Juglar

Occasional Visitor
I share here the parental control that I have begun to use at home for my student siblings, in case it can be useful to any other person. It may also serve as more examples of iptables – ipsets and traffic control.

It is based on the available Merlin’s parental controls, to which I’ve added some simple, but I think interesting extensions (based, as Merlin’s, on linux iptables-ipsets and traffic control).

Requirements

What I was mainly looking for was some kind of restrictions which could allow my siblings to use the Internet for study or investigation (even for normal navigation or leisure), but that dissuaded them from playing on-line games (like League Of Legends), which are their strongest time-stealer. To the Merlin DNS filtering (like OpenDNS), which helped with that, I have added a Periodic Speed Limiting which complements it (in case of DNS bypassing, and allowing temporary release of the DNS filtering).

My second requirement was the possibility (offered by other published parental controls) to issue “timed tickets” which released the restrictions (individually and to individual sets of clients) for a limited time. Those tickets had to be very quickly and simply issued (for example, in the middle of a meeting) from outside home (when somehow the clients “justified” to me their need). It is this ticketing feature which would allow me to keep a stable restriction configuration, but with the flexibility to adapt to frequently-arising special needs.

And my third requirement was to be able to “group together” router clients to receive common treatment, independent from the other groups.

Features

Then, this parental control allows Internet access restrictions, flexibly tailored for each set of clients of the Asuswrt-Merlin-equipped router. Each client is internally identified by its MAC or by the IP address forcefully associated to its MAC. But, the user controls it by a short and easy to remember set name.

This parental control includes 4 main restrictions (which also cover the wired connections):

1.- Timed-Releasable Periodic Speed Limiting: alternating intervals of unlimited speed (50 sec) and of limited speed (10 sec) (configurable). The limited speed intervals make the gamer lose her games, while not cutting her internet connections. The restriction may be temporarily suspended. It may also be useful (maybe changing the parameters) to jam-dissuade chat connections, like skype.

2.- Timed-Releasable IP-MAC client white list: any client whose IP-MAC pair is not included in the list is rejected. This makes it difficult for a client to fake by manually assigning itself an IP with less restricted access.

3.- Timed-Releasable DNS Filtering: Exactly the same DNS Filtering restriction offered by Merlin, but with the possibility of temporarily suspending it. It easily could also be made subject to a time-schedule, independent from the general Time Scheduling.

4.- Timed-Releasable Time Scheduling: similar to the same restriction offered by Merlin, but programmed in a script with linux iptables, which allows quite more flexible and compact schedule definition, common treatment sets and temporary suspension.


Each of these 4 restrictions is independently releasable for a specified number of minutes (“0” minutes means permanently), for any pre-defined set of clients, by remotely (SSH) issuing a timed ticket (which can be modified later), after which the restriction is re-applied again.

The Periodic Speed Limiting, "game-jamming" approach saves the router administrator the need for finding out and updating the blocking mechanism (like huge sets of IPs or of Ports) of most current and future fast interactive games, which I find to be the most addictive to my siblings.

Installation and configuration

The set of files is in the enclosed JuglarParentalControl.zip file (please rename .pdf to .zip).

In the JuglarParentalControl_instructions.doc instructions document, included in the zip, I explain how to install and configure it.

How I use it

After installation and configuration, the restrictions are kept in-place even after Merlin’s rebooting or reconfigurations.

If any of my siblings tells, phones or whatsapps me and convinces me that she now needs any restriction released, I “issue a ticket” for the IP set that contains her desired client and for a number of minutes (0 means indefinitely, until next reboot). The ticket may be for one of the 4 restrictions. Or for 3 of them at the same time, which grants her full unlimited internet access. Any time after, I can modify the remaining timeout, by issuing a new ticket for the same IP set. I easily remember the IP set name, because it is named with her name's initial letter.

To issue the ticket, I connect to the Merlin router (from home or outside) through SSH (I use JuiceSSH from my android mobile, which has all the login info, so, I just have to press my most used connection and it takes me to the linux root prompt), in subdir /tmp/home/root. There, I type one of five available ticket commands, and a first argument with the set name and, sometimes, a second argument with the number of minutes. The following examples better explain how. As you see, using short-named commands and sets allows the least possible keystrokes on my mobile.

Example command    Commentary

ts j 180           Ticket Speed to IP set “j” for 180 minutes (j, for Joan)
td dm 60           Ticket DNS to IP set “dm” for 60 minutes (dm for Dan’s mobile, etc)
tt t               Ticket Time to IP set “t” for default (30) minutes
tk v 90            Ticket to set “v” for 90 minutes for the three restrictions simultaneously: Speed, DNS and Time
tm 12              Ticket MAC for 12 minutes (to any new IP).
                   This “tm” command doesn’t use the “set” argument, as it releases the IP-MAC pair restriction, which grants Internet access to any new unconfigured, even unknown, IP-MAC client

Of course, these commands are entered by the “Enter” key.

DNS filtering might also be made Time-Scheduled by a simple modification. I don’t need it, but, if anyone is interested and does not see how from the code in the scripts, please ask me.

If you use it, I would like to know your experience, thanks.

Hope you enjoy it and my apologies to your siblings. Hope they don't hate it too much.

Juglar.
 

Attachments

  • JuglarParentalControl_170609.pdf
    34.9 KB · Views: 402
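
An added sketch, not the scripts from JuglarParentalControl.zip and not Asuswrt-Merlin code: one way to implement the timed tickets described in the post above is to let the kernel do the expiry, by adding the client set to a "released" ipset with a timeout that a rule at the top of the restriction chain checks. The set names (`pc_<name>`, `rel_<kind>`) and chain name are hypothetical, and an ipset 6 or later build with the `list:set` type and timeout support is assumed. The functions only print the commands (dry run).

```shell
#!/bin/sh
# Added illustration: NOT the scripts from JuglarParentalControl.zip.
# Dry run: the functions only print commands, so the logic can be reviewed
# (and tested) without touching the router's netfilter state.
# Hypothetical names: client sets "pc_<name>", release sets "rel_<kind>".

DEFAULT_MIN=30        # the post's default ticket length
MAX_MIN=35791         # ipset timeouts top out at 2147483 seconds

# One-time setup for a restriction: a list:set holding the *names* of
# released client sets, and a rule that lets its members skip the chain.
setup_cmds() {        # setup_cmds KIND CHAIN   (CHAIN is hypothetical)
    echo "ipset -exist create rel_$1 list:set timeout 0"
    echo "iptables -I $2 1 -m set --match-set rel_$1 src -j RETURN"
}

# ticket_cmds KIND SET [MINUTES]   KIND = speed | dns | time | all
ticket_cmds() {
    t_kind=$1 t_set=$2 t_min=${3:-$DEFAULT_MIN}
    # Runs as root over SSH: reject anything unexpected instead of
    # passing it on to ipset.
    case $t_set in ''|*[!a-z0-9]*) echo "bad set name" >&2; return 2;; esac
    case $t_min in ''|*[!0-9]*|0?*|??????*) echo "bad minutes" >&2; return 2;; esac
    [ "$t_min" -le "$MAX_MIN" ] || { echo "ticket too long" >&2; return 2; }
    case $t_kind in
        speed|dns|time) t_kinds=$t_kind ;;
        all)            t_kinds="speed dns time" ;;
        *) echo "bad kind" >&2; return 2 ;;
    esac
    # 0 minutes -> "timeout 0": the entry never expires (until flush/reboot).
    t_secs=$((t_min * 60))
    for k in $t_kinds; do
        # -exist makes a repeat ticket overwrite the remaining timeout
        # instead of failing because the entry is already present.
        echo "ipset -exist add rel_$k pc_$t_set timeout $t_secs"
    done
}

# Stand-alone use: ./ticket.sh speed j 180   (prints, does not execute)
if [ $# -gt 0 ]; then ticket_cmds "$@"; fi
```

When the timeout runs out the kernel drops the entry and the restriction applies again, so no cron job or background sleep is needed to re-arm it.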
Wow.. that looks pretty... comprehensive.
Might take a while to digest all that, but it definitely looks useful.. thank you for posting it

--
Tim
 
