Hi to All,

I am trying to control the time my children spend on internet but I am facing some problems (since I am a newbee).
The project has as below:
I have two children and I want to set time limitation. For duration 2 or 4 hours) and for schedule (from 10:00 to 22:00).
As for schedule I have achieved it. I set schedule per day in "Kid Control"
The problem is that I want my older child to spend 4 hours per day on onternet (maximum duration) and for my younger 2 hours per day between 10:00 - 22:00 (this is the schedule I set in "Kid Control").
Do you have any idea how can set this combination of limitation ?
May it is a silly question for you but is hard enough for me. I made a search in forum but I couldn't find something relevant.

Any help is welcome.
Thanks

Welcome.
It's good you think about reasonable usage of internet by your kids.
What you want is good! Unfortunately ROS is not giving you simple way to do this.
But it offers a couple of different tools which can achieve almost what you want. Maybe even more (at least you will learn routing and have lot of fun...)

I will try to give you some hints how to do this in a "relative" good way.

Kid Control:
Good : Easy to limit specific times and time periods which can be different per day.
(allows also to add "rate limit", means when they watch Youtube (bahhh) they don't steel you all bandwidth...)
Bad: It creates dynamic Drop/Accept rules at beginnig of firewall.
This means you can not do anything else with firewall on those clients... (see my "workaround" later on).
In addition, kids need to do connection test to see if they are allowed to "internet" or not (like open a web page and enter an address)
it is not that much of a problem, kids learn fast. But once kids are used to this, whenever they can't connect, a web page not loading,
they come to you and think internet time is exceeded
--> I found kid control is quit good for older kids, or these days under COVID lock down, when they do allday school work online.
Once that is finished I will go back to my other method...

Wireless / Access List:
Good: Allows access or not on specific times to Wifi (this is physical refusal, so kids see they can get on "WIFI" or not...)
For kids, they try to access say "Kids-Wifi" and they can't. They easily understand that its time to do something else...
Bad: You can only set the same time and choose which day of the week this applies.
Workaround: You can do several Access List entries per device, but it becomes quickly cumbersome to manage that.

Hotspot package
Good: Allows access as you want per user base with data limit, daily time limit etc. This can be a good solution if kids share a device
with parents. You have a code and password and your kids could have a different one...
Bad: Needs special package = competence how to manage users, etc. Its not too complex but might be a bit "too much" for a beginner.
I only tried it for some basic tests. The main issue I had is that the kids needed to "login" each day (user name + password).
And it also only allows to set a "duration" like 4h! I did not want my kids to stay 4h in a row connected.

I played around with above tools... and what I wanted is something that none of above gave me:

• I wanted kids to not connect early morning or late evening (simply done with Wifi/Access list)

• I did not want kids to spent to much time in a row on internet; After say 30 minutes connection closes (this is done via firewall)
  I also wanted to make sure once internet time over, they do something else (and not just ask "daddy I want more"). So the system had to block them for some time (I choose 30 minutes) before they could again connect (again done via firewall)

I noticed that when kids had no internet and knew they would not go online again in 5-10 minutes they start to do other things and forget about it...

Below will need some learning on firewall rules, but its great way to learn this. Don't hesitate to ask questions.

How to implement above
Limit hours when internet is available Use Wireless Access list for the phone of the kids, I assume you get this done easily.
Limit the time your kid spent in a row on the internet
Here you can use firewall. I do have DHCP Static leases defined for each device, which allows to know the IP address of each device... The first two rules allow UL and DL traffic for those IP addresses that are in the "kids-internet-ok" address list
The rule afterwards does following: This rule is only hit once the IP address has been purged automatically after 35minutes from the address list.
While the address is still in the "kids-internet-overtime" list their traffic is thus blocked. That address list is also purged after 59 minutes.
That means 59 minutes after kid connected first time, it can again connect (and stay online for 35 minutes). then has to wait for 59-35 = 24 minutes to go online again.
This is done in the last two rules, which add the IP address to the two lists: kids-internet-ok and kids-internet-overtime.

It has been the best way I found to limit the usage. You can change the values as you want and do it for each IP individually or for a group of addresses.
I found that the fact kids know it is over, they do other things... and learn to live with the limitation that internet is not the whole day...

Hope this can help. Maybe not exactly what you want to do but it limits internet usage quit well, which is the final goal.

PS: Once you know how firewall works, you will be able to add rules for web pages like wikipedia. etc. something
your kids might need to use for real school work and which you can exclude form the internet blocking

Hi WeWiNet

I really thank you for your detailed information shared with me. I agree that children want to have a standard margin to "play". This make them feel secure and safe. I will try your suggestion even if is needed a lot of read from my side. I think that is an opportunity to learn something more.

Hi WeWinet, I looked into your filter rules and have a question:
#2 "dst-address=kids-ip-address/24 dst-address-list=Kids_Internet_ok"
#4 src-address=!0.0.0.0 src-address-list=kids_Mobile

under#2 , Is it necessary to have "kids-ip-address/24" while you have "dst-address-list=kids_internet_okay" ?

under #4, is "kids_mobile" the address list for the kids' devices ? also, why you specify "src-address=!0.0.0.0" ?

Thank you !

under#2 , Is it necessary to have "kids-ip-address/24" while you have "dst-address-list=kids_internet_okay" ?

under #4, is "kids_mobile" the address list for the kids' devices ? also, why you specify "src-address=!0.0.0.0" ?

Thank you !

Indeed in #2 might not be needed to have both, but I preferred it that way
For #4: kids-mobile is an address list I create for the various mobile devices kids have. You could use an individual IP address if you do not want to create
an address list. (I started with individual IP/24 and then as more kids had mobile phones I migrated to an address list pool. Throughout my rules this might not have been
done consequently and sometimes you see still individual IP/24.
If you do not exclude 0.0.0.0 it will somehow end up as well being blocked, which is broadcast traffic.

Hi Weweinet, thank you so much for the quick reply. It helps a lot ! I tried the above. Kids device IP successfully added to the internet_ok and internet_overtime address list. But it seems once the kids device IP address has been purged from the "overtime" address list, it starts over again (both okay address list and overtime address list), no matter if the kids device is connected or not. Any opinion on that ?