Skip to content
MikroTik RouterOS Docs

Kid Control

Kid Control

Section titled “Kid Control”

Kid Control is a MikroTik RouterOS feature for parental bandwidth and access management. It uses a two-level model: you create a user profile for each child, configure rate limits and time schedules on the profile, then assign one or more devices (by MAC address) to that profile. All restrictions are applied at the user level — devices inherit the profile’s settings automatically.

Overview

Section titled “Overview”

Kid Control uses a user → device hierarchy:

  1. User profiles (/ip kid-control) — define per-child settings: bandwidth limits, allowed access hours per day of week.
  2. Devices (/ip kid-control device) — MAC addresses associated with a user profile. A device has no independent rate or time settings.

When a registered MAC address is seen on the network, RouterOS creates a simple queue entry targeting that device’s IP (resolved via ARP) and enforces the user profile’s limits.

Prerequisites

Section titled “Prerequisites”

  • RouterOS 7.x

  • FastTrack must be disabled on the interface carrying Kid Control traffic, or Kid Control devices must be excluded from FastTrack. FastTrack bypasses queue processing and will prevent rate limiting from taking effect.

    Verify FastTrack rules:

    /ip firewall filter print where action=fasttrack-connection

Configuration

Section titled “Configuration”

Step 1 — Create a user profile

Section titled “Step 1 — Create a user profile”

Create one profile per child. Apply rate limits and per-day schedules here.

/ip kid-control add name="Mia"

Set the allowed access hours and bandwidth limit on the profile:

/ip kid-control set [find name="Mia"] \
    mon=07:00-21:00 \
    tue=07:00-21:00 \
    wed=07:00-21:00 \
    thu=07:00-21:00 \
    fri=07:00-21:00 \
    sat=08:00-23:00 \
    sun=08:00-23:00 \
    rate-limit=5M/1M

Days with no value set allow unrestricted access for that day.

User profile parameters

Section titled “User profile parameters”
ParameterDescription
nameDescriptive name for the child/profile
monsunAllowed access window for that day (HH:MM-HH:MM). Empty string blocks all access for that day.
tur-montur-sunTime Unlimited Rate window — rate-limit is lifted during this window while other restrictions remain.
rate-limitBandwidth cap in download/upload format (e.g., 10M/2M). Units: k, M, G.
disabledSet disabled=yes to suspend the profile without deleting it.

Rate limit format

Section titled “Rate limit format”

The rate-limit property uses download/upload format:

5M/1M     — 5 Mbps down, 1 Mbps up
10M/2M    — 10 Mbps down, 2 Mbps up
512k/256k — 512 kbps down, 256 kbps up

Time unlimited rate (tur-*)

Section titled “Time unlimited rate (tur-*)”

tur-* properties define windows where the rate-limit is temporarily removed. This is useful for allowing full-speed homework hours while throttling gaming time:

/ip kid-control set [find name="Mia"] \
    mon=07:00-21:00 \
    tur-mon=15:00-17:00 \
    rate-limit=5M/1M

During 15:00–17:00 Monday, Mia’s devices have unrestricted bandwidth. Outside that window, the 5M/1M limit applies.

Step 2 — Add devices to the profile

Section titled “Step 2 — Add devices to the profile”

Add each device by MAC address. The user parameter is required.

/ip kid-control device add user="Mia" mac-address=AA:BB:CC:DD:EE:FF name="Mia-Tablet"
/ip kid-control device add user="Mia" mac-address=11:22:33:44:55:66 name="Mia-Phone"

Device parameters

Section titled “Device parameters”
ParameterDescription
userRequired. Name of the Kid Control user profile this device belongs to.
mac-addressMAC address of the device (XX:XX:XX:XX:XX:XX).
nameDescriptive label for the device.

Rate limits and time schedules are not set on devices — configure them on the user profile.

Complete example — two children with different schedules

Section titled “Complete example — two children with different schedules”
# Child 1: school-age, limited on school nights
/ip kid-control add name="Mia"
/ip kid-control set [find name="Mia"] \
    mon=07:00-21:00 \
    tue=07:00-21:00 \
    wed=07:00-21:00 \
    thu=07:00-21:00 \
    fri=07:00-22:00 \
    sat=08:00-23:00 \
    sun=08:00-21:00 \
    rate-limit=10M/2M


/ip kid-control device add user="Mia" mac-address=AA:BB:CC:DD:EE:FF name="Mia-Tablet"
/ip kid-control device add user="Mia" mac-address=11:22:33:44:55:66 name="Mia-Phone"


# Child 2: younger, stricter hours and lower bandwidth
/ip kid-control add name="Sam"
/ip kid-control set [find name="Sam"] \
    mon=15:00-19:00 \
    tue=15:00-19:00 \
    wed=15:00-19:00 \
    thu=15:00-19:00 \
    fri=15:00-20:00 \
    sat=09:00-20:00 \
    sun=09:00-19:00 \
    rate-limit=5M/1M


/ip kid-control device add user="Sam" mac-address=BB:CC:DD:EE:FF:AA name="Sam-Laptop"

Temporarily suspending a profile

Section titled “Temporarily suspending a profile”

Disable a profile to suspend all restrictions without removing configuration:

/ip kid-control set [find name="Mia"] disabled=yes

Re-enable:

/ip kid-control set [find name="Mia"] disabled=no

Verification

Section titled “Verification”

View all profiles and their schedules:

/ip kid-control print

View all registered devices:

/ip kid-control device print detail

Monitor per-device traffic statistics:

/ip kid-control device print stats

The stats output includes bytes-down and bytes-up counters per device. Reset counters:

/ip kid-control device reset-counters numbers=0

Check that Kid Control is creating queue entries for active devices:

/queue simple print

Verify system time (schedules depend on accurate router time):

/system clock print

Troubleshooting

Section titled “Troubleshooting”

Device not being limited

Section titled “Device not being limited”
  1. Confirm the MAC address matches exactly: device print detail
  2. Check the user profile has rate-limit set: print
  3. Check for FastTrack rules that bypass queuing: 
    /ip firewall filter print where action=fasttrack-connection
  4. Verify the device’s IP appears in the ARP table (Kid Control resolves MAC → IP via ARP): 
    /ip arp print where mac-address=AA:BB:CC:DD:EE:FF

Schedule not enforced

Section titled “Schedule not enforced”
  1. Verify the router’s clock: /system clock print
  2. Check that mon/tue/etc. are set on the user profile, not the device: 
    /ip kid-control print detail
  3. Confirm the day abbreviations are full property names (mon=, tue=, not mtwtf abbreviations).

MAC address randomization

Section titled “MAC address randomization”

Modern mobile devices (Android 10+, iOS 14+) use randomized MAC addresses by default. If a device is not being matched, disable MAC randomization for your Wi-Fi network on the device. Kid Control identifies devices by MAC address and cannot track randomized MACs reliably.

Device still has access outside allowed hours

Section titled “Device still has access outside allowed hours”

Check for other firewall or NAT rules that may be forwarding traffic before Kid Control queues are evaluated. Kid Control operates via the queue system; it does not install firewall drop rules.

See Also

Section titled “See Also”