🛒
Many of you have asked me for recommendations on a Wi-Fi router (or mesh system) with “excellent Parental Control.” This is tricky because I don’t use this feature—and I’m a dad of three.
If you pay attention, you’ll note that even the best Parental Control feature is not as effective as you’d like. What you might not be aware of is that it may often do more harm than good.
I’ll explain what the Parental Control feature is in simple terms below, but right off the bat, you shouldn’t use this feature as a barometer to judge a home Wi-Fi router.
What is Parental Control, and how does it work?
As far as home networking is concerned, Parental Control is a feature where the admin user (the parent) of a router can dictate what a user (a child) within a network can or cannot do online.
How does this happen exactly?
The job of a home router is to let the network traffic pass through—among other things, that’s how we can access the Internet. As such, it can also have a certain level of in-depth traffic management. Specifically, it can scrutinize the information flow and manipulate certain types of data in specific ways.
You can think of the home router as an airport security checkpoint before the boarding gates. In this case, the TSA officers are the programming designed to handle certain types of “traffic” accordingly.
The “Control” portion refers to programming the router’s firmware or third-party software to block or redirect certain types of traffic that meet pre-determined criteria. If you choose to apply the restriction to the criteria deemed to be “harmful” to your children, then that’s the “Parental” portion.
So, Parental Control is just the name for a specific type of action within the encompassing traffic management function. The term is used mainly for marketing purposes—it’s a “packaged” portion of a much larger function of a router similar to the Guest Wi-Fi network, which is a small part of VLAN.
Many routers—all business- and enterprise-grade hardware, in fact—don’t use this term for their in-depth and advanced traffic management. The need to handle the traffic goes far beyond parenting. For example, in a network, keeping devices safe from online threats and directing the flow efficiently are ubiquitously essential, whether or not there are parents or children involved.
And that brings us to another term you often hear when getting a home router: Online Protection (or Online Security).
Online Protection vs. Parental Control and Your Privacy
While Online Protection and Parental Control sound like one, they are not, at least in what I mean within this post. But the two indeed share the same root: both are part of traffic management.
In order to manage the traffic, the router—or any party handling the function—needs to look closely at the information being moved, including but not limited to what it entails, where it comes from, who uses it, where it’s going to, etc.
At the airport, TSA officers examine everyone’s stuff and their body using an X-ray machine and can scrutinize a particular person even more if necessary.
As a result, in a home router, turning on this type of traffic-related feature means you’ll likely need to surrender your privacy to a third party. We’ll talk more about privacy in a bit, but first, let’s see how Online Protection differs from Parental Control.
Router Online Protection: Keeping everyone safe
Online Protection generally applies to situations where you want to keep everyone safe from apparent threats like phishing, ransomware, malware, hacking, misinformation, and so on.
It’s the type of security you want to apply to the entire network. It’s the web-filtering mechanism for all. Once turned on, everyone within the network can avoid or be barred from the content/parties in question.
This type of catch-all traffic control generally works well. The filtering and blocking uses the WAN IP address or the DNS server as the base and applies locally to your Internet gatekeeper—your router or firewall device. It also imposes a minimum level of privacy risks since the traffic is applied to an entire network and not a particular device (person).
That said, generally, you should use Online Protection if it’s accessible. Many routers come with this feature. A good example is the Network Protection of Asus routers—it’s part of the free-for-life AiProtection suite. Ubiquiti and Synology also have similar features for free. Other vendors sell it as an add-on premium via a subscription.
There is no complete protection. You are always the last line of defense. However, a router with an excellent built-in online protection feature helps.
The takeaway is that Online Protection is transparent, straightforward, and democratic. All network members are in it together, and therefore, all local network devices share the same treatment. It’s also more effective and less intrusive since there’s no exception.
And that brings us to Parental Control.
Router Parental Controls: The hit-or-miss nature and the extreme privacy risks
Parental Control is complicated. It basically means you want to let stuff in your home network but keep it away from select family members. It’s a do-what-I-say-but-not-what-I-do kind of deal.
Here’s the thing: Even if the moral high ground is justified, making it work can still be problematic.
For example, in real life, you know the difference between John and Jane as two individuals. However, your system doesn’t. It only knows the connected devices. So if you block Jane from certain online materials via her iPad, when John uses the device, he’s blocked, too.
Things get very complicated when devices are shared within a family, which happens all the time. That’s if you can make the blocking work. In reality, it doesn’t always work, anyway.
That’s because, generally, the only thing unique about a particular device is its MAC address—similar to a car’s VIN. Your system uses that to distinguish one device from another. However, as I described in this post, the MAC address can be spoofed fairly easily.
To make matters worse, in recent years, for privacy reasons, by default, virtually all handheld devices—smartphones and tablets—automatically use a random MAC address when connecting to a Wi-Fi network. You have to manually change the settings if you want them to use their actual MAC.
Wi-Fi extenders also tend to assign a virtual MAC address to a connected device automatically.
The gist is that you might be able to enforce Parental Control on Jane’s iPad for a day. The next time she restarts the device or reconnects it to the network, it’ll register with a new MAC address and appear as a new device entirely that’s not on the controlled list.
The serious privacy issues
If you wonder why MAC spoofing is so prevalent and commonly practiced by hardware vendors, again, it has a lot to do with privacy. If you give somebody your device’s MAC address, they can track and even spy on you.
Your router gets all the MAC addresses of all connected devices at home, and they generally stay there. However, when you turn on a third-party Parental Control feature—the case of add-on subscriptions offered in many home mesh systems, such as Amazon eero, Netgear Orbi, or TP-Link Deco—you literally give your children’s data to that party.
The next time you turn on or opt for a Parental Control feature, make sure you read the entire “term of use” or “disclosure” on data collection before accepting it.
Additionally, to fight against the virtual MAC address, this type of app-operated Parental Control needs to be installed on your child’s device to be effective. As a result, while you might be able to control what your child can see or do online, the third party can keep track of everything, including your child’s whereabouts in real life, via the device’s GPS-based location. The whole thing is a terrible trade.
The market for the Parental Control feature and the data it mines is so lucrative that more and more networking vendors offer it as a premium add-on. In this case, you’ll pay a third party to mine your child’s data. Think about it!
Parental Controls: The alternative approach
Generally, the current state of Parental Control in home networking falls into two scenarios or somewhere in between:
- It’s ineffective: This is the case of the built-in Parent Control feature on a router. Pre-teen and older kids can probably figure out how to bypass web filtering after a few Google searches. All it takes them is to have one geeky friend. Younger kids who don’t know how to use a search engine yet won’t do anything crazy online anyway. Or
- Privacy risks: This is the case when you use an app to handle Parental Control. Those who can’t figure out how to bypass the system or disable the app face markedly higher risks of having their general activities monitored and data-mined by a third party.
That said, it’s generally not a good idea to use any packaged Parental Control solution. The effectiveness varies, and the privacy risk is always there by different degrees. Strictly from the tech point of view, here are my recommendations on this front:
- Set up Parental Control at the device level. This option is generally available on each device, such as a computer, media streamer, phone, etc. It’s a bit more work but much more effective. And it generally doesn’t require a third party.
- Use the Online Protection feature on your router, if available, and block stuff that’s bad for everyone. A router’s built-in and free Parental Control feature is worth a try if you don’t count on its effectiveness.
- Refrain from using an online Parental Control service that requires a mobile app and a login account. You’ll pay a lot more for it than the monthly subscription, and chances are you can’t really count on it, either.
Additionally, in terms of real-life parenting:
- Set up a family time when no one uses any device. Take your kids out for a hike or a bike ride regularly.
- Set up a mutually agreed-upon reasonable schedule for your kids to use the devices, then encourage and reward them for self-policing. It takes time, but it works much better.
- Be a friend and a role model for your children. Remember that they are intelligent creatures, and they learn fast. Hypocrisy only breeds resentment.
The takeaway
Online Protection, Parental Control, and parenting are all about the nuances and degrees. You can use a mix of what you think is most effective for your situation without going overboard, but be aware that your kid is another human you’re dealing with, not another device.
Think about your childhood. If you can’t learn from the way your parents raised you, at least learn from your experience as a child. Don’t do to your children stuff you wish had not been done to you. That’s a good start. Be a friend and spend time with your children instead of your own screen. That will help even more.
Making a child is a matter of biology. Being a parent is a lifestyle choice. It’s not supposed to be easy. There’s no app for it. And it never ends.
All the while, don’t use Parental Control as a criterion in picking a router. You might end up with a Wi-Fi machine designed primarily to profit from you and your child’s privacy. In return, it gives you the illusion of being in control or the fake feeling of being a “good” parent you’re a couple of apps and a few screens away from.
Dong’s note: I first published this post on February 21, 2021, and last updated it on February 8, 2024, to add up-to-date information.
Seems I’m not the only one quite happy with Synology’s Safe access and it indeed was the reason for not going for a UDR
“Younger kids who don’t know how to use a search engine yet won’t do anything crazy online anyway”
That’s a mighty assumption in a world where a mistyped keyword in a search engine or an over aggressive advert on some free game websites can get your kids exposed to the really wrong stuff.
There’s no one offer impervious to attacks/bypass but it’s better to have more layers than throw one’s hands in the air.
So far my 6-8yo haven’t found out about using a VPN or changing their DNS (not that they could given the restrictions on the local machine)
Additionally Safe access makes it very easy to disable/change the restrictions if a parent needs to use the device.
For us we have 1 laptop per kid with Router based restrictions and on device as well. Neither have screentime on any other device including our phones/tablets.
We have several restriction templates such as 1 for school term where they can go to specific education sites and not the gaming ones, one for weekends, one for vacation, etc and of course it’s all locally controlled and the management can be done via the web interface or the app.
To deal with randomized MAC addresses, I block new MAC addresses on my {…} WiFi router. My children know they have to turn off randomized MAC on their devices. A new MAC is blocked unless/until I assign it to a user, which I never do if I determine it’s randomized.
This type exclusive-access blocking can be a headache, Gary. I can’t imagine how it can work without you being bothered constantly. But if it works for you then it works. Almost all routers can do that by the way.
Hi Dong
I am using synology safe access with very excellent results , simply I let my kids just use guest network and I applied the default web-filter so whatever the MAC address it will be under the default parental control scheme even for the schedule , other smart devices are using the regular network . I am using mech of synology.
👍
{…} The thing missing from most of these parental controls is what is sometimes called “homework time”, where only specified (whitelisted) websites are allowed during specific time periods. My kids do some of their schoolwork from home and I need this to keep them on track. They are teenagers, sometimes working at home alone, and the temptation to play during schoolwork time is too strong for them to overcome without my “help”. {…} So far, the only other router I have found that can do this is the Synology (using Safe Access) but they don’t call it “homework time” and I haven’t tried it. If ASUS, Netgear, TP-link or any of the other major players can do it, I haven’t found it yet. I’m still looking …
Generally, that’s called “schedules”, and it’s available in many routers. I don’t review this feature, however. Don’t look for the wording, but how things work.
Dong, thanks for the reply. They all can do schedules, only some can do multiple schedules per profile (user) AND limit access on a particle schedule to specified websites. For example, “Bedtime” (all WiFi off), “Homework” (WiFi on, but whitelisted sites only), etc. I know Parental Controls aren’t your thing, but you have a great web site here. Keep up the great work!
Wi-Fi scheduling is generally not part of Parental Control in most routers — it’s in the Wi-Fi section — but it’s the same thing.
Regarding this portion of the article:
“Online protection generally applies to the case where you want to keep everyone safe. It’s obvious stuff like phishing, ransomware, malware, or even misinformation, and so on. But you can add more — like social media or pornography — to the list.”
And ASUS RT-AXE7800 in particular… It seems that the AI protection is only for the malicious stuff, but to get to the site content based protection, its all done through the parental controls which is MAC address specific and has to be individually entered. Am I missing something? Is there a way to globally protect site content for the ASUS?
Thanks…
You’re correct. You can try the DNS route, much more effective. And it’s super easy with an Asus router.
how do you keep the device from overriding the router configured dns?
You can’t, Ryan. More here.
I’ve been using NextDNS and am quite happy with it. I would have to go over 20 years to get an ROI vs the Firewalla Gold and then I would be capped at 1Gbps (I have a 2Gbps connection). Maybe the next version of the FWG will have 2.5Gbe ports for almost $500.
Dong,
Thanks for the article. Have you reviewed the parental controls offered by {…}? Currently, we are using {link removed} for DNS, parental controls on our router, and parental controls like Apple ScreenTime on each device.
No, I haven’t tested it, Jeff.
I must say Dong, your reviews of the Asus network offerings have really helped me to decide on a way forward in upgrading my home system. I just have one question in relation to creating an AiMesh system.
I currently have 2 XT8’s that are running great. I had initially struggled to get them working correctly until i found out that our paid for TV system over here in the UK – Sky Q, was creating a ‘mesh system’ to connect all 4 boxes around the house. This was causing drop outs and all manner of issues on our new Asus home wifi system. I have had to disable the wifi feature of the TV boxes and resort to ethernet. I need to add 2 additional nodes to my network and wanted to ask what the impact would be in i added 2 x CT8’s instead of the XT8’s?
Currently have 1 XT8 router on top floor with 1 gig fibre coming in, one on ground floor and speeds are excellent. the 2 tv’s i need to ethernet in are in the middle floor and i’d thought of using CT8’s to save a few bucks, but would this impact negatively my network overall – would it be worth paying the extra to get XT8’s? We currently haver approx 6 wifi6 devices in the house.
thanks in advance Dong
Kind regards
Jon
You need another XT8 box, Jon. Mixing the two standards will create all sorts of unexpected issues. More in this post.
Sure, Sam. I’ll keep your suggestions in mind. 🙂