settings" blue button.

Select "3()" in the pull down menu to the right of "Policy"

Click the "Enable" button to the right of "Status"

Enter "Kids Bedtime Night" in the box to the right of "Policy Name"

Edit the list of clients as described above.

Click the button to the left of "Deny".

Click the button to the right of "From".

In military time enter 21:00 To 23:59 in the pull down menus to the right of the previous button. (you can replace 21:00 with your preferred go to sleep time)

Click the "Apply Settings" blue button.

The following is the a policy example to implement a rudimentary "screen time" limitation by disabling the internet on the odd hours. (To be fully implemented follow this example for every odd hour in between the bedtimes.)

Select "4()" in the pull down menu to the right of "Policy"

Click the "Enable" button to the right of "Status"

Enter "Kids Off During Odd Hours 7AM" in the box to the right of "Policy Name"

Edit the list of clients as described above.

Click the button to the left of "Deny".

Click the button to the right of "From".

In military time enter 7:00 To 8:00 in the pull down menus to the right of the previous button. (you can replace 7:00 To 8:00 with any range of time)

Click the "Apply Settings" blue button.

(Note: The router's clock must be accurately maintained with NTP for schedules to be accurate)

Click the "Summary" blue button.

If you correctly followed the previous example the summary should look like this:

1.Kids Filters SMTWTFS 24 Hours.
2.Kids Bedtime Morning SMTWTFS 00:00 - 06:00
3.Kids Bedtime Night SMTWTFS 21:00 - 23:59
4.Kids Off During Odd Hours 7AM SMTWTFS 07:00 - 08:00
5.Kids Off During Odd Hours 9AM SMTWTFS 09:00 - 10:00
6.Kids Off During Odd Hours 11AM SMTWTFS 11:00 - 12:00
7.Kids Off During Odd Hours 1PM SMTWTFS 13:00 - 14:00
8.Kids Off During Odd Hours 3PM SMTWTFS 15:00 - 16:00
9.Kids Off During Odd Hours 5PM SMTWTFS 17:00 - 18:00
10.Kids Off During Odd Hours 7PM SMTWTFS 19:00 - 20:00

These access restrictions will not disconnect your devices from the network, however many cell phones are configured by default to disconnect or use cell data when internet access is not available on the WiFi.

This last addition is to specifically block YouTube via the website and the app.

Many parents many would say it has far too much of an influence their children with it's massive amounts of advertisements, unboxing videos, ceaseless amounts of overstimulation and many other problems.

If you do not apply this extra blocking and still use the DNS server above YouTube will still be locked in "restricted mode" which is more middle ground approach.

Click the "Administration" tab on the top banner.

Click the "Commands" tab on the second banner.

Click the "Edit" blue button in the "Firewall" box. (More than likely this box is empty.)

At the bottom of the "Commands" box enter this long line:

Code:
iptables -t filter -I FORWARD -s 192.168.2.1/24 -d 64.18.0.0/20,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,173.194.0.0/16,207.126.144.0/20,209.85.128.0/17,216.58.208.0/20,216.239.32.0/19 -j DROP


Click the "Save Firewall" blue button.

Everything should be working now so it would make sense to connect to the WiFi and make sure everything is working correctly. Remember based on the time the internet sometimes won't be available.

Obviously this process could be far more automated. There is probably some room for improvement in the settings choices; In particular I would like dnsmasq to handle both subnets and minidlna to work on both networks.
I would even dare to suggest that a long "nvram" command one liner might be called for so people can set this up more easily.

The following is a a good selection of dns servers to block (a few of which also support Secure DNS/DNS over HTTPS/DNS over TLS) (Presented in Dnsmasq format which admittedly is not that useful for dhcpd)

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331307
Sponsor
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Apr 04, 2022 10:08    Post subject: Reply with quote
Sorry I didnt read though this massive wall of text, Im not going to complain because kudos to you for actually detailing what you want and steps etc.

Its possible it works no additional iptable configs needs.

See https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1260059#1260059 that's it, no more is needed. and also on that post I link a wiki page that details this setup.

It works on both 2.4 and 5Ghz VAPs as long as the setup shown on screenshots is done as shown.

NOTE: I have since then set `Wireless GUI Access` to disabled.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
ciscodlink
DD-WRT User


Joined: 13 May 2014
Posts: 273

PostPosted: Mon Apr 04, 2022 13:07    Post subject: Reply with quote
the-joker wrote:
Sorry I didnt read though this massive wall of text, Im not going to complain because kudos to you for actually detailing what you want and steps etc.

Its possible it works no additional iptable configs needs.

See https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1260059#1260059 that's it, no more is needed. and also on that post I link a wiki page that details this setup.

It works on both 2.4 and 5Ghz VAPs as long as the setup shown on screenshots is done as shown.

NOTE: I have since then set `Wireless GUI Access` to disabled.


Brevity and Writing aren't my strong suit and I would welcome anyone who wants to try a revision.

Your link uses 1.0.0.1 as dns server which doesn't filter content, so it achieves a different goal.

The iptables command is to specifically block YouTube only and can be skipped.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Apr 04, 2022 13:18    Post subject: Reply with quote
Yes the DNS is optional to which suits your usage/type of setup better, there are many more suitable to filter adult and other content spyware etc, etc, etc.

As for the revision, not necessary, My post includes all the brevity and setup with screenshots.

I also turn the radios off during certain hours, I dont have kids to worry about, however shutting the radios off, or one in particular depending where the VAP is setup while leaving the other radio ON for adult usage is also of interest.

I turn both radios off when everyone is asleep, so during those times any drive by opportunists find nothing to possibly try to hack in.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Display posts from previous:    Page 1 of 1
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Contributions Upload All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum