tool kid-control

jp1 · December 29, 2017, 5:07pm

Found it playing with command line completion in the CLI of 6.41

Nothing in search results or official documentation.

I’m very interested. Anyone played with it or have further documentation?

rjscomms · December 30, 2017, 11:24am

Hi jp,

I had a look myself but got stumped on the user part under the device section.

I tried adding a normal user and a hotspot user (although the hotspot server was not running) and it did not accept the name I tried to enter for the user part.

It does look interesting though. I’ll try to remember to keep an eye on the wiki recent pages link.

Dave.

jp1 · January 9, 2018, 8:38pm

It’s been updated in the wiki!

doneware · January 15, 2018, 8:39pm

https://wiki.mikrotik.com/wiki/Manual:Kid-control

btw, the last 42rc (rc9) refers to it as /ip kid-control.

to be honest, identifying devices by their IP address is kind of dumb. especially since dual stack is not a thing and most of our kid’s devices support seamlessly IPv6. i learned it on a hard way - got my fine-tuned parental control stuff running ~2yrs ago and next day they were still watching youtube videos instead of doing their homework. iOS just uses whatever it is available, so the videos fell back to IPv6 as the browser realised the v4 content is accessible no more, without any user intervention.

and since all the devices implement IPv6 privacy extensions, a simple v6 capable terminal can have multiple v6 addresses simultaneously.

so my approach is based on mac address: i set up a mangle rule both for v4 and v6, where i assign all the device’s mac addresses to a marked connection, then in both firewalls (v4/v6) i can easily match on the flow and apply the necessary enforcement.

 6    chain=prerouting action=mark-connection new-connection-mark=kid1 
      passthrough=no src-mac-address=48:D7:05:AB:CD:EF 

 7    chain=prerouting action=mark-connection new-connection-mark= kid1 
      passthrough=no src-mac-address=88:CB:87:AE:12:34 

 8    chain=prerouting action=mark-connection new-connection-mark= kid2 
      passthrough=no src-mac-address=AC:87:A3:EF:53:D1 

 9    chain=prerouting action=mark-connection new-connection-mark= kid2 
      passthrough=no src-mac-address=5C:F5:DA:C7:F2:13

then scheduled events can enable & disable the respective firewall rules based on their “comment” value using regex matching.
i hope the kid-control will also utilise mac addresses soon.

normis · January 16, 2018, 12:39pm

Fixed the manual. It was moved to IP in last RC

pe1chl · January 16, 2018, 1:29pm

I agree, and it is a bit discomforting that even today such a feature is moved from “tool” to “ip”, apparently not recognizing the fact that there is “ipv6” as well.
IPv6 still appears to be very low on the MikroTik priority list. Most of the existing features and all of the new stuff only supports IPv4.

AlainCasault · January 16, 2018, 2:35pm

To be honest, what is it that we couldn’t do before by using fw filters and other facilities? I’ve been doing kid control for years.

Sent from Tapatalk

normis · January 16, 2018, 2:36pm

That’s not the point. It’s an interface for easier management of firewall rules. There will also be an App for this. More features will come too.

jp1 · January 16, 2018, 9:57pm

Much appreciated Normis. I think this could help us bring Mikrotik more into the residential market, where it’s mostly mikrotik==business for us at the moment.

Regarding using mac address instead of IP would not solve anything.. Many devices can produce a random mac address for security purposes. If they don’t do that, there is a good chance you can alter the mac address.

reinerotto · January 19, 2018, 2:32pm

Regarding using mac address instead of IP would not solve anything.. .<
No. Because it depends upon, how to use the MAC.
ALmost 2 years ago I did a commercial parental control device (AP/router) on openwrt, based on MAC-control. And DNS-hijacking. Unknown MACs have everything blocked, so faking the MAC addrs does not help.
Again, trying to put an application on top of RoS, which is too limited in functionality to achieve the goal perfectly.
Similar to hotspot functionality.
Open RoS, and the scenario changes.

netbus · February 4, 2018, 10:55am

Currently it is not working in 6.41.rc15.
No matches in dynamic Rules

Edit: I mean 6.42.rc15

lewekleonek · February 9, 2018, 1:04pm

How come that everyone including MikroTik’s wiki site: https://wiki.mikrotik.com/wiki/Manual:Kid-control says that kid-control is done under:

/ip kid-control

in 6.41.

hAP ac here with 6.41.1 upgrade (both RouterOS and Routerboard firmware) and I still see that kid-control is under:

/tool kid-control

Am I missing anything here?

netbus · April 19, 2018, 1:32pm

because ROS 6.42 is out I tried to give /ip kid-control a chance but I didn’t figure out how it works
I tried diffrent time windows but there is no dynamic reject policy set. when I manual pause some kid then ROS is setting dynamic reject policy.

And the second thing I don’t unterstand is “time for rate limited”
when I set some time window then this schedule is working reverse. for example I set 20:00 - 07:00 but queue is triggered from 07:00 - 20:00
Can anybody confirm?

gotsprings · April 19, 2018, 3:35pm

Testing it for the first time in 6.42.

I don’t see a dynamic firewall rule anywhere… and the “blocked device” is not blocked at all.

maidinekhalid · April 24, 2018, 9:20am

It’s the same for me

rasak · May 14, 2018, 11:30am

Hi, been trying to setup the Kid Control, however, it seems not to be working at all via WebFig

Kid added, Device added. But its impossible to create a schedule and Rate Limit via WebFig. Even manually pausing the kid doesn’t work - no FW rule created

but:

it works (limited functionality) when this is set via ssh. Then Im able to limit the schedule, devices and stuff. But Rate limit doesn’t work at all.
Data in WebFig is not updated at all (time schedule). I need to apply the rate limits, any ideas?

Tried on 6.42.1, the upgraded to 6.43rc11 - no change
Screen Shot 2018-05-14 at 13.29.08.png

etienneschwiz · May 15, 2018, 1:09pm

There already is an Android App that works with Mikrotik for kid control using standard FW rules.

Its called LANwize.

www.lanwize.com

netbus · May 15, 2018, 1:41pm

thanks for sharing this nice app but this app is independet from the mikrotik kid-control feature.
so we want to get the kid-control feature fixed.

netbus · May 25, 2018, 9:45am

Now with 6.42.2 it looks a litte bit better but there is a problem with the dynamic Policies which are generated.
They are added to the bottom of the Filter Rules wich means, they never will get traffic.
Whereas for example Hotspot is adding his Policies to the top of the Filter Rules.
Please Mikrotik, get this fixed.

nichky · May 25, 2018, 11:25am

I found some strange i want to share with you.

I’ve got issues with limitations the traffic. Simple i can specify the time e.g. 15:00:00 17:00:00, and if i set up same on Time For Rate Limited: 15:00:00 17:00:00 it will no work. I have to set up like 15:00:00 15:00:00

Rate Limit=1M

Anyone can shere experience about that.

Thanks