Parental Controls
The Parental tab lets you block whole categories of websites — adult content, gambling, social media — for every device connected to your home WiFi. The blocks happen at the DNS level, so they apply to every phone, tablet, laptop, and smart TV without installing anything on the devices.
This is an optional feature your ISP has to turn on. If you don’t see the Parental tab, your ISP hasn’t enabled DNS filtering on the network you’re on.
How to get here
Section titled “How to get here”After login, from the portal:
- Sidebar → Parental
- Direct URL:
/customer/parental - Mobile app: More → Parental
The tab is hidden when your ISP has not enabled the parental controls service. Ask your operator if you’re interested — it’s a network feature that requires their DNS filter to be deployed and your router to be steered to it.
How it works
Section titled “How it works”In short:
- Your router normally sends DNS queries to whatever resolver it’s configured for (often 8.8.8.8 or your ISP’s resolver).
- When parental controls are enabled, your ISP’s MikroTik NATs your DNS traffic to a filtering resolver — either a self-hosted one or a relay to NextDNS.
- The filtering resolver checks the requested domain against your category settings.
- If the domain is in a blocked category, the resolver returns a “blocked” page IP instead of the real IP — and the browser shows a block notice.
- If the domain isn’t blocked, the query proceeds normally.
All of this happens transparently — devices in your home don’t need to be configured. Even if a device hard-codes Google DNS (8.8.8.8), the NAT rule on the operator’s router redirects it through the filter.
Layout
Section titled “Layout”The Parental page has three sections:
| Section | What it shows |
|---|---|
| Master toggle | One big switch — enables / disables filtering for your entire household. |
| Categories | Toggles for the major categories (Adult, Gambling, Social Media, etc.). |
| History / Devices | Per-device list (when supported) showing what’s been blocked recently. |
The master toggle
Section titled “The master toggle”The top switch turns parental controls on or off for your account. When off:
- All other category toggles are greyed out.
- DNS queries flow normally — no filtering.
- Devices in your home are unrestricted.
When on, the system creates a NAT rule on your router (via MikroTik API) that intercepts DNS traffic and routes it to the filtering resolver. The rule is added per-subscriber, identified by your PPPoE username, so it doesn’t affect your neighbours.
Categories
Section titled “Categories”The categories you can block (subject to your ISP’s configuration):
| Category | What’s blocked |
|---|---|
| Adult / Porn | Sites tagged as adult content. The most common reason customers enable filtering. |
| Gambling | Online casinos, sports betting, lottery sites. |
| Social Media | Facebook, Instagram, TikTok, Snapchat, etc. Useful for “homework hours” if you’re not using time-based schedules. |
| Dating | Dating apps and websites. |
| Drugs / Alcohol | Sites promoting illegal drugs or excessive alcohol. |
| Violence / Weapons | Sites with graphic violence, weapons sales. |
| Piracy / Torrents | Torrent trackers, illegal streaming. |
| Proxy / VPN | Anonymizers — useful to enforce that your filtering can’t be bypassed. |
When a category is on, requests to those domains return a block page. When off, requests resolve normally.
Defaults shipped with the system: Adult, Gambling, Dating are typically enabled by default when you first turn on parental controls.
Per-service toggles
Section titled “Per-service toggles”Beyond categories, some ISPs expose per-service toggles — block specific sites without affecting their whole category. Common examples:
- Block TikTok specifically (without blocking the rest of Social Media).
- Block Roblox for younger kids.
- Block YouTube outside specific hours.
The available list depends on what your ISP has configured. You see a search box; type a name and toggle it.
Allow / block lists
Section titled “Allow / block lists”Many configurations let you add domains by hand:
- Allowlist — domains that should always resolve, even if their category is blocked. Useful when your kid’s school site got false-positived as “social media”.
- Blocklist — domains that should always be blocked, regardless of category. Useful for one-off sites you’ve decided your household doesn’t visit.
Both lists are entered as bare hostnames: tiktok.com, cousin-blog.com. Wildcards aren’t supported in the portal UI (the underlying NextDNS configuration may support them; ask your ISP).
Schedules (when supported)
Section titled “Schedules (when supported)”Some configurations let you schedule when filtering is active — e.g. “block social media on weekdays from 19:00 to 22:00 (homework hours)”. The schedule editor (when available) shows a weekly grid; tap cells to enable / disable filtering for that hour.
Outside the scheduled hours, the master toggle’s state applies (i.e. no schedule means “always filtered”).
Per-device controls (when supported)
Section titled “Per-device controls (when supported)”If your router supports DHCP host reporting via TR-069, the Devices section lists each device in your home with its MAC, IP, and current name. You can:
- Rename devices (
iPhone-Kid1,Living-Room-TV). - Apply different profiles per device — e.g. a child’s tablet gets the strictest filter, while the parents’ laptop is unfiltered.
This requires both a TR-069 router that reports hosts AND your ISP to enable per-device profile mapping. Not all setups support it.
Common workflows
Section titled “Common workflows”Setting up parental controls for the first time
Section titled “Setting up parental controls for the first time”- Parental → toggle the master switch on.
- The category list activates.
- Turn on Adult. Turn on Gambling if relevant. Turn on Social Media if you want to limit kids’ screen time.
- Test from a phone on your WiFi: try to visit a blocked site. You should see a block page in 1–2 seconds.
- If a site you wanted to keep is blocked, add it to the Allowlist.
Allowing one site that got blocked by mistake
Section titled “Allowing one site that got blocked by mistake”- Parental → scroll to Allowlist.
- Type the domain (
my-favorite-blog.com). Tap Add. - Wait 30–60 seconds for the cache to refresh.
- Retry the site — it should now resolve.
Temporarily disabling filtering for an evening
Section titled “Temporarily disabling filtering for an evening”- Parental → toggle the master switch off.
- Filtering is paused; all categories are inactive.
- Browse normally for the evening.
- Toggle the switch back on when you’re done. Filtering resumes immediately.
- Every toggle is logged — you (and your operator) can see when filtering was on or off in the audit history.
Bypass attempts and how they’re handled
Section titled “Bypass attempts and how they’re handled”A motivated user (e.g. a teenager) might try to bypass the DNS filter:
| Attempt | What happens |
|---|---|
| Set device DNS to 8.8.8.8 manually | The operator’s MikroTik NAT rule redirects port 53 traffic through the filter anyway. |
| Use DNS-over-HTTPS (DoH) directly | If the ISP has configured DoH blocking, queries to public DoH providers (Cloudflare, Google) are also blocked, forcing devices back to the filtered resolver. |
| Use a VPN | If you’ve enabled the Proxy / VPN category, VPN provider sites are blocked — you’d have to manually allow one first. |
| Connect via cellular instead of WiFi | Not bypassable from the parental controls — that’s a separate network and the operator’s filter doesn’t apply. |
Privacy
Section titled “Privacy”What the operator and the filtering resolver see:
- The list of domains your household queries (DNS logs).
- Aggregated category statistics.
- Per-device hostnames (when TR-069 host reporting is on).
What they do not see:
- The content of HTTPS pages (DNS only sees the hostname, not the URL).
- Encrypted application traffic (Signal, WhatsApp message content).
- Browsing history beyond the DNS layer.
For most home use this is comparable to using any public resolver like Cloudflare or NextDNS directly — the filtering happens on top.
Edge cases
Section titled “Edge cases”| Case | Behavior |
|---|---|
| Master toggle is off | Category toggles are visible but greyed out. Your settings are remembered for when you turn the master back on. |
| ISP changes engine from self-hosted to NextDNS | Your category settings migrate; allow / block lists sync via the NextDNS API. |
| Block page is broken | Sites still don’t load — but instead of a “blocked” page, you get a generic browser DNS error. The block is working; the operator just doesn’t have a custom block page configured. |
| Filtering is on but blocked sites still load | DNS may be cached. Restart the device, or wait 5–10 minutes for the cache to expire. |
Permissions
Section titled “Permissions”The Parental tab has no per-customer permission gate beyond the ISP-side master switch:
| Condition | Effect |
|---|---|
| ISP has enabled the parental service for the network | Tab is visible. |
| Customer JWT valid | Tab can be used. |
customer_username ownership | All toggles apply only to your account. |
Related pages
Section titled “Related pages”- WiFi Management — related network-level control, also operator-managed.
- Customer Portal Overview — the rest of the portal.
- Support Tickets — for help configuring categories or whitelisting a site.
- Dashboard & Live Traffic — verify the filter isn’t slowing your connection (it shouldn’t).
- Admin → Parental Settings — operator-side configuration.