Looking for mid to high end router with specific access control/parental control features

rak1983

I just unboxed an Asus RT-AXE7800 and am pretty annoyed to find out it doesn't have controls to block client access to specific domains. I am trying to upgrade from a TP-Link AC1750, which doesn't have very complex configuration but it does have this basic kind of control. I currently use the AdGuard DNS with safesearch/parental filtering along with the AC1750 access control to block youtube and reddit as well.

I guess I misread the AXE7800 user guide before purchasing and confused the parental controls and firewall settings. The firewall settings can block a domain/URL but it applies to all clients, I don't want that.

I want to basically be able to create a few groups of clients and have different allow/deny lists for each. One group is parents' devices (IP assigned by MAC address), those can access anything. Another group is public devices, those have youtube/reddit/etc. blocked, this is the default DHCP group. Another group I'd like to have is a device with a short allowlist of just kids websites we're ok with essentially unmonitored access.

I don't like that the Asus Parental Controls doesn't provide enough control. Whenever I see a device advertise Parental Controls it makes me think it will be similar - something that attempts to do it all for you without providing any control. I am a software/IT professional, I am not afraid of doing my own configuration, I'm not afraid of custom firmware, writing scripts, etc. What options do I have for a router that lets me have the level of control I'm describing?
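The three-group policy described in this post, modelled as a per-client DNS decision function. This is an added example, not part of the original post and not any router's own code; the MAC addresses and the `.example` allowlist domains are constructed, and the group names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    mode: str                        # "allow_all", "denylist" or "allowlist"
    domains: frozenset = frozenset()

# Constructed policy mirroring the post: parents, public (default), kids.
GROUPS = {
    "parents": Group("allow_all"),
    "public": Group("denylist", frozenset({"youtube.com", "reddit.com"})),
    "kids": Group("allowlist", frozenset({"kids-site.example", "school.example"})),
}
MAC_TO_GROUP = {                     # constructed static assignments
    "00:11:22:00:00:01": "parents",
    "00:11:22:00:00:02": "kids",
}
DEFAULT_GROUP = "public"             # unknown clients get the restricted default

def matches(qname, domains):
    """True if qname is a listed domain or a subdomain of one (label-wise)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def is_locally_administered(mac):
    """Randomized Wi-Fi MACs set the locally-administered bit of octet 0."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def group_for(mac):
    # A randomized MAC never matches a static entry, so it lands in the default.
    return MAC_TO_GROUP.get(mac.lower(), DEFAULT_GROUP)

def decide(mac, qname):
    """Return "allow" or "block" for a DNS name queried by this client."""
    group = GROUPS[group_for(mac)]
    if group.mode == "allow_all":
        return "allow"
    hit = matches(qname, group.domains)
    if group.mode == "allowlist":
        return "allow" if hit else "block"
    return "block" if hit else "allow"

if __name__ == "__main__":
    for mac, name in [("00:11:22:00:00:01", "www.youtube.com"),
                      ("da:a1:19:00:00:09", "www.youtube.com"),
                      ("00:11:22:00:00:02", "games.kids-site.example")]:
        print(mac, name, group_for(mac), decide(mac, name))
```

Because the policy is keyed on MAC address, a device that presents a randomized MAC drops out of its assigned group; keeping the default group as the restricted one means it loses access rather than gaining it.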
 
A fast learning kid will go around your restrictions in 30 seconds or it can happen without any intentions. You have to block all known VPN/proxy servers, all known DNS-over-HTTPS servers, intercept and redirect DNS queries on port 53, block DNS-over-TLS port 853. Some popular browsers do auto DoH now, iOS devices have iCloud Private Relay, Android devices may use DoH and DoQ to Google, your IoTs may have factory preset DNS servers, etc. The minimum you need is an Asuswrt-Merlin supported home router. It allows running 3rd party scripts - DNS and IP blockers are available. This firmware also has DNS interception and redirection called DNS Director.

Popular models with Asuswrt-Merlin support are RT-AX86U Pro, RT-AX88U Pro, GT-AX6000, etc.

Of course you can do all of the above on a pfSense/OPNsense appliance plus much more advanced SSL proxy and packet inspection with application filtering.

You also have to restrict access to mobile networks. All of the above is useless if the device can connect to a mobile operator and has a data plan. One click and done.
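A way to check which clients are still resolving names outside the router's filter, covering the channels this post lists (plain DNS on port 53 to another resolver, DoT and DoQ on 853, DoH to a known resolver). This is an added example, not part of the original post or of Asuswrt-Merlin; the log lines are constructed in the style of firewall LOG output, the router address is assumed, and the DoH resolver set is a small sample rather than a complete list.

```python
import re
from collections import defaultdict

ROUTER = "192.168.1.1"               # assumed LAN resolver address
# Sample of well-known public resolvers that also answer DoH on 443.
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

FLOW = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

def classify(dst, proto, dport):
    """Label an outbound flow that carries DNS around the router's filter."""
    if dst == ROUTER:
        return None                  # queries to the router are filtered
    if dport == 53:
        return "plain-dns-to-other-resolver"   # candidate for redirection
    if dport == 853:
        return "dot" if proto == "TCP" else "doq"
    if dport == 443 and dst in DOH_RESOLVERS:
        return "doh-known-resolver"
    return None                      # VPNs and mobile data are not visible here

def audit(lines):
    """Map each client address to the set of bypass channels it used."""
    findings = defaultdict(set)
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3).upper(), int(m.group(4))
        label = classify(dst, proto, dport)
        if label:
            findings[src].add(label)
    return dict(findings)

SAMPLE = [  # constructed log lines
    "SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=53",
    "SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40001 DPT=53",
    "SRC=192.168.1.51 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40002 DPT=853",
    "SRC=192.168.1.51 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40003 DPT=853",
    "SRC=192.168.1.52 DST=9.9.9.9 LEN=60 PROTO=TCP SPT=40004 DPT=443",
    "SRC=192.168.1.52 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40005 DPT=443",
]

if __name__ == "__main__":
    for client, channels in sorted(audit(SAMPLE).items()):
        print(client, sorted(channels))
```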
 
A $10 sim card in a $30 smart phone w/hotspot...

Kids are pretty smart these days...
 
I guess I misread the AXE7800 user guide before purchasing and confused the parental controls and firewall settings.
Investigate similarly though perhaps more carefully the gl-inet flint2 and see if it'll offer more control for you.
 
A fast learning kid will go around your restrictions in 30 seconds or it can happen without any intentions. You have to block all known VPN/proxy servers, all known DNS-over-HTTPS servers, intercept and redirect DNS queries on port 53, block DNS-over-TLS port 853. Some popular browsers do auto DoH now, iOS devices have iCloud Private Relay, Android devices may use DoH and DoQ to Google, your IoTs may have factory preset DNS servers, etc. The minimum you need is an Asuswrt-Merlin supported home router. It allows running 3rd party scripts - DNS and IP blockers are available. This firmware also has DNS interception and redirection called DNS Director.

Popular models with Asuswrt-Merlin support are RT-AX86U Pro, RT-AX88U Pro, GT-AX6000, etc.

Of course you can do all of the above on a pfSense/OPNsense appliance plus much more advanced SSL proxy and packet inspection with application filtering.

You also have to restrict access to mobile networks. All of the above is useless if the device can connect to a mobile operator and has a data plan. One click and done.
Some of these things I just learned about browsing this forum. My kids are smart but still pretty young. I know it's an arms race but this stuff I mentioned will buy me at least a few years. I appreciate your response though, I also gathered from this forum that custom firmware seems to be the way to go. Does merlin have the kind of granular control I mentioned? For the models you listed are there any that are obviously better performance wise? I've seen the AX6000 mentioned a lot so that's what I'm leaning towards now. Thanks!
 
Investigate similarly though perhaps more carefully the gl-inet flint2 and see if it'll offer more control for you.
Thanks, the Flint 2 looks very comparable, has OpenWRT pre-installed, and is cheaper on Amazon. This might be the winner for me.
 
Parental control is the same, same user interface.
Merlin also allows scripts. Scripts can do anything, for instance parental control. A few years ago, I could write a script that was closer to my needs. It took significant learning though.
And the context was different. For instance, there was not so much MAC 'randomization' on Wi-Fi client side. And data plans were not so frequent for kids/teens.
 
