admin wrote: You also need to set up an ip filter for DNS lookups, otherwise the 16 year old will just change the DNS server on his PC. Also, what does OpenDNS do for https lookups ?

I know that I can set the DNS server - currently using Google's 8.8.8.8 - in my router's LAN settings but I don't think I can set a different one in the SSID settings? Ideally, I'd like to set different DNS servers for the different wireless networks (SSIDs) so that one runs on Google for us parents and the other on OpenDNS for the kids but I don't think this is possible with a Draytek 2920?

I can set individual DNS servers on each PC but, as admin says, any of the more clever kids - no offence to the others ;-) - will just set it back to Google's and I would be left checking the DNS settings on everybody's PC all the time to see whether they've been changed.

J1mbo, thanks for your thoughts and I agree with most of them but am still mystified how to stop unwanted apps on devices like iPods or Androids tablets running as they obviously don't use http URLs for connecting to their servers (I imagine). I guess even if I disable frankly.com or snapchat.com via OpenDNS, the Frankly and Snapchat iOS apps will still run?

Everything Internet works with DNS, regardless of whether it's an IOS App, a web page, or anything else. DNS is the phone book that translates host names to IP address. Have a look at this for snapchat for example.

Draytek routers support additional VLANs (sorry not sure about the router WiFi config as I've always deployed separate Access Points), but each of these can have separate DHCP options set, including DNS servers. A VLAN is a separate network - traffic between VLANs has to cross a routing device.

To keep things simple, you could enable VLANs on the Draytek (LAN/VLAN option) and set a particular physical Ethernet port of the Draytek router to be on LAN2 subnet. Then buy any WiFi access point (that isn't made by NetGear) and plug it in to that port. On the router, under LAN2 DHCP (LAN/General/LAN2/Details) set the DHCP servers to be OpenDNS, and on LAN1 set DNS servers to be Google. Next set up a new SSID on the new access point, and connect the devices to be filtered to that.

So it looks like this:

Draytek Router
+-> Built-in WiFi AP -> Unfiltered Wireless Clients (on LAN1)
+-> LAN2 subnet Ethernet port -> New Access Point -> Filtered Wireless Clients

Also - Draytek has a subscription based URL filtering solution I think that might do what you want.

Anyway, hope that helps!

Thanks J1mbo, this sounds like an option. It's a little out of my comfort zone, technically, but I will get my head round it somehow as I understand the thinking behind it.

Plenty of food for thought here, thank you all for your input - I will go away and put something together and report back for an update.

Great forum, thanks guys! Been a customer of Draytek for many years and currently use 16 of their routers in my business but none of them have ever needed this kind of granular filtering.

Users could just enter the IP address of an unsuitable site and bypass open dns altogether. I think global view with dns filter can prevent that.