Asus, when are you fixing parental control !!!

[masseth]

Missmatch/bug found in Parental Control code.

Hi!
Here is a case and workaround for when parental control is malfunctioning. I’m running a Asus RT-AC66U with
Asuswrt-Merlin - build 3.0.0.4.374.34_2 (30-Oct-2013). I’ve had my Asus for a month now and tried the factory firmware and the two latest Merlin builds.

The Parental Control always works fine for one device. But if several devices are used and one of them is denied access all the time then there are problems.
I did some code review on pc.c and www/fullcalendar.js. And did some tests and found that the following nvram variables are important:

MULTIFILTER_MAC=xx:xx:xx:xx:xx:xx>yy:yy:yy:yy:yy:yy>zz:zz:zz:zz:zz:zz
MULTIFILTER_MACFILTER_DAYTIME=NoTitle<000102>NoTitle<000102>NoTitle<002021<NoTitle<112021<NoTitle<222021<NoTitle<332021<NoTitle<442021<NoTitle<552021<NoTitle<662021
MULTIFILTER_DEVICENAME=device1>device2>device3
MULTIFILTER_ENABLE=1>1>1

The implementation of pc.c relies completely on that the above nvram variables/lists are sorted in the same way. Position 1 in all lists should always be referring to device1/xx:xx..., position 2 to device2/yy:yy... and so on. All entries related to a specific device are separated with > (ascii 62). Individual daytime rules for the same device are separated with < (ascii 60) if more than one rule is defined.

E.g.: xx:xx:xx:xx:xx:xx has the first position in MULTIFILTER_MAC. The filter for that MAC is enabled since the first entry in MULTIFILTER_ENABLE equals 1 (enabled). And the time rule for that MAC is the first entry "NoTitle<000102” meaning MAC xx is allowed day 00, start at hour 01, ends at hour 02. All other times it is denied access.

One problem with the current implementation is that when a device is denied the whole week 24/7, which is the default setting in the GUI, it doesn’t get an entry in the MULTIFILTER_MACFILTER_DAYTIME at all, not even an empty entry. Then the number of entries will not match with the other lists. pc.c will index itself wrong in the lists from the first missing daytime rule, the missing MAC will get the daytime rule for the next MAC and so on. I.e. all devices after the missing device will get wrong daytime rules.

Workaround: always have at least one one-hour ”allow” entry for all devices that shall be controlled by parental control, then it will work.

It would be good if Asus could fix this. But I don't know how to reach them. The fix should probably be done in www/fullcalendar.js which seems to build the MULTIFILTER_MACFILTER_DAYTIME list. I think it should always insert an empty daytime rule for all devices that otherwise should be missing.

Testcase, use 2 devices:
Action 1:
MAC1: xx:xx:xx:xx:xx:xx, deny all the time, 24/7.
MAC2: yy:yy:yy:yy:yy:yy allow all the time.
Apply the rules from the GUI.

Unwanted result: MAC1 will be allowed all the time, and MAC2 will be denied all the time!
Resulting rules can be viewed in /tmp/filter_rules on the asus.

/masseth

 

[Monford]

You can always use some third-party software, like NetNanny, PCWebControl or PCPandora. All of them have plenty of options and are easy to setup.

 

[bkttk2]

Was a confirmed fix for this issue ever found.

Like others that have posted I am not wanting or trying to limit site access but I would like to restrict time access.

Mainly want to keep them off when they should be sleeping. One of my kids occasionally has problems sleeping so wakes up early. She gets bored and many times will logon. No issues with the net surfing more the time.

Would prefer she read or at least try to rest/get some sleep instead of logging on at 3am

 

[RMerlin]

Was a confirmed fix for this issue ever found.

The issue originally reported in this thread was fixed months ago.

 

[bkttk2]

Thanks for the reply. I read thru the thread but was unable to determine the final outcome.

I am using latest Merlin firmware on my RT-N66U, but seem to be having the issue identified. I am just wanting to restrict access by certain wireless devices during set times.

No matter what I try it does not appear to work successfully.

Is there a different thread you might suggest or option I might be overlooking in settings?

Regardless of outcome I want to say thanks for your firmware. I have been using Asus-Merlin since I learned about it (approx 1 month after I obtained my router last fall).

 

[RMerlin]

Thanks for the reply. I read thru the thread but was unable to determine the final outcome.

I am using latest Merlin firmware on my RT-N66U, but seem to be having the issue identified. I am just wanting to restrict access by certain wireless devices during set times.

No matter what I try it does not appear to work successfully.

Is there a different thread you might suggest or option I might be overlooking in settings?

Regardless of outcome I want to say thanks for your firmware. I have been using Asus-Merlin since I learned about it (approx 1 month after I obtained my router last fall).

Double check the MAC address of the devices - some devices aren't always clearly labeled. The correct MAC should be visible on the router's System log -> DHCP page.

Also note that Parental Control sometimes has trouble terminating connections that were already established before the cutoff time happens, but it should still succeed in preventing new connections from being established.

 

[lbradio]

For what it's worth I am using parental control to disable our daughters wireless internet access at 10 - 11 pm, depending on the night, and re-enable it the next morning at 8 a.m.

It works perfectly.

Hi,
I really hope your daughters are not following this forum
Parental control (time managent) is working perfect for me. Even open connections are closed.
Force DNS to Opendns (drop udp53).

However, my son discovered a way to receive and send Whatsapp messages with disabled access in a very simple way.

Just turn off wifi on the smartphone, and enable it. 30 seconds of free internet . Enough to send and receive messages.
And yes, I AM the boss in the house, and took his phone for a while. But should it be this simple to override a time lock?

http://forums.smallnetbuilder.com/showthread.php?t=17337

 

[bkttk2]

Merlin,

I will look into your suggestions and see what I can figure out.

I believe the issue is as you described. If device is connected prior to the timelock it remains connected.

I think I saw a post, somewhere out there, discussing a script that could be loaded to reboot at a specific time. Think thread indicated the reboot would clear the connections thus enforcing the time lock.

Unfortunatly I am unable to locate the thread again to determing how to maybe incorporate said script.

Edit: Found the Read Me files and figured out the reboot option. Thanks.

 

[Dan Miller]

An idea for an "improved" version... Maybe for Merlin?

I have been following this thread for as long as it has been out. I have been searching far and wide for what seems to me to be a very simple idea. I don't want to schedule my kids' screen time. I want to limit the total. That's all.
Daughter 1 has three devices, phone, tablet, chromebook. Daughter 2 has two devices. I want to limit their access to x amount of hours per week. They can "earn" more hours doing chores, volunteering time to worthy causes or otherwise exhibiting good kid behaviors. Conversely I want to be able to take hours away if I need to. It will be up to them how they use the total. If they want to waste a day and use it all up in one day, so be it. They pay the price the other six.

So what it comes down to (in my non-coding simplistic view of things) is two additions:

1. Being able to "group" mac addresses so that they are treated as one.
2. Working within the existing scheduler (I still have all of their gadgets off at 10:00 PM and on again at 8:00 AM), one new column for a numerical input that says, "limit total time to:"

If anyone knows of ANY way to do this at the router level or even with a separate proxy (I have a bunch of old PCs laying around), I'm all ears. But NetNanny and all of the software programs can't deal with the phone/tablet/nook/etc... world.

 

[RMerlin]

I have been following this thread for as long as it has been out. I have been searching far and wide for what seems to me to be a very simple idea. I don't want to schedule my kids' screen time. I want to limit the total. That's all.
Daughter 1 has three devices, phone, tablet, chromebook. Daughter 2 has two devices. I want to limit their access to x amount of hours per week. They can "earn" more hours doing chores, volunteering time to worthy causes or otherwise exhibiting good kid behaviors. Conversely I want to be able to take hours away if I need to. It will be up to them how they use the total. If they want to waste a day and use it all up in one day, so be it. They pay the price the other six.

So what it comes down to (in my non-coding simplistic view of things) is two additions:

1. Being able to "group" mac addresses so that they are treated as one.
2. Working within the existing scheduler (I still have all of their gadgets off at 10:00 PM and on again at 8:00 AM), one new column for a numerical input that says, "limit total time to:"

If anyone knows of ANY way to do this at the router level or even with a separate proxy (I have a bunch of old PCs laying around), I'm all ears. But NetNanny and all of the software programs can't deal with the phone/tablet/nook/etc... world.

Take a look at the Guest Network support - it has the capacity of limiting one's time on it.

 

[DrTeeth]

@ Dan

How will you limit their data use from those devices that are data enabled?