pfSense: How to Block YouTube for a Specific Device, on a Schedule

My son is a good kid. I’m a good parent.

But sometimes I’m focused on a time-sensitive task while he accidentally overextends his break time on YouTube (or other family-friendly sites).

While I’m focused, it’s OK if he continues to use the Internet for school or other productive things.

I seek a tool that will help him avoid accidentally spending too much time on specific sites.

Technical requirements:

  • User or device specific
  • Scheduled
  • Site specific
  • No local device installation
  • No subscription
  • Leverages pfSense (cuz I already bought the hardware and installed the software, thinking it would serve well)

My original (not pfSense) gateway has DNS filtering on a schedule and that’s worked well, but it’s not device-specific.

I seek device-specific because I have another, older son in the house and have no concerns with his personal time management decisions.

I understand that devices cache things, and I’m not super picky on blocking a video midstream or cutting off YouTube at exactly 1:00. I’m also not worried about my son trying to bypass anything. He’s got integrity and we’ve got a good relationship. I’m just looking for another tool in my parenting toolbox that will help with convenience. It’s a lot easier for a chef to make a meal when the chef has utensils.

I Googled like crazy and didn’t find any solutions. But there’s lots of ignorant parent-judging and lots of stuff about blocking all Internet traffic, per-device, on a schedule.

I found these two old posts on this forum, but they remain unresolved.

My hardware has 4 physical interfaces.

Is it possible to apply pfBlocker to one of two WAN interfaces, then use a firewall rule to route device-specific traffic through the pfBlockered WAN interface on a schedule?

Or is there an even better way to do it?

Looking for suggestions.


I read here that one can set the List Action to use an alias. If this is a viable solution, are there any details on how to set this up?

I don’t have a solution as such.

Though, if you setup vlans you could apply the rules to the vlan rather than devices, then setup a schedule via the advance feature on a rule.

Though I’m not totally sure you can easily block these large sites such as youtube all the time.

You should also see pfSense® software Configuration Recipes — Blocking Web Sites | pfSense Documentation for ways too.

I rely on a separate SSID and the Circle parental control device:

The separate SSID allows me to do a blanket shutdown of access without having to even think about changing any of the very fine tuned rules I’ve set up on the Circle. I imagine you could get the same effect with a VLAN.

Technically, the circle uses ARP poisoning, which relies on the MAC address of each device.

The Circle allows control over time per web site and includes mobile app use of a web site when on the LAN in its calculation. You can set start and stop times. You can also pause the whole thing to allow open access, or completely pause access without touching any of the built in scheduling.

You setup a category for each set of rules you want to have and then assign devices to the category. You can give rewards in the form of extra time for a particular web site or overall time.

What it can’t do is differentiate between different users on a computer.

The circle defaults to putting new devices on the network in the “Home” category which in its default form is wide open. That means guests can use the Internet no problem without doing anything to give them access. It also means a technically inclined teenager can get around the controls by changing a device’s MAC address. To avoid this problem I locked down the “Home” category completely. As a result any new device, such as a guest on the network for the first time, or change in the MAC address given out by a device, can’t access the internet until it’s been reassigned to one of the other categories.

Time limits on the circle are hard, so turning off Youtube at say 9:00pm means right at 9:00pm. I find this good for helping my son learn to plan ahead.

You can also sign up for a monthly subscription plan that applies the same controls to a mobile device when it’s not on your home network.

Edit to add that this was used with pfSense without any problems.

Thanks @Super_Stealth !

Do you know if Circle can work without a subscription? I’m not seeing anywhere on the website that would lead me to believe it can, although I saw a Reddit comment somewhere saying it can.

Thanks again!

I’ve got the 1st version and it definitely works without a subscription. The only thing the subscription added was the ability to work on mobile devices when not on your own LAN. The 2nd version appears to just be a minor update with slightly revised enclosure so I would expect it would work the same way as the first.

It appears they’re now bundling a three month subscription with every device. I presume in the hope that once you try it you’ll want to continue your subscription…

I don’t have the second version so I can’t be any more definite in terms of whether the subscription is required. They do say on the web site that there is a 30 day money back guarantee.

1 Like