Parental Control for Certain MAC

kretzu77 · April 20, 2017, 3:52pm

Hi all,

Can you help me please to set some parental control for certain IP/MAC?
It is a setup problem or openDNS doesn’t work?
I don’t want parental control for all router. I want for one IP/MAC (my kid’s tablet). I think is behind NAT of some sort.

HW: hEX RB750Gr3
ISP interface: PPPoE with fixed IP

What I have done and didn’t work:

Created a new IP Pool “parental_control”
Created new Adress for parental control
Created DHCP Server Lease for tablet with it
Created a new network with openDNS IP in DNS Server: 208.67.222.123

IP is from openDNS site: https://www.opendns.com/setupguide/?url=familyshield

And … … doesn’t work. I have no internet on tablet

If I replace DNS IP with 8.8.8.8, everything is fine.

Can you tell me what I do wrong?

There is some alternate solution?

Please help.

Thanks’

kretzu77 · April 22, 2017, 4:30pm

No ideas?

Sob · April 23, 2017, 4:27pm

Start by checking if you can access OpenDNS server at all, i.e. if ISP is not blocking it. For example from Windows device you can use:

nslookup - 208.67.222.123

Then enter some hostname and see if you get address.

kretzu77 · April 25, 2017, 12:50pm

Works

I receive the respunse

default server: resolver1-fs.opendns.com
address: 208.67.222.123

the problem is I don’t know how to setup mikrotik router

kretzu77 · May 5, 2017, 3:35pm

Nobody tried this or there is no solution for this kind of parental control?

Sob · May 6, 2017, 6:41pm

There’s probably some small error in your config. Either post complete export (run “/export hide-sensitive” in terminal) or just forget what you did and force all DNS requests from given MAC address to right server with dstnat:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether2-master protocol=udp \
    src-mac-address=6C:5F:1C:DB:F5:E9 to-addresses=208.67.222.123
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether2-master protocol=tcp \
    src-mac-address=6C:5F:1C:DB:F5:E9 to-addresses=208.67.222.123

kretzu77 · May 10, 2017, 8:31pm

I disabled all firewall rules and still nothing.

The only idea I have is to make a king of sub network from Mikrotik to another router (connected in WAN port), who has build in parental control.

There is some step by step tutorial for something like this?

freemannnn · May 10, 2017, 8:46pm

forget about different dhcp,pool,address for the tablet.
try these rules. i just tested them to my rb and they are working great. place them on top before other nat rules.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-mac-address=\
6C:5F:1C:DB:F5:E9 to-addresses=208.67.222.123 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-mac-address=\
6C:5F:1C:DB:F5:E9 to-addresses=208.67.222.123 to-ports=53

kretzu77 · May 12, 2017, 4:14am

And where I setup custom DNS, IP … for tablet?
I setup them manually on the tablet?

freemannnn · May 12, 2017, 5:47am

ip and dns is already specified in my rules.

th0massin0 · May 12, 2017, 6:39am

Simple test: set that dns directly on client (disable firewall o ROS) and check if it works. If not, your ISP blocks it.

reinerotto · May 12, 2017, 7:53am

I did a (commercial) clone of openDNS. Which also can be tailored for individual MACs. However, needs private server, and special router (non-MT; but openwrt/LEDE)

doneware · May 12, 2017, 8:13am

you mean like “dnsmasq --add-mac” ?
it is there in oWRT codebase since feb 2015. also part of dnrd (http://dnrd.sourceforge.net/)
the thing is that you can run it in a metarouter w/o problems, otoh metarouter is kind of limited with regards to overall deployment throughout the mikrotik ecosystem.

reinerotto · May 12, 2017, 8:49am

Yes, that is part of the story.

BartoszP · May 12, 2017, 11:05am

Freemannn rules just redirect any DNS queries made from particular MAC-address to 208.67.222.123 address so even your kids change DNS settings in their computer then DNS queries still be redirected to 208…
Just copy these rules and change MAC address … that’s a small “problem” that ROS has no MAC-ADDRESS lists, just IP address lists but … if you have managed to make static IP assigments in DHCP server or you know the IPs list you want to have under control then change rules Freemannnnn rules to

add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=Parental-Control-List-IPs to-addresses=208.67.222.123

kretzu77 · May 12, 2017, 3:31pm

I connected my laptop directly to ISP’s media converter, setup pppoe on laptop, changed DNS & worked. With Mikrotik doesn’t work if I change DNS on it (laptop with LAN connection).

I have my old Router (Asus RT-AC68U) and it has build in parental control. But only in router mode, of course.

Can you teach me how to create from Mikrotik router a kind of WAN for AV-68U? If this is possible
Now, I use it in AP only mode (I don’t think it will work in router mode if I use WAN port with cable from Mikrotik)

Otherwise, I’m forced to return it to seller and use my old Asus unfortunately.

Later:
I just discovered that, If I setup static IP on tablet (with default 8.8.8.8 DNS, nor openDNS), I have no internet.