Parents of STH - what is/are your solution(s) for Internet management with kids?

[jcl333]

Hello all, hopefully this is the best group to post this in.
If anyone has a really good forum for this say on Reddit or elsewhere that I should check out, I would really appreciate it.

As the title says, I have children who are 10 and 12, and I am looking for ways that I can monitor, protect, regulate, etc.
There are quite a few products online, most of them cloud-based apps and so forth. That is OK but wondering what my fellow high-tech parents may have come up with. There are allot of things that can cause more trouble than they are worth.

This is my current setup, been using this for years:
- VMware host with Intel NICs passed through to a pfSense VM
- VMware Photon OS with docker, and Pi Hole running in a container to block ads via DNS
- OpenDNS for further protection from objectionable content
- WiFi is handled by a pair of Ubiquiti APs (with controller in a VM)
- Google Family link to restrict app use, YouTube in restricted mode

The above is far from perfect, and no software package can be a substitute for good parenting of course, just looking to make my job easier.
Right now, kids are limited to 1 hr of video games, and 1 hr of non-educational videos per day, more on weekends
All homework and chores done first.
Enforcement is getting harder though because things like YouTube are so addictive.
Each kid has a PC, oldest has an android phone, and we have 1 android and 1 iPad, and some streaming devices.
Mostly I want to monitor rather than restrict, I trust my kids and they do well in school.

Here is what I would like to be able to do: (in addition to what I currently have)
- Monitor/log what kids are doing, so that I can have the right conversations when the time comes
- If possible, filter YouTube categories so that it is less junk and more educational
- Regulate screen time - track usage and possibly enforce some limits (regardless of device)

- Possibly be able to add time for rewards​

Ideas:
My current idea is to add a Sophos UPN as a VM and run it in bridge mode on a separate vSwitch.
That would cover monitoring and some other capabilities, but it won't cover a phone not using WiFi.
- I know I will need a cert to get actual full monitoring, and I know Chrome doesn't like that, so it would cause constant warnings
- I could integrate and mandate a VPN, but not sure how effective or reliable that would be
So, I probably need some kind of app for that in addition to all this. It would be great if there was an all-in-one for this, but I am not getting my hopes up for that.
- Was looking at Circle with Disney, don't know how good that is

So, before going and spending allot more time researching and piloting, I thought I would ask what others are doing.

Thanks

-JCL

 

[klui]

I implement limited blocks and only on specific devices based on behavior. My wife and I try to discuss areas of improvement with our kids but obviously since their brains haven't fully developed yet, they need more restrictions once in a while. It's especially challenging for our pre-teen. Honestly it's a challenge for my wife and me as well. We're still learning and I can definitely improve!

Your kids' personalities will determine what kinds of policies you apply. I use a combination of firewall rules and local restrictions for our 8- and 12-year-old. Our 17-year-old hadn't had restrictions for a long time. If I'm honest he's much more disciplined than I was at that age, and in some cases, my current age. I'm encouraged that my kids come to us when they have questions (esp. about sex, drugs, crime) and I take the time to stop whatever I'm doing and either answer or find potential answers together. I'm somewhat long-winded and tend to go into history and nuances rather than a simple yes/no.

Our current method works most of the time; using technology is my last resort. Much easier to take away a device for gross violations--the question comes down to how long to enforce restrictions. I do send logs from all my devices to a log server. AP logs can be searched for checking domains if necessary but I haven't had a need to do that. I don't go through my logs on a regular basis because their behavior when I interact with them and performance on their school and extracurricular activities provide a good indicator. In fact the only time I had to use my NMS is when we had a noticeable network slowdown. Turned out my son's game was using P2P to download a 5GB update and its default setting had no upload restriction. That was when we had an asymmetric package. We have symmetric now but I did inform him why it was happening and let him to configure the restriction.

 

[jjacobs]

This is not a direct answer to your question but... I have a 12 year old who is a good kid. Does very well in school and doesn't give us any grief. It's been my experience that if you monitor/restrict in a way that your kids are aware of what's going on it has the opposite effect of what you would like. If kids think they are not trusted they will often make that come true. Adults are not all that different in this way also...

What I do have in place is firewall rules for known malware CC servers and such (Talos and Proofpoint) to catch the worst of unintentional browsing mistakes. I run a pinhole to catch the typical stuff you want to filter out for the age group. I can browse the logs and see if there have been any hits.

We are an Apple family so screentime is available, I've not used it for a few years, She knows 1 hour of Roblox a day is it and self monitors...

I think @klui is spot on, and agree that "using technology is my last resort" is the best mind set. It's not always easy but the effort pays off in many ways other than online behavior.

Take it slow, work with your kids as best you can. They are going to mess up sometimes, it what kids do and not the end of the world. Also don't beat on yourself too much. Kids don't come with documentation, it's hard

Edited to add: Yeah, this is STH. We love the technology. This place is the fastest route from Airport Express to pfsense (or VYOS!) and a multilayer switch setup. In this case though, less really can be more...

 

[fohdeesha]

This is not a direct answer to your question but... I have a 12 year old who is a good kid. Does very well in school and doesn't give us any grief. It's been my experience that if you monitor/restrict in a way that your kids are aware of what's going on it has the opposite effect of what you would like. If kids think they are not trusted they will often make that come true. Adults are not all that different in this way also...

What I do have in place is firewall rules for known malware CC servers and such (Talos and Proofpoint) to catch the worst of unintentional browsing mistakes. I run a pinhole to catch the typical stuff you want to filter out for the age group. I can browse the logs and see if there have been any hits.

We are an Apple family so screentime is available, I've not used it for a few years, She knows 1 hour of Roblox a day is it and self monitors...

I think @klui is spot on, and agree that "using technology is my last resort" is the best mind set. It's not always easy but the effort pays off in many ways other than online behavior.

Take it slow, work with your kids as best you can. They are going to mess up sometimes, it what kids do and not the end of the world. Also don't beat on yourself too much. Kids don't come with documentation, it's hard

Edited to add: Yeah, this is STH. We love the technology. This place is the fastest route from Airport Express to pfsense (or VYOS!) and a multilayer switch setup. In this case though, less really can be more...

couldn't agree more, if my parents enacted some of the censor/monitoring suggestions I see thrown around here when I was that age, I certainly wouldn't be doing what I'm doing now, publishing what I publish, etc. would probably be selling insurance or something. then again I'm not a parent so **** if I know

 

[jjacobs]

All said an answer to the OP's question would still be useful. I'd bet there are some here that can help separate the decent products from the crap that is just cashing in on parents stress, fatigue or desperation.

I apologize if my initial response appeared self-righteous or judgmental. I am not in procession of the sole right answer to this or any other question like this. To claim so would just make me a jerk. Forgive me...

 

[PigLover]

Mine or grown & gone so not really a 'current' solution - but it worked for me.

Really you don't need to block them or monitor them. You just need to convince them that you can. With my kids I did enough casual monitoring (put in some DNS tracking) so that I could casually mention things about sites they had visited, etc., and then said just enough to make them believe I could see anything they did on their computers or phones.

Perhaps it helped that I was working at a mobile phone carrier at the time and casually dropped into conversation work I had been doing on CALEA and wiretaps, etc.

Anyway, I had them completely convinced I could see everything they did, read their IMs/etc. Worked out great!

 

[zer0sum]

My current idea is to add a Sophos UPN as a VM and run it in bridge mode on a separate vSwitch.
That would cover monitoring and some other capabilities, but it won't cover a phone not using WiFi.
- I know I will need a cert to get actual full monitoring, and I know Chrome doesn't like that, so it would cause constant warnings
- I could integrate and mandate a VPN, but not sure how effective or reliable that would be
So, I probably need some kind of app for that in addition to all this. It would be great if there was an all-in-one for this, but I am not getting my hopes up for that.
- Was looking at Circle with Disney, don't know how good that is

So, before going and spending allot more time researching and piloting, I thought I would ask what others are doing.

Thanks

-JCL

Are you using OpenDNS Family shield or home?
You could look into NextDNS if you want a bit more control than pihole.

Chrome is just fine with self signed or custom certs so you can SSL inspection. You just have to add them to all of the devices.

Perhaps you need to go full MDM plus a couple of things like Bark Parental Controls and Parental Control & Internet Filtering Device and App | Meet Circle

 

[heromode]

Run your own VPS based VPN using wireguard/ipsec using algo. algo runs dnscrypt with your preferred blocklist you can find here

prevent the phone from accessing the internet via the isp. Force ipsec/wg. now u can control access.

Don't try to control the phone, it's a fool's errand. control the incoming data.

block raw internet access using afwall+, only allow access to wireguard ip subnet

If you need control of the phone, that means you root it. you flash it with a custom ROM from XDA-Developers. You leave out all the google code. You cannot trust google. Google is infested with pedophiles. Just like Disney is. It never ends. You can never trust the ROM a phone comes with from the shop. First thing you do is zap the phone, and install your custom ROM without any google code.

Get tough. It's lots of work and reading, but it is possible. Don't trust any app or 'parental solution' It's all bullshit.

 

[heromode]

to add. What you do is first you buy the same model phone your child has. Then you go to xda-developers and pick a cyanogenmod based ROM for it. You study how to flash the phone without installing the google code. you store the ROM you create on a encrypted sd card that only you have the encryption key to. When your ROM image is ready you transfer the encrypted sd card to your child's phone, and flash your child's phone with that ROM. it's been almost a decade since i did this for a living, can't remember all the details.

from that encrypted sd card you install the new rom onto your child's phone. It has no google code, all location based etc code is open source alternative (can't remember the name but it all exists) afwall+ controls all the internet traffic. your child cannot disable the iptables based fw.

You have to take complete control of the phone OS and the internet data channel. xda-developers has everything you need. Anything less than that is futile.

 

[Wasmachineman_NL]

Teaching your kids proper opsec on the internet is a very good start. And of course, the most important one: if you see something suspicious, talk to your parents about it.

 

[Blue)(Fusion]

Teaching your kids proper opsec on the internet is a very good start. And of course, the most important one: if you see something suspicious, talk to your parents about it.

100% best post so far.

But for the other moments, ZenArmor (paid edition) on OPNSense has been awesome.

The frantic shouts from roommates after I experimented with blocking "Pornography" in the policy was hilarious. "EVERY. WEBSITE. I TRIED EVERY WEBSITE , EVEN ONES GOOGLE DIDN'T KNOW ABOUT AND NOTHING WORKS!"

 

[jcl333]

First let me say, thank you for the great feedback, I appreciate it, and I am hoping this thread may help others too.

Hehe, it's funny, I ask this question, and the first few posts are to NOT do it.
That in itself can still qualify as good advice. You know, like never get involved in a land war in Asia ;-)
Don't worry, I am not offended at all, I did say in my post that none of this would be a substitute for good parenting.
Because even as I wrote it, I started thinking that myself.

To give a little more info:
- Oldest recently had the "puberty" class at school, sex ed probably not far away
- Started hanging around with some "bad" kids who use lots of words they shouldn't
- My kids are high B+ to A students, and usually demonstrate good judgement
- Oldest actually gave a girl a valentine in front of all her friends, at 12 years old, the force is strong in that one

- Then he wrote a pretty decent poem for my aunt's funeral coming up, and he wants to read it!​

- Starting to think the babies got switched at the hospital or something​

- I have many talks with them, the long-winded discussions, they are receptive but bashful
- I sit with them and talk about things they watch, just provide guidance
- They know Dad is an IT guy, and when I say I can monitor anything if I want, they believe me
- I do not allow either of them on any social media unsupervised, but right now only Roblox and Minecraft communities
- My oldest has an android phone, but it is locked down with Google Family link, he can't install apps without my consent

- He uses the phone, texting, maps, and playing music. For now.​

They each have a desktop computer, and they each assembled them with my instruction. Ten year old currently learning Python.
Getting ready to start learning about Arduino, 3D printing, 3D modeling, and then some rendering/animation.

For sure, if I put a bunch of restrictions, I agree it would likely do more harm than good, and would be potentially time consuming.

The last discussion we had was about going over the agreed limits on YouTube videos or other non-educational programming and games.
At that discussion, I made a statement that if they can't show me they have the self discipline to follow the rules, then I would consider doing it with technology, or even just shutting it all off outside their time limits, but I don't want to have to do that. I also put forth some sympathy that media on the Internet can be extremely addicting. I always offer the option to ask for help.

Usually, if they break the rules, I ask them "what do *you* think should happen now?" What did we agree on.

All that being said, I still do have some legit things I can do to make a "safer" Internet experience, for myself as well.
Obviously AV/AM software, edge firewall (pfSense), DNS filtering, AD filtering, and enough filtering and parental control so that they are unlikely to encounter adult material accidentally.

-JCL

 

[jcl333]

Our current method works most of the time; using technology is my last resort. Much easier to take away a device for gross violations--the question comes down to how long to enforce restrictions.

I think this is indeed a good question. I often find it hard to match the punishment to the crime, and it needs to be immediate to really have any effect.

 

[jcl333]

This is not a direct answer to your question but... I have a 12 year old who is a good kid. Does very well in school and doesn't give us any grief. It's been my experience that if you monitor/restrict in a way that your kids are aware of what's going on it has the opposite effect of what you would like. If kids think they are not trusted they will often make that come true. Adults are not all that different in this way also...

What I do have in place is firewall rules for known malware CC servers and such (Talos and Proofpoint) to catch the worst of unintentional browsing mistakes. I run a pinhole to catch the typical stuff you want to filter out for the age group. I can browse the logs and see if there have been any hits.

We are an Apple family so screentime is available, I've not used it for a few years, She knows 1 hour of Roblox a day is it and self monitors...

I think @klui is spot on, and agree that "using technology is my last resort" is the best mind set. It's not always easy but the effort pays off in many ways other than online behavior.

Take it slow, work with your kids as best you can. They are going to mess up sometimes, it what kids do and not the end of the world. Also don't beat on yourself too much. Kids don't come with documentation, it's hard

Edited to add: Yeah, this is STH. We love the technology. This place is the fastest route from Airport Express to pfsense (or VYOS!) and a multilayer switch setup. In this case though, less really can be more...

I pretty much couldn't agree more with all of this. Great feedback and perspective.
I do love your last paragraph, yup, the more you overtake the plumbing the easier it is to stop up the drain.
This is why I tend to be slow to adopt new stuff unit I really find the "go to" solution, which is really what my post is about.

 

[jcl333]

couldn't agree more, if my parents enacted some of the censor/monitoring suggestions I see thrown around here when I was that age, I certainly wouldn't be doing what I'm doing now, publishing what I publish, etc. would probably be selling insurance or something. then again I'm not a parent so **** if I know

You are not wrong, and I agree.
I sort of think along the lines of, when they figure out how to get around things, they deserve to get to it.

 

[jcl333]

All said an answer to the OP's question would still be useful. I'd bet there are some here that can help separate the decent products from the crap that is just cashing in on parents stress, fatigue or desperation.

I apologize if my initial response appeared self-righteous or judgmental. I am not in procession of the sole right answer to this or any other question like this. To claim so would just make me a jerk. Forgive me...

No worries, for all you know I am some whacko who beats his kids or completely ignores them and is just looking for a digital babysitter.
And, if someone asked me this question, I think I might also jump to these same kinds of conclusions (at least be thinking it).
So, this being a forum that has a much higher concentration of technical parents than average, I had to get through that "disclaimer" first.
You wouldn't hand someone a loaded gun who had never handled one before without saying something, right? (or even unloaded)

So, with that out of the way, we can now share responsibly with the knowledge that the suggestions will be taken in the proper context of good parenting comes first.

-JCL

 

[i386]

All kids need is a friend with a phone and most (if not all) the measurements in your home won't work

 

[jcl333]

Mine or grown & gone so not really a 'current' solution - but it worked for me.

Really you don't need to block them or monitor them. You just need to convince them that you can. With my kids I did enough casual monitoring (put in some DNS tracking) so that I could casually mention things about sites they had visited, etc., and then said just enough to make them believe I could see anything they did on their computers or phones.

Perhaps it helped that I was working at a mobile phone carrier at the time and casually dropped into conversation work I had been doing on CALEA and wiretaps, etc.

Anyway, I had them completely convinced I could see everything they did, read their IMs/etc. Worked out great!

Yep, great subterfuge here.

 

[jcl333]

Are you using OpenDNS Family shield or home?
You could look into NextDNS if you want a bit more control than pihole.

Huh, I actually don't know the answer, I will take a look at that. And thank you for the suggestion on NextDNS, I will check that out as well.
I was just really proud of myself for getting Docker up and running with PiHole, and controlling it from my smartphone. I like it because it is a very low maintenance solution, you can pause it for sites that refuse to work without the ads, etc.

Chrome is just fine with self signed or custom certs so you can SSL inspection. You just have to add them to all of the devices.

Yeah, I was trying out some filtering software years ago (practicing for the days ahead), and it needed certs on all the devices. It left a pretty bad impression with me, but maybe it is easier to do now. I really suck at certs, I always avoid tickets about them at work.

I have never found a good reference about how they really work and are implemented that is about my level. It is either just the basics, or something that belongs in a scientific journal, nothing in between.

Perhaps you need to go full MDM plus a couple of things like Bark Parental Controls and Parental Control & Internet Filtering Device and App | Meet Circle

I have only used the Citrix MDM solution, are their free one's that are suited for something like this?

Ah, thank you for the phone monitoring software for parents suggestions. You have sampled those and like them? I will definitely read up on them. At first glance those are almost like MDM themselves. This is just the type of thing I was thinking of, but there are many. I think what I would do is just monitor only and stick with the alerts that are most common.

These are the sort of things I was after, and one's that people here have had actual experience with. I am sure we all have a list of software we have used for years that we swear by for a given task, you know, that list of software you install first every time you install the OS for a new desktop for yourself. It can be really interesting to get a peek at each others lists.

 

[jcl333]

All kids need is a friend with a phone and most (if not all) the measurements in your home won't work

Yup, this same thought was on my mind for sure.
And I can already point to their friends who are clearly not receiving enough parenting
But, as others have mentioned, this is hard even for us techie people, so I try not to judge too harshly.