Many of you have asked me for recommendations on a router (or mesh system) with "excellent Parental Controls." It's tricky because I don't use this feature. (And I'm a dad -- a pretty good one, mind you!)
If you know how things work, you'll note that even the best home networking Parental Controls feature is not as effective as you'd think. Also, some might even do more harm than good. I'll explain all that briefly in this post.
Parental Control vs. online protection
While these two sound like one, they are not. At least in what I mean within this post. So first, let's get on the same page.
(By the way, the terminologies used here are mine. They are not universal. You'll note that many vendors lump Parental Controls and online protection into one or put one as the subset of the other.)
Router online protection: Keeping everyone safe
Online protection generally applies to the case where you want to keep everyone safe. It's obvious stuff like phishing, ransomware, malware, or even misinformation, and so on. But you can add more -- like social media or pornography -- to the list.
It's the type of protection you want to apply to the entire home network. And that's the key. It's the protection or web-filtering mechanism for all. Once turned on, everyone within the network can avoid the content/parties in question.
This type of catch-all protection generally works well. The filtering and blocking use your WAN IP address as the base and apply locally to your Internet gatekeeper, the router, or a firewall device.
That said, you should always use online protection if that's available.
Many routers come with this feature. A good example is the Network Protection of Asus routers -- it's part of the free-for-life AiProtection suite.
Keep in mind that there's no complete protection, and you will need to let the party that protects you look at your traffic -- privacy risks implied.
In the end, you're always the last line of defense. But a router with built-in online protection sure helps.
But the point is that online protection is transparent, straightforward, and democratic. All network members are in it together, and therefore all local network devices share the same treatment. It's also effective since there's no exception.
Router Parental Controls: It relies on the MAC address -- questionable effectiveness
On the other hand, Parental Controls are complicated.
In this case, you want to let stuff in but keep it from select members of the family. It's the type of do-what-I-say-but-not-what-I-do kind of enforcement.
Here's the thing: Even if you can make that work technically and the moral high ground is well-justified, it can still be problematic.
The system doesn't know the difference between John and Jane as two individuals. It only knows the devices they use. So if you want to block John from something, Jane will also be affected if they share the same machine.
Think about it, how often do you need to borrow your kids' computers? That's not to mention the hurt feelings.
But most importantly, it doesn't always work.
That's right. The only way for a system to identify a device for Parental Controls purposes is via its MAC address, which is supposed to be unique -- and it's indeed unique.
However, you can change your device's MAC quite easily. Many smartphones randomize their MAC address by default. Also, most Wi-Fi extenders automatically assign a virtual MAC address to a connected device.
Pre-teen and older kids can probably figure out how to bypass web filtering after a few Google searches. Younger kids, who don't know how to use a search engine yet, won't do anything crazy online anyway.
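To see how much of a home network per-MAC rules actually cover, here is an added example (not part of the original post and not any vendor's code) that compares connected devices against the MACs that have a Parental Controls rule and flags locally administered addresses, the kind phones use when they randomize. The dnsmasq-style lease layout, the rule list, and all function names are assumptions; the sample data is constructed.

```python
import re

# Constructed sample, dnsmasq lease layout: expiry MAC IP hostname client-id
SAMPLE_LEASES = """\
1700000000 3c:22:fb:10:20:30 192.168.1.10 johns-laptop *
1700000100 da:a1:19:4b:7e:02 192.168.1.23 * *
1700000200 f6:5c:89:00:11:22 192.168.1.24 Pixel-7 *
1700000300 00:11:32:aa:bb:cc 192.168.1.5 nas *
"""
# Constructed rule list: MAC -> profile that has a Parental Controls rule
SAMPLE_RULES = {"3C-22-FB-10-20-30": "John", "a4:83:e7:01:02:03": "Jane"}

def normalize(mac):
    """Lowercase colon-separated MAC, or None if the string is malformed."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) == 6 and all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        return ":".join(parts)
    return None

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as randomized MACs have."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        mac = normalize(fields[1]) if len(fields) >= 4 else None
        if mac:
            yield mac, fields[2], fields[3]

def audit(lease_text, rules):
    """Sort connected devices by whether a per-MAC rule still applies to them."""
    rules = {normalize(m): who for m, who in rules.items() if normalize(m)}
    report = {"covered": [], "uncovered_random": [], "uncovered_fixed": []}
    seen = set()
    for mac, ip, host in parse_leases(lease_text):
        seen.add(mac)
        if mac in rules:
            report["covered"].append(mac)
        elif is_locally_administered(mac):
            report["uncovered_random"].append(mac)
        else:
            report["uncovered_fixed"].append(mac)
    # Rules whose MAC is not on the network: the device may now use another MAC
    report["stale_rules"] = sorted(m for m in rules if m not in seen)
    return report

if __name__ == "__main__":
    for group, macs in audit(SAMPLE_LEASES, SAMPLE_RULES).items():
        print(f"{group}: {', '.join(macs) or '-'}")
```

Devices listed under uncovered_random are the ones a per-MAC rule cannot reliably follow, which is where device-level controls or a network-wide filter do the work instead.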
The privacy issues
If you wonder why MAC spoofing is so prevalent and even endorsed by mobile vendors, that's because it has a lot to do with privacy. Give somebody your device's MAC address, and they can spy on you.
Your router gets all the MAC addresses of all connected devices at home, and they generally stay there. However, when you turn on a third-party Parental Controls feature -- like Circle, which is an add-on software of many Netgear routers -- all things break loose.
For a third-party service to work, it will also have to handle your network's DNS, which works as the directory of your Internet access. Effectively, you surrender the online traffic of your entire network or at least the device with the Parental Controls app to the vendor.
Again, that's the case with all online protection, web-filtering, and firewall services -- you can't have a bodyguard without having somebody accompanying or looking at you. There's no absolute privacy -- it's a matter of degrees.
After that, the software, again, uses the MAC address to apply the filtering. As a result, while the mobile app might look fancy and intuitive, its effectiveness is always hit or miss. But the privacy risks are a sure thing. The whole thing is not a very good trade.
Parental Controls: Picking the right hardware and approach
So using an umbrella Parental Controls solution for the entire home network is generally not a great idea. But that doesn't mean you should give up on parenting -- not that we ever can.
That said, strictly from the tech point of view, here are my recommendations on this front:
- Set up Parental Controls at the device level. Each device, a computer, media streamer, phone, etc., generally has this option. It's a bit more work but much more effective.
- Use the online protection feature on your router, if available, and block stuff that's bad for everyone. If the router has built-in Parental Controls, you can try that, too, but don't count on it.
- Refrain from using an online service that uses a mobile app and a login account. You'll pay a lot more for it than the monthly subscription. Most importantly, you can't count on it, either.
- Set up a family time when no one uses any device.
- Keep devices out of the bedrooms.
- Be a role model.
And with that, you know why I'm not big on router-based Parental Controls features. And I've worked with hundreds of networking devices.
The point is, don't use Parental Controls as a criterion in picking a router. You will end up with a Wi-Fi machine designed primarily to make money off of you and your privacy that only gives you the illusion of being in control or a good parent in return.
The takeaway
Online protection, Parental Controls, and parenting itself are about nuances and degrees. You can use a mix of what you think is most effective for your situation without going overboard.
Your kid is another human you're dealing with, not another device.
Instead, get a good router (or mesh system) with an excellent set of networking features, and then, if need be, add a firewall device on top of it. I'd recommend Firewalla Gold or Blue Plus. Neither requires a monthly subscription.
Hi Dong
I am using Synology Safe Access with very excellent results, simply I let my kids just use guest network and I applied the default web-filter so whatever the MAC address it will be under the default parental control scheme even for the schedule, other smart devices are using the regular network. I am using mesh of Synology.
👍
{…} The thing missing from most of these parental controls is what is sometimes called “homework time”, where only specified (whitelisted) websites are allowed during specific time periods. My kids do some of their schoolwork from home and I need this to keep them on track. They are teenagers, sometimes working at home alone, and the temptation to play during schoolwork time is too strong for them to overcome without my “help”. {…} So far, the only other router I have found that can do this is the Synology (using Safe Access) but they don’t call it “homework time” and I haven’t tried it. If ASUS, Netgear, TP-link or any of the other major players can do it, I haven’t found it yet. I’m still looking …
Generally, that’s called “schedules”, and it’s available in many routers. I don’t review this feature, however. Don’t look for the wording, but how things work.
Dong, thanks for the reply. They all can do schedules, only some can do multiple schedules per profile (user) AND limit access on a particular schedule to specified websites. For example, “Bedtime” (all WiFi off), “Homework” (WiFi on, but whitelisted sites only), etc. I know Parental Controls aren’t your thing, but you have a great web site here. Keep up the great work!
Wi-Fi scheduling is generally not part of Parental Control in most routers — it’s in the Wi-Fi section — but it’s the same thing.
Regarding this portion of the article:
“Online protection generally applies to the case where you want to keep everyone safe. It’s obvious stuff like phishing, ransomware, malware, or even misinformation, and so on. But you can add more — like social media or pornography — to the list.”
And ASUS RT-AXE7800 in particular… It seems that the AI protection is only for the malicious stuff, but to get to the site content based protection, it’s all done through the parental controls which is MAC address specific and has to be individually entered. Am I missing something? Is there a way to globally protect site content for the ASUS?
Thanks…
You’re correct. You can try the DNS route, much more effective. And it’s super easy with an Asus router.
I’ve been using NextDNS and am quite happy with it. I would have to go over 20 years to get an ROI vs the Firewalla Gold and then I would be capped at 1Gbps (I have a 2Gbps connection). Maybe the next version of the FWG will have 2.5Gbe ports for almost $500.
Dong,
Thanks for the article. Have you reviewed the parental controls offered by Gryphon? Currently, we are using {link removed} for DNS, parental controls on our router, and parental controls like Apple ScreenTime on each device.
No, I haven’t tested it, Jeff.
I must say Dong, your reviews of the Asus network offerings have really helped me to decide on a way forward in upgrading my home system. I just have one question in relation to creating an AiMesh system.
I currently have 2 XT8’s that are running great. I had initially struggled to get them working correctly until I found out that our paid for TV system over here in the UK – Sky Q, was creating a ‘mesh system’ to connect all 4 boxes around the house. This was causing drop outs and all manner of issues on our new Asus home wifi system. I have had to disable the wifi feature of the TV boxes and resort to ethernet. I need to add 2 additional nodes to my network and wanted to ask what the impact would be if I added 2 x CT8’s instead of the XT8’s?
Currently have 1 XT8 router on top floor with 1 gig fibre coming in, one on ground floor and speeds are excellent. The 2 TV’s I need to ethernet in are in the middle floor and I’d thought of using CT8’s to save a few bucks, but would this impact negatively my network overall – would it be worth paying the extra to get XT8’s? We currently have approx 6 wifi6 devices in the house.
thanks in advance Dong
Kind regards
Jon
You need another XT8 box, Jon. Mixing the two standards will create all sorts of unexpected issues. More in this post.
Dong,
You always nail the “elephant in the room” nail right on the head. I love my Asus routers but i bought them due to features / performance. Of course, i also really wanted / hoped it would be good enough for parental controls, basic firewall protection, and maybe even limited AV. However, that has not been the case. In my research, only the Gryphon router even attempts to enter the battle arena and properly tackle the parental control / firewall Kraken by injecting software on to all connected devices and thereby possibly doing a decent job at family filtering. (At least in theory, i haven’t played with a Gryphon router to actually know – and am not sure if it would work in conjunction with my existing Asus routers, which i don’t want to part with).
However, the Gryphon router doesn’t offer any of the powerful Asus GT-AC5000 gaming router features i so enjoy anyway:
8 gigabit LAN ports (should be 8x 2.5GbE ports, but oh well – i can buy an Asus 10GbE switch someday i guess)
dual Link Aggregate (LAG – more like “anti”lag) ports for my Asustor NAS to connect to
dual WAN ports for fail-over or increased speed (like a double barrel shotgun! – not)
dual-link gaming ports
acceptable GUI / web interface for VPN control, whitelist by MAC filtering, etc. etc.
third party firmware (Merlin) support (oh wait, except, not on this Asus model – due to hardware encryption – DOH! …should have bought the AX86u, for same $250, and then added a $300 Asus 10GbE switch)
I was so excited about the recently released Asus remote VPN feature (Asus Instant Guard) where you can connect any Android device back to your home router and protect yourself while using either public WiFi hot-spots or 4G Data (or 5G Data of GHz death if you’re lucky enough to nuke yourself with one of those microwave-oven antennas). Here’s a link highlighting its features: https://www.asus.com/content/Instant-Guard/
..however, any device that uses it gets 0% of Trend Micro’s protection via Firewall or Parental Controls. So it’s a hit…and then a miss, for this add-on feature, but it’s free and better than nothing i guess.
Again, moot point considering what you are pointing out as obvious: you just can’t beat a dedicated device, like a firewall, for doing the better job at security since none of the router companies do a good job – which is probably because they don’t build and sell firewalls so they don’t really know anything about high-level security. If i had a good firewall (subscription free is ideal) then using something like the Asus Instant Guard would be a lot more appealing for sure.
My question to you is: would the Ubiquiti Unifi Security Gateway (USG) for $120 be decent enough for the average family or is the Firewalla Gold for $420 really the only serious contender if a person really wants to adequately protect and shield their family. I never block anything except for the adult category, but would love to find one that also blocks horror, satanic (guess that would, by default, include all politicians), gore (especially Al Gore), torture, and other serial-killer training material. However, i’ve never seen a firewall that does that – so our military family either has to block all guns / violence along with the horror genre; or just leave violence off on any parental controls or firewalls (yeah, it’s a conspiracy i’m sure 😉
Also, please consider doing a review of what i consider to be next-level / next gen security of what is arguably the only truly impressive VPN, except TOR, but still hopefully as fast as a subscription VPN service. It’s known as dVPN and that small d in the front might make all the difference, but i would like to read a review from a tech savvy user who loves all things hardware and uses them from a uber geeky consumer perspective instead of from an enterprise-user’s take on it: https://mysterium.network/
God bless, and thanks again for all of your hard work for us common folk!
Sure, Sam. I’ll keep your suggestions in mind. 🙂