openHAB and openWRT for parental control of internet access

Having set up openWRT to disconnect the wifi network when everyone is asleep and also to disconnect the kids from the internet at set hours, it was a natural step to setup openHAB to actually have buttons to turn and turn off internet access for each of our kids devices.

This proves valuable as a ‘removal of internet privileges’ tool or at dinner time when no-one appears as they are chatting on line. Tun off the internet and everyone emerges…

With openHAB and openWRT my wife and I both have buttons on our iPhones to enable and disable internet access for each device in the house.

Every parent we have shown this to loves it so I thought it would be worth to share the setup.


  1. Add a rule to the firewall in /etc/config/firewall
config rule
        option src 'lan'
        option dest 'wan'
        option src_mac 'XX:XX:XX:XX:XX:XX'
        option target 'ACCEPT'
  1. restart the firewall using
/etc/init.d/firewall stop
/etc/init.d/firewall start
  1. use iptables -L to examine the number of the rule you have just added. You’ll need to do the same with ip6tables -L for ipv6 firewall too.

You’ll find lines like these:

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             ID: /* user chain for forwarding */
zone_wan_dest_ACCEPT  tcp  --  anywhere             anywhere             MAC XX:XX:XX:XX:XX:XX 
zone_wan_dest_ACCEPT  udp  --  anywhere             anywhere             MAC XX:XX:XX:XX:XX:XX

This means that lines 2 and 3 are the new rules we’ve added to the chain zone_lan_forward

Now create a shell script on the openWRT which looks something like this:

# Script to close firewall
/usr/sbin/iptables -R zone_lan_forward 2 -p tcp -m mac --mac-source  XX:XX:XX:XX:XX -j zone_wan_dest_REJECT
/usr/sbin/iptables -R zone_lan_forward 3 -p udp -m mac --mac-source  XX:XX:XX:XX:XX -j zone_wan_dest_REJECT
/usr/sbin/ip6tables -R zone_lan_forward 2 -p tcp -m mac --mac-source  XX:XX:XX:XX:XX -j zone_wan_dest_REJECT
/usr/sbin/ip6tables -R zone_lan_forward 3 -p udp -m mac --mac-source  XX:XX:XX:XX:XX -j zone_wan_dest_REJECT
date >> /etc/config/mylog
echo "Closed One" >> /etc/config/mylog

That script will change rules 2 and 3 from ACCEPT to REJECT and the device with MAC address XX:XX:XX:XX:XX will no longer have internet access.

Create an identical script with REJECT replaced by ACCEPT.

My scripts are called and and placed in /etc/config - you’ll need this in a while

chmod the scripts to enable them to be executed.

It’s worth to test that you can enable and disable the internet for the device by running these scripts on the openWRT box.


The next part of the configuration is on the openHAB device.

On this device there is another script which will be executed when we slide the slider in the openHAB interface:

/usr/bin/ssh root@ "cd /etc/config; id;  pwd; /etc/config/"
echo "Open One" >> /opt/openhab/test.dat
date >> /opt/openhab/test.dat

You’ll need to set up secure shell (ssh) access from the openHAB device to the openWRT device and I leave that as an exercise for the reader.

In openHAB I have set up a series of switches, one for each device and also one for the wifi in general:

Group:Switch:OR(ON, OFF)        Internet "All Internets [(%d)]"

/* Internet */
Switch Internet_One "Dave's iPod" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Internet_Two "Bill's Surface" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Internet_Three "Tom's iPhone " <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Internet_Four "Jamie's iPhone" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Internet_Five "Bert's Laptop" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Internet_Six "Fred's iPad" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}
Switch Wifi "Wifi" <network> (Internet) {exec="ON:/opt/openhab/,OFF:/opt/openhab/"}

Then in the sitemap I’ve just added a frame:

 Frame {
           Group item=Internet label="Internet" icon="computer"

I’ve also set up rules to turn all the devices off at bedtime and on again in the morning:

rule "Turn On Internet"
        Time cron "0 30 6 * * ?" or
        System started

There are still some improvements, for example, remembering the state if the router reboots.

The nice feature is that it works remotely too.

And that’s about it.