Kid Control (Parental Controls)

Kid Control (Parental Controls)

Version Info

RouterOS 7.16 | Min: v6.42+ | ⏱️ 10 minutes | 🟢 Beginner

Tested on: 7.16 7.14

Version-specific notes

• v6.42: Kid Control feature introduced

TL;DR (Quick Start)

For the impatient: create a profile and assign a device.

# Create a kid profile with weekday evening access
/ip/kid-control/add name=homework mon=16:00-21:00 tue=16:00-21:00 wed=16:00-21:00 thu=16:00-21:00 fri=16:00-22:00

# Add a device by MAC address
/ip/kid-control/device/add name=kids-tablet mac-address=AA:BB:CC:DD:EE:FF user=homework

Verify with:

/ip/kid-control/device/print

Overview

What this does: Kid Control is a parental control feature that restricts internet access for specific devices based on time schedules and bandwidth limits. It works by creating dynamic firewall rules to block access and simple queues to limit bandwidth.

When to use this:

• Limiting children’s internet access to specific hours
• Restricting bandwidth for certain devices
• Temporarily pausing internet for a device
• Managing screen time on tablets, phones, and gaming consoles

Prerequisites:

• Router must be the default gateway for controlled devices
• System clock must be accurate (NTP configured)
• Devices identified by MAC address

Important Requirement

Kid Control only works when the MikroTik router is the default gateway for the devices you want to control. If devices use a different gateway, the restrictions won’t apply.

Configuration Steps

Step 1: Configure NTP (Critical)

Kid Control relies on accurate time. Ensure NTP is configured:

/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org
/system/clock/set time-zone-name=America/New_York

Verify time is correct:

/system/clock/print

Step 2: Create a Kid Profile

Create a profile defining when internet access is allowed:

/ip/kid-control/add name=afterschool \
    mon=16:00-21:00 \
    tue=16:00-21:00 \
    wed=16:00-21:00 \
    thu=16:00-21:00 \
    fri=16:00-22:00 \
    sat=09:00-22:00 \
    sun=09:00-21:00

Time format: HH:MM-HH:MM (24-hour format)

Tip: Leave a day empty to block access completely for that day.

Step 3: Find Device MAC Address

View connected devices:

/ip/kid-control/device/print

Or check the ARP table:

/ip/arp/print

Step 4: Assign Device to Profile

Add the device with its MAC address:

/ip/kid-control/device/add name=kids-tablet mac-address=AA:BB:CC:DD:EE:FF user=afterschool

Step 5: Verify Configuration

Check device status:

/ip/kid-control/device/print

Flags indicate status:

• B = Blocked (outside allowed hours)
• L = Rate limited
• P = Paused
• I = Inactive

Common Scenarios

Scenario: Add Bandwidth Limit

Restrict a profile to 5 Mbps during allowed hours:

/ip/kid-control/set afterschool rate-limit=5M

Scenario: Unlimited Rate During Specific Hours

Allow full speed during homework hours, limited speed otherwise:

/ip/kid-control/set afterschool rate-limit=2M \
    tur-mon=16:00-18:00 \
    tur-tue=16:00-18:00 \
    tur-wed=16:00-18:00 \
    tur-thu=16:00-18:00

The tur-* (time unlimited rate) settings override the rate-limit during those hours.

Scenario: Pause Internet Immediately

Temporarily block a device regardless of schedule:

/ip/kid-control/pause afterschool

Resume normal schedule:

/ip/kid-control/resume afterschool

Scenario: Weekend-Only Access

Create a profile allowing access only on weekends:

/ip/kid-control/add name=weekend-only \
    sat=10:00-20:00 \
    sun=10:00-18:00

Weekdays (mon-fri) are left empty, blocking access completely.

Scenario: Time Range Spanning Midnight

For access from evening to early morning (e.g., Friday night):

# Friday 18:00 to midnight
/ip/kid-control/set weekend-only fri=18:00-1d00:00:00

# Saturday midnight to 2 AM (add to Saturday)
/ip/kid-control/set weekend-only sat=00:00-02:00,10:00-20:00

Use 1d00:00:00 to represent midnight (end of day).

Scenario: Multiple Devices for One Profile

Add multiple devices to the same profile:

/ip/kid-control/device/add name=tablet mac-address=AA:BB:CC:DD:EE:FF user=afterschool
/ip/kid-control/device/add name=phone mac-address=11:22:33:44:55:66 user=afterschool
/ip/kid-control/device/add name=gaming-console mac-address=77:88:99:AA:BB:CC user=afterschool

Scenario: Temporary Bonus Time via Script

Create a script to grant 30 minutes of extra access:

/system/script/add name=bonus-time source={
    /ip/kid-control/disable afterschool
    :delay 30m
    /ip/kid-control/enable afterschool
    :log info "Bonus time ended for afterschool"
}

Run it when needed:

/system/script/run bonus-time

Scenario: View Usage Statistics

Check bandwidth usage per device:

/ip/kid-control/device/print stats

Reset counters:

/ip/kid-control/device/reset-counters [find name=kids-tablet]

Verification

Confirm Kid Control is working correctly:

Check 1: Verify Profile Configuration

/ip/kid-control/print

Expected: Profiles listed with correct time schedules.

Check 2: Verify Device Assignment

/ip/kid-control/device/print

Expected: Devices listed with user showing assigned profile; flags indicate current status (B/L/P).

Check 3: Verify Firewall Rules Created

/ip/firewall/filter/print where comment~"kid"

Expected: Dynamic rules created by Kid Control for blocking.

Check 4: Verify Queue Rules Created

/queue/simple/print where comment~"kid"

Expected: Dynamic queues created for rate limiting.

Troubleshooting

Symptom	Cause	Solution
Device not blocked at correct times	System clock incorrect	Configure NTP; verify time with /system/clock/print
Kid Control not affecting device	Router not default gateway	Ensure device uses router as gateway
Settings revert after changing	Known bug in some versions	Try CLI instead of GUI; update RouterOS
Time range errors in GUI	Midnight representation	Use 1d00:00:00 for midnight; use CLI for complex schedules
Rate limit not working	Queue not created	Check /queue/simple/print; verify device MAC is correct
Device bypasses controls	Random MAC enabled	Disable “random MAC” on device; consider MAC filtering
”End time must be bigger” error	Invalid time format	Use 24-hour format; split ranges crossing midnight
Controls block all the time	Empty or invalid time config	Verify time values are set for allowed days

Debug: Check Current Device Status

/ip/kid-control/device/print detail

Look for flags: B (blocked), L (limited), P (paused), I (inactive).

Debug: View Dynamic Firewall Rules

/ip/firewall/filter/print where dynamic=yes

Kid Control creates reject rules for blocked devices.

Debug: Monitor Real-Time

/ip/kid-control/device/print stats interval=1

Watch bandwidth usage in real-time.

Common Mistakes

• Not configuring NTP - Without accurate time, schedules won’t work correctly
• Router not being the default gateway - Kid Control only works for devices routing through the MikroTik
• Using GUI for complex time ranges - CLI handles midnight-spanning times better
• Forgetting random MAC addresses - Modern phones/tablets use random MACs; disable this feature or use static assignments
• Expecting instant blocks - There may be a short delay before rules take effect

Community Tips

MAC Address Randomization: Modern devices often randomize MAC addresses. On iOS/Android, disable “Private Address” or “Random MAC” in WiFi settings for consistent control.

Multiple Time Slots: To have multiple allowed periods on the same day, use comma separation:

/ip/kid-control/set homework sat=09:00-12:00,14:00-18:00

Temporary Unblock: Kid Control lacks a built-in “bonus time” feature. Use the script approach shown above for temporary access grants.

Notification: Create a scheduler that logs when a device gets blocked:

/system/scheduler/add name=log-blocks interval=5m on-event={
    :foreach d in=[/ip/kid-control/device/find where blocked=yes] do={
        :local name [/ip/kid-control/device/get $d name]
        :log info "Kid Control: $name is blocked"
    }
}

How It Works

Kid Control creates two types of dynamic rules:

1. Firewall Filter Rules: Block traffic when outside allowed hours

   • Creates reject rules in /ip/firewall/filter
   • Matches source/destination by IP (resolved from MAC via ARP)

2. Simple Queue Rules: Limit bandwidth during allowed hours

   • Creates queues in /queue/simple
   • Applies the rate-limit value from the profile

The rules are automatically managed - created when restrictions apply and removed when not needed.

Related Topics

Prerequisites

• Clock/NTP - required for accurate time schedules
• DHCP Server - identify devices by DHCP lease

Related Features

• Firewall Basics - understanding filter rules
• Simple Queues - bandwidth management
• Firewall Address Lists - device grouping

Automation

• Scheduler - for automated tasks
• Logging - track blocked access

Reference

• MikroTik Kid Control Documentation

Key Commands Reference

Command	Description
/ip/kid-control/add	Create a new kid profile
/ip/kid-control/print	View all profiles
/ip/kid-control/pause	Temporarily block a profile
/ip/kid-control/resume	Resume normal schedule
/ip/kid-control/device/add	Add device by MAC address
/ip/kid-control/device/print	View all devices
/ip/kid-control/device/print stats	View bandwidth statistics
/ip/kid-control/device/reset-counters	Reset usage statistics

Profile Properties

Property	Type	Default	Description
name	string	-	Profile identifier (required)
mon - sun	time	-	Daily access windows (HH:MM-HH:MM)
rate-limit	string	-	Bandwidth limit (e.g., 5M for 5 Mbps)
tur-mon - tur-sun	time	-	Unlimited rate periods (override rate-limit)
disabled	yes/no	no	Disable the profile

Device Properties

Property	Type	Default	Description
name	string	-	Device name (required)
mac-address	MAC	-	Device MAC address (required)
user	string	-	Associated kid profile
disabled	yes/no	no	Disable device tracking

Device Flags

Flag	Meaning
X	Disabled
D	Dynamic
B	Blocked (outside allowed hours)
L	Rate limited
I	Inactive (device not seen)
P	Paused (manually paused)