Granting/Denying access to wifi using a switch

I don’t know where to put/ask this and possibly it’s not possible anyway but here’s what I want to do (I have a Fritz-Box-router):
Have a oh-switch that grants/denies a specific Computer/Smartphone access to our wifi (background: one of my kids spends too much online time and apart from the general kids settings like 3h/day, I’d like to give/take additional access just by switching a button).

I don’t think that this can be done but maybe one of you proves me wrong? :wink: Maybe with an additional piece of hardware?
I guess I’m not the only one interested in something like that.

First a disclaimer:

I am not familiar with Fritz-Box or its capabilities but I am a wireless Wi-Fi engineer.

You likely have your wireless network set up using a pre-shared key. That means the Wi-Fi network has no way of identifying one user from another. In order to be able to do what you want, there needs to be a way for the router to identify one user from another. That would be a starting point, I wpuld assume.

EDIT: You might be able to do something with parental controls that identifies at the device level.

1 Like

I have to deal with a similar problem and found a solution for older phones that are passed down to kids using Family Link. While it is a battle to get it setup on a phone (last one being LineageOS 16 or 17 on a Oneplus would not register withing nothing more generic then a basic failed. However once you manage to get something registered you can assign time on 15 min increments; and when the time limit is reached it locks down the entire screen. You can also limit times on a per app level, useful if they use the device for something like Khan Academy.

For iOS devices you can leverage Screen time (I think its called) and limit app usage; however it seems to only allow 15min/60min/all day to provide more time to the app if you wanted to provide more time using an app unless you change the limits in Screen time. While it has uses, controlling overall screen time requires more ‘admin’ time then I enjoy but that is opinion and am not a power user for Apple devices.

Now thats all fine and dandy, but what about laptops?
Last year in the early days of lock down I started working on a VM for pfsense, more of a bucket list task, however learned you can install FreeRADIUS and tie that into the captive portal technology. After learning how to whitelist certain things (like mobile devices as you can’t provide more time if devices can’t phone home to poll for the status change) there is a laptop that is used for YouTube time and a hard limit of 30 mins per young user. Again not something that is easy to change, but does provide an enforcement to limit network activity.
On top of this, I also wrote a quick hack using Ansible to insert a DNS block on youtube.com on pi-hole and a virtual switch in OH to blacklist it at a certain time and remove it when adult supervision is around.

1 Like

Which Fritz Box do you own ?
You know how to manually configure it in your Fritz Box e.g. Internetnutzung mit Kindersicherung einschränken | FRITZ!Box 7590 | AVM Deutschland ?
In case this can be configured via TR064 you may have a look at that binding.
In case that does not work you may use somthing like web scraping. This means you need to write a script to emulate a browser. As you ‘just’ asked to switch on/off the users access this could mean to switch between two profiles which means switching a drop down menu.
In case you don’t get it working by using a bare scripting / programming lanuguage have a look at selenium which is available for different programming languages. This uses a browser that is remote controlled by e.g. python script. Selenium works with different ( headless ) browsers.
In the company I am working for I am using selenium to get content from the ticket system as I do not have access via an API.

1 Like

Thank you for your ideas!
I own a Fritzbox 7490 and am familiar with its “child-settings” which enable specific time slots and internet-time on a device level. And I use them. The idea was to find a way to simply override that, e.g. when he needs some additional time to google something for school. ATM I either have to deactivate the “protection” in Fritzbox and then reactivate it again or give him a separate device for that purpose. Neither is very attractive …
I’d hoped there might be a way to change that without too much work or specific IT/Network-knowledge. By reading your ideas I get the impression that the job is not so simple, especially without major network/programming knowledge …
Due to a lack of expertise I’ll probably stick to the status quo for a while… Maybe there’ll be a Fritzbox function in a future update …

In case the child’s devices use the guest lan you can use TR064 binding to switch on/off guest LAN.

1 Like

Pretty good idea (if the child settings are still available in the guest network, I’ll check)!
I’ll just delete his current Wifi-settings, connect with the guest-network and hope he won’t notice (because he knows the wifi-password and could switch back to that) …

The network binding could be useful in this case by monitoring for the device’s original IP if he switches back and the switch flips to ON send notification to you (also assumes you set a static DHCP lease on the device). Word of caution, the network binding with arping does not cross subnets, so unless OH sits in both subnets you will be limited to the subnet OH sits in.

1 Like

I don’t know if you use a MAC address filter to only known devices into your network.
If that is the case you can remove the MAC address of your child’s computer/device.
According to WLAN-Zugang auf bekannte Geräte beschränken (MAC-Adressfilter) | FRITZ!Box 7590 | AVM Deutschland guest lan does not use MAC address filter. Thus that should continue to work.

1 Like