RT-AX88U Parental Controls with Time Scheduling problems


Ben Perkins

New Around Here
Over the holidays I finally took the plunge on upgrading my wireless network. I retired my old RT-N66Rs (also running Merlin) and replaced them with an RT-AX88U (running Merlin 386.1_beta3) working as the main router, and then a RP-AC1900 (running stock 3.0.0.4.385_20630-ged5e4c3) serving as an AiMesh node to give me better coverage at the back of the house.

Overall, the solution is working great. Unfortunately, I did have an old issue with parental controls resurface though. When the time based controls for a given device kick in, new connections are blocked, but existing connections are not blocked (e.g. a Roku device that's streaming Netflix can keep on going for hours after the time when the controls are applied).

With older devices, there was a recommendation in the UI to disable NAT acceleration in order to make Time Scheduling work better. But with the AX88U, the recommendation has disappeared from the Parental Controls UI, and the option has disappeared entirely from the LAN->Switch Control section of the UI.

I've searched the forums and found:

- One thread confirming the option doesn't exist anymore: https://www.snbforums.com/threads/asus-ax88u-nat-acceleration-option.66145/
- One thread where @sturmstar indicates his AX88U parental controls work fine even with NAT acceleration on: https://www.snbforums.com/threads/p...on-for-more-precise-scheduling-control.63377/

Are others with AX88U seeing Time Scheduling work properly for existing connections? If so, can you give more information on what configuration options you have set?

Alternatively, can anyone suggest workarounds for this issue? For the moment I'm making use of the router reboot time scheduler to make sure no existing connections persist beyond midnight, but that's a little more brute force than I'd like.

Many thanks for any help or suggestions.

Ben
 

itpp20

Regular Contributor
When the time based controls for a given device kick in, new connections are blocked, but existing connections are not blocked (e.g. a Roku device that's streaming Netflix can keep on going for hours after the time when the controls are applied).
If that's the only issue you could add a scheduled script which runs conntrack to kill all connections; those that are not blocked will re-establish by themselves.
 

khg

Occasional Visitor
I have (and I think many of us have) a problem with parental control with time scheduling. I do not want to disable CTF because throughput declines to 100mb/s in that case. Very unfortunate situation all in all (feature or speed :( )
A possible workaround would be a scheduled script which blocks/unblocks the predefined client set. I can do it in the Asus mobile app: auto blocking is not working with CTF on, but I can click on the block and it works well. Is it possible to automate that block command?

Thanks -Gabor
 

khg

Occasional Visitor
Thanks for the idea, it seems very effective compared to continuous traffic analysis. I will try to implement it; however, I am not good at Linux scripting, but I am working in IT. So I'll try. Initial questions:
  • Put into service-start, but what happens if I would like to make an exception? Simply delete and add a new cron job?
  • It is not fully clear what blockall.sh and release.sh etc. are. Would you please attach those files?
Thanks again
 

itpp20

Regular Contributor
The script content is in italic, you can copy/paste them in the files as mentioned by their names. This is a manual thing as you also need to chmod them to be executable.

In services-start you can add:
cru a blockdev "30 22 * * sun,mon,tue,wed,thu sh /jffs/scripts/blockdev.sh"
cru a relall "0 7 * * * sh /jffs/scripts/relall.sh"

as per example, relall.sh is created by blockdev.sh

If you don't reboot then you need to paste both cru lines in a shell to activate it.

When making time changes you have to remove and add the cron jobs, for other changes just wait one day.

blockdev.sh is the main thing: it takes a MAC address, searches for the IP address, blocks that and also purges all active connections. The effect is immediate, accurate to 1 second, and does not depend on accelerated NAT being off.
 

Ben Perkins

New Around Here
If that's the only issue you could add a scheduled script which runs conntrack to kill all connections; those that are not blocked will re-establish by themselves.

Thank you for the ideas and your example.

It looks like if I want to keep using the scheduling interface built into the ASUS app/Merlin Web UI, I could just replace my current strategy of "reboot shortly after parental controls are enabled" with a scheduled execution of the following for each of the devices being managed by PC:

conntrack -D --src=x.x.x.x

Is that correct? This is basically just dropping every connection that's passing over the WAN interface of the router, for each of the given IPs?

Thanks again,
Ben
 

itpp20

Regular Contributor
Correct, given that you can get all the IPs PC has identified.
And also until your kids get smart about MAC evasion ;) mine ain't that smart yet.
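
The approach discussed in the posts above (resolve a device's IP from its MAC, block it in FORWARD, then delete its tracked connections with conntrack so established streams are cut too), as an added example; it is not itpp20's blockdev.sh, which is not reproduced on this page. The function names and the `ARP_TABLE` and `DRY_RUN` variables are hypothetical, and it assumes the firmware provides working `iptables` and `conntrack` binaries.

```shell
#!/bin/sh
# Added example: block one LAN client by MAC and drop its existing connections.
# ARP_TABLE and DRY_RUN are assumptions of this sketch, not firmware settings.
ARP_TABLE="${ARP_TABLE:-/proc/net/arp}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Accept only the aa:bb:cc:dd:ee:ff form; anything else is rejected early.
valid_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print every IPv4 address the kernel ARP table maps to this MAC.
# /proc/net/arp columns: IP, HW type, Flags, HW address, Mask, Device.
# Flags 0x0 marks an incomplete entry, which is skipped.
ips_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" \
        'NR > 1 && tolower($4) == mac && $3 != "0x0" { print $1 }' "$ARP_TABLE"
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Block new traffic first, then delete the tracked flows, so a stream that
# was already established stops as well.
block_mac() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 2; }
    ips=$(ips_for_mac "$1")
    [ -n "$ips" ] || { echo "no ARP entry for $1 (device offline?)" >&2; return 1; }
    for ip in $ips; do
        run iptables -I FORWARD -s "$ip" -j DROP
        run conntrack -D --src "$ip"
    done
}

if [ $# -gt 0 ]; then block_mac "$1"; fi
```

A device with no ARP entry at run time is reported and left unblocked, so the job has to run again once that device is online. The rule is keyed on the IP that the MAC resolved to, so a client that changes its MAC is no longer matched.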
 

Suzib6sw

Occasional Visitor
Ok.. playing around with the Parental Scheduling.. I happened to notice there are two places to set scheduling on.. 1: the "main way" aiprotection-parental controls-time scheduling.
This is how I normally set mine up but as others have noted, it sometimes doesn't seem to work on devices that are currently streaming/connected occasionally.
I was in the AI mesh section this morning, happened to click on the client tab on the right and then clicked on a client that IS in the parental section above and there is a Time Scheduling button in the client settings.. The Time scheduling button was off.. Toggling it and applying makes it persistent. Doing the same for a client that isn't on the parental scheduling takes you to the scheduling page to set it up.. I haven't played any more yet, but I wonder if this is the cause of the issues we sometimes see.. ?
 

khg

Occasional Visitor
Somehow I cannot get this live. conntrack is not working, or at least not as expected (for me). conntrack -L says: Operation failed: invalid parameters.
conntrack -D --src=192.168.1.67 says Operation failed: invalid parameters. I cannot cope with conntrack. Is something wrong on my side, or is it a beta4 issue?
(tried from two different ssh clients)
 

itpp20

Regular Contributor
Could be a router/firmware thing, here a RT-AC68U with Merlin RT-AC68U_384.17_0 firmware. Maybe beta4 uses something else for conntrack?
 

khg

Occasional Visitor
Maybe. But just to be safe: does conntrack -L or -D run w/o error? I have a stock firmware AC59 (AP mode) but conntrack: not found (maybe due to AP operating mode).
 

pbc

Regular Contributor
Ok.. playing around with the Parental Scheduling.. I happened to notice there are two places to set scheduling on.. 1: the "main way" aiprotection-parental controls-time scheduling.
This is how I normally set mine up but as others have noted, it sometimes doesn't seem to work on devices that are currently streaming/connected occasionally.
I was in the AI mesh section this morning, happened to click on the client tab on the right and then clicked on a client that IS in the parental section above and there is a Time Scheduling button in the client settings.. The Time scheduling button was off.. Toggling it and applying makes it persistent. Doing the same for a client that isn't on the parental scheduling takes you to the scheduling page to set it up.. I haven't played any more yet, but I wonder if this is the cause of the issues we sometimes see.. ?

Interesting, have you tried a schedule there vs the AI Protection?

FWIW, DD-WRT does the exact same thing where if the device is already on the network, it doesn't kick it off at the scheduled time, which renders the whole point of this somewhat useless given for most of us we are parents trying to force our kids off of their devices!

I never checked with stock Asus firmware if the time blocking did the same thing.
 

khg

Occasional Visitor
The solution introduced by itpp20 works perfectly. Fast and stable. Thanks for that.
One thing to add: I would regularly run the iptables delete script, because when kids boot up a device which was not active when the delete script was scheduled, they can use the internet with that new line in the FORWARD table. But this is fine tuning and for experienced kids :)
 
