Not the usual type of content here but is worth a shot. So as my kids get older I figure its time I start to monitor/block some things on that big bad web. I know no amount of blocking will block everything and teaching my kids is the way to go but a little deterrent can go a long way.
For outbound (i.e., traffic initiated by systems on the local network):
A fundamental aspect is a reputation service. They exist (OpenDNS is one example). I don't think it is possible to do it (reputation list maintenance) on one's own.
The DNS approach is simple and can be achieved using existing equipment. However, not all devices will use the DNS service offered by local DHCP (e.g., Chromecast, Amazon TV, kids who discover DNS evasion techniques). It's a reasonable place to start. One may or may not get metrics depending on the service chosen.
Past that, a lot more is needed. For partial control (absolute control is elusive), one must observe and/or control as much outbound traffic as possible. Techniques vary across protocols (and a reputation service is still needed), and encrypted protocols cannot easily be inspected (QUIC is a good example). Minimally, if one wishes to have a record of traffic, one must log all outbound "connections" (i.e., new conntrack sessions) for later analysis, which means a primary router that can log such and a (possibly separate) system to aggregate logs and provide analysis. All traffic of interest is not restricted to TCP, and some is best summarily blocked (e.g., Teredo).
Related, ad/tracker blocking may also be of interest.
For inbound (i.e., unsolicited traffic):
Start with passive measures. Block all unsolicited traffic as a start. This can easily be done with consumer or better routers (and UPnP is
not a Good Idea).
If unsolicited traffic of any sort is allowed in, undesirable traffic must be culled. Did I mention a reputation service? Reasonable blocklists are readily available (
e.g.). Use of such requires more than just a typical consumer router.
Active measures require more than a typical consumer router.
Miscellany:
Some of the above can be done using your existing equipment. Your CRS125 has a CALEA feature, btw. Explain it to the kids.
Security Onion is (but) one example of a reasonably comprehensive SIEM. It, or any of the components comprising it, would be places to start.
I have a small home network front-ended by a low-cost Ubiquiti EdgeRouter. It's quite adequate for passive measures. It has a reasonable traffic analysis feature, though that feature is not entirely appropriate for your intended purpose. It logs all inbound and outbound connections. I use a Supermicro 5017A-EF for log capture and analysis (and other always-on duties). It watches (Suricata in IDS mode) a mirror of aggregate local network traffic heading towards the edge router. I do not use (no kids) any outbound blocking (except for Teredo at the moment). If I did, I'd want something like a Supermicro 5018A-TN4 or better to handle that and other SIEM-related duties. I also have a CRS125, though it is serving just as a switch, but its OS can also be used for some of the above functions.
Unfortunately, home network control is not much different than enterprise network control.
