Welcome.
It's good you think about reasonable usage of internet by your kids.
What you want is good! Unfortunately ROS is not giving you a simple way to do this.
But it offers a couple of different tools which can achieve almost what you want. Maybe even more (at least you will learn routing and have a lot of fun...)
I will try to give you some hints how to do this in a "relative" good way.
Kid Control:
Good : Easy to limit specific times and time periods which can be different per day.
(allows also to add "rate limit", means when they watch Youtube (bahhh) they don't steal all your bandwidth...)
Bad: It creates dynamic Drop/Accept rules at the beginning of the firewall.
This means you can not do anything else with firewall on those clients... (see my "workaround" later on).
In addition, kids need to do a connection test to see if they are allowed to "internet" or not (like open a web page and enter an address).
It is not that much of a problem; kids learn fast. But once kids are used to this, whenever they can't connect or a web page is not loading, they come to you and think internet time is exceeded.
--> I found kid control is quite good for older kids, or these days under COVID lockdown, when they do all-day school work online.
Once that is finished I will go back to my other method...
Wireless / Access List:
Good: Allows access or not on specific times to Wifi (this is physical refusal, so kids see they can get on "WIFI" or not...)
For kids, they try to access say "Kids-Wifi" and they can't. They easily understand that it's time to do something else...
Bad: You can only set the same time and choose which day of the week this applies.
Workaround: You can do several Access List entries per device, but it becomes quickly cumbersome to manage that.
Hotspot package
Good: Allows access as you want per user base with data limit, daily time limit etc. This can be a good solution if kids share a device
with parents. You have a code and password and your kids could have a different one...
Bad: Needs special package = competence how to manage users, etc. It's not too complex but might be a bit "too much" for a beginner.
I only tried it for some basic tests. The main issue I had is that the kids needed to "login" each day (user name + password).
And it also only allows to set a "duration" like 4h! I did not want my kids to stay 4h in a row connected.
I played around with above tools... and what I wanted is something that none of above gave me:
- I wanted kids to not connect early morning or late evening (simply done with Wifi/Access list)
- I did not want kids to spend too much time in a row on internet; after say 30 minutes the connection closes (this is done via firewall)
- I also wanted to make sure that once internet time is over, they do something else (and not just ask "daddy I want more"). So the system had to block them for some time (I chose 30 minutes) before they could connect again (again done via firewall)
I noticed that when kids had no internet and knew they would not go online again in 5-10 minutes they start to do other things and forget about it...
Below will need some learning on firewall rules, but it's a great way to learn this. Don't hesitate to ask questions.
How to implement above
Limit hours when internet is available
Use Wireless Access list for the phone of the kids, I assume you get this done easily.
Limit the time your kid spends in a row on the internet
Here you can use firewall. I do have DHCP Static leases defined for each device, which allows to know the IP address of each device...
/firewall filter
add action=accept chain=forward comment=\
"Kids: Accept if still in time limit : UL traffic" connection-state=\
established,related,new in-interface=Bridge_kids out-interface-list=\
WAN src-address-list=kids_Internet_ok
add action=accept chain=forward comment=\
"Kids: Accept if still in time limit : DL traffic" connection-state=\
established,related dst-address=kids-ip-address/24 dst-address-list=\
kids_Internet_ok in-interface-list=WAN \
out-interface=Bridge_kids
add action=drop chain=forward comment="Kids: Refuse as time limited exceed AND until again allowed (no more in overtime list) " \
in-interface=Bridge_kids src-address-list=\
kids_Internet_overtime
add action=add-src-to-address-list address-list=kids_Internet_ok \
address-list-timeout=35m chain=forward comment=\
"kids: add to allowed list" connection-state=\
established,related,new in-interface=Bridge_kids src-address=!0.0.0.0 \
src-address-list=kids_Mobile time=15h30m-19h,mon,tue,wed,thu,fri
add action=add-src-to-address-list address-list=kids_Internet_overtime \
address-list-timeout=59m chain=forward comment=\
"kids: add to forbidden list" connection-state=established,related,new \
in-interface=Bridge_kids src-address=!0.0.0.0
The first two rules allow UL and DL traffic for those IP addresses that are in the "kids-internet-ok" address list.
The rule afterwards does the following: this rule is only hit once the IP address has been purged automatically after 35 minutes from the address list.
While the address is still in the "kids-internet-overtime" list their traffic is thus blocked. That address list is also purged after 59 minutes.
That means 59 minutes after the kid connected the first time, it can connect again (and stay online for 35 minutes). Then it has to wait for 59-35 = 24 minutes to go online again.
This is done in the last two rules, which add the IP address to the two lists: kids-internet-ok and kids-internet-overtime.
It has been the best way I found to limit the usage. You can change the values as you want and do it for each IP individually or for a group of addresses.
I found that the fact kids know it is over, they do other things... and learn to live with the limitation that internet is not the whole day...
Hope this can help. Maybe not exactly what you want to do but it limits internet usage quite well, which is the final goal.
PS: Once you know how firewall works, you will be able to add rules for web pages like Wikipedia, etc., something
your kids might need to use for real school work and which you can exclude from the internet blocking
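
The timing described in the post, as an added example that is not part of the original post: a small Python model of the upload-side rules (1, 3, 4 and 5) and their address-list timeouts, fed one packet per minute so the 35-minute/24-minute cycle becomes visible. Assumptions: the weekday part of the `time=` matcher and connection-state matching are left out, the 192.0.2.x addresses are constructed, and a packet that passes all shown rules is labelled "fallthrough" because its fate depends on rules the post does not show.

```python
# Model of the forward-chain rules from the post (added example, not the author's code).
# Time is in minutes since midnight; dynamic address lists map ip -> expiry minute.
OK_TIMEOUT, OVERTIME_TIMEOUT = 35, 59        # address-list-timeout values from the post
WINDOW = (15 * 60 + 30, 19 * 60)             # time=15h30m-19h (weekday check omitted)

class KidsFirewall:
    def __init__(self, kids_mobile):
        self.kids_mobile = set(kids_mobile)  # static kids_Mobile list
        self.ok, self.overtime = {}, {}      # kids_Internet_ok / kids_Internet_overtime

    def _in(self, lst, ip, now):
        # A dynamic entry disappears once its timeout has elapsed.
        if ip in lst and lst[ip] <= now:
            del lst[ip]
        return ip in lst

    def upload(self, ip, now):
        """Verdict for one packet from Bridge_kids towards WAN at minute `now`."""
        if self._in(self.ok, ip, now):           # rule 1: accept while allowed
            return "accept"
        if self._in(self.overtime, ip, now):     # rule 3: drop while cooling down
            return "drop"
        # Rules 4 and 5 only add list entries; the packet continues to later rules.
        if ip in self.kids_mobile and WINDOW[0] <= now < WINDOW[1]:
            self.ok[ip] = now + OK_TIMEOUT       # rule 4
        self.overtime[ip] = now + OVERTIME_TIMEOUT   # rule 5
        return "fallthrough"

def timeline(fw, ip, start, minutes):
    """Send one packet per minute and return the list of verdicts."""
    return [fw.upload(ip, start + m) for m in range(minutes)]

def summarize(verdicts):
    """Collapse consecutive identical verdicts into (verdict, count) runs."""
    runs = []
    for v in verdicts:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return [tuple(r) for r in runs]

if __name__ == "__main__":
    fw = KidsFirewall(["192.0.2.10"])            # constructed sample address
    print(summarize(timeline(fw, "192.0.2.10", 16 * 60, 120)))   # device in kids_Mobile
    print(summarize(timeline(fw, "192.0.2.99", 16 * 60, 120)))   # device not in kids_Mobile
```

In this model a source on Bridge_kids that is not in kids_Mobile, or that sends outside the time window, only ever lands in the overtime list, so just one packet every 59 minutes reaches the later rules.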