Subject line says it all.. I have a stepson that hogs all the internet. I have limited internet now with satellite (only option right now) and I need to be able to use it but cannot. So I would very much like to limit his internet usage to a couple of hours at night; he has four devices on the network now. Was able to do this on ipfire and ipcop but not on opnsense; the other two were easier than opnsense. I need to learn opnsense for my work, which is one reason I have it installed at my home. I have opnsense 21.1.5 installed, so can anyone help me with this???
Quote
So I would very much like to limit his internet usage to a couple of hours at night he has four devices on the network now.
So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.
Create an alias named 'Kids' which contains all the IP addresses of the kid's devices (PCs, game consoles, ...)
Create a schedule named 'AccessDenied' with the denied timeframes
Create some rules on the firewall to block/reject any connection to/from 'Kids' during 'AccessDenied'
https://forum.netgate.com/topic/62073/internet-access-restricts-for-kids/5
That is what I need ......... :-* Thanks, I will try that..
Quote from: Sheldon on May 31, 2021, 03:07:58 PM
Quote
So I would very much like to limit his internet usage to a couple of hours at night he has four devices on the network now.
So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.
That is what I need to do....
I did as instructed but he still has access to the net all the time.. Can someone let me know what I'm doing wrong???
You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.
Quote from: Jimmy007 on June 03, 2021, 01:44:41 PM
You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.
He is behind the router. Some of his devices are wireless and some are wired.
Right after the cut-off time, check the logs and see if his IPs are active. If active, there's a flaw in your rules/config. If not active, my bet would be that he's using a neighbor's wifi or he's hotspotting from his cell phone. Maybe you have a cell hotspot left on by accident?
The kids are tech savvy; they brainstorm at school on how to get around us. They use web proxies to bypass Facebook/Instagram/Snapchat blocks. My experience was that if they were angry, I was a step ahead of them. If they weren't angry and were distracted, they had figured out a way past the firewall. One teenager dug out an old wifi router, plugged it into the spare port on the modem, and built his own private network... was mad as a hornet when we figured it out and pulled the plug.
Most effective advice I received: all mobile comm devices have to be on the kitchen counter at 9pm. If you go that route, expect a real fight.
Good luck.
1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules at the top. Put the allow rule first, followed by the block rule.
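To show why the order of the allow and block rules in step 4 matters, and how a night-time window that crosses midnight is evaluated, here is a small Python simulation of first-match rule evaluation with a scheduled rule. It is an added example, not OPNsense code; the 'Kids' addresses, the schedule names and the rule tuples are constructed for illustration.

```python
from datetime import time
from ipaddress import ip_address

# Constructed sample alias 'Kids': four hypothetical LAN addresses taken from static DHCP mappings.
KIDS = {ip_address(a) for a in ("192.168.1.50", "192.168.1.51", "192.168.1.52", "192.168.1.53")}

# Schedules as (start, end) clock ranges; an end earlier than its start means the range wraps past midnight.
ALLOWED = (time(2, 0), time(5, 59))   # 'AccessAllowed': the couple of hours at night
DENIED = (time(6, 0), time(1, 59))    # 'AccessDenied': its complement, crossing midnight

def schedule_active(window, hhmm):
    """True when clock time 'HH:MM' falls inside the window (inclusive), handling the midnight wrap."""
    start, end = window
    t = time.fromisoformat(hhmm)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

# A rule is (action, source alias or None for any source, schedule or None for always active).
RULES_ALLOW_THEN_BLOCK = [
    ("pass", KIDS, ALLOWED),   # let Kids out only while the allowed window is active
    ("block", KIDS, None),     # at all other times block Kids outright
    ("pass", None, None),      # default LAN rule for every other host
]
# The same three rules with block placed above allow: the allow rule can never be reached.
RULES_WRONG_ORDER = [RULES_ALLOW_THEN_BLOCK[1], RULES_ALLOW_THEN_BLOCK[0], RULES_ALLOW_THEN_BLOCK[2]]

def decide(rules, src, hhmm):
    """First-match evaluation: a scheduled rule only participates while its schedule is active."""
    src = ip_address(src)
    for action, alias, window in rules:
        if alias is not None and src not in alias:
            continue
        if window is not None and not schedule_active(window, hhmm):
            continue
        return action
    return "block"  # nothing matched: implicit default deny

if __name__ == "__main__":
    for clock in ("03:00", "23:00", "00:30"):
        print(clock, "kid:", decide(RULES_ALLOW_THEN_BLOCK, "192.168.1.50", clock),
              "| kid, wrong order:", decide(RULES_WRONG_ORDER, "192.168.1.50", clock),
              "| other host:", decide(RULES_ALLOW_THEN_BLOCK, "192.168.1.10", clock))
```

The 00:30 case is the one to check after configuring the real firewall: it sits inside the denied range even though the clock has already passed midnight.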
Quote from: tanks on June 07, 2021, 12:38:24 PM
1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules at the top. Put the allow rule first, followed by the block rule.
Good advice in general.
However, depending on how crafty the users are, ideally you would need to use a switch with DHCP snooping and ARP inspection to prevent them from changing their MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.
Another solution would be to use a separate VLAN and apply limits on the entire subnet.
Quote from: sorano on June 07, 2021, 03:20:56 PM
Quote from: tanks on June 07, 2021, 12:38:24 PM
1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules at the top. Put the allow rule first, followed by the block rule.
Good advice in general.
However, depending on how crafty the users are, ideally you would need to use a switch with DHCP snooping and ARP inspection to prevent them from changing their MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.
Another solution would be to use a separate VLAN and apply limits on the entire subnet.
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.
Quote from: cookiemonster on June 07, 2021, 04:55:19 PM
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.
Not totally sure what you mean with "force the clients to use the LAN".
If you mean that you have a list of MAC addresses and you only want to allow those specific MAC addresses to get a DHCP lease, then it could be done by using the option:
Deny unknown clients under the DHCP config for that specific interface.
You will need to add the allowed MACs at the bottom under: DHCP Static Mappings for this interface.
However, that in itself will not prevent users from configuring a static IP on their device.
I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static MAC - IP binding you create). Then add a firewall rule that only accepts traffic from the IPs that you have configured statically.
I have not tested it but in theory it should work ;)
Quote from: sorano on June 07, 2021, 06:28:07 PM
Quote from: cookiemonster on June 07, 2021, 04:55:19 PM
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.
Not totally sure what you mean with "force the clients to use the LAN".
If you mean that you have a list of MAC addresses and you only want to allow those specific MAC addresses to get a DHCP lease, then it could be done by using the option:
Deny unknown clients under the DHCP config for that specific interface.
You will need to add the allowed MACs at the bottom under: DHCP Static Mappings for this interface.
However, that in itself will not prevent users from configuring a static IP on their device.
I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static MAC - IP binding you create). Then add a firewall rule that only accepts traffic from the IPs that you have configured statically.
I have not tested it but in theory it should work ;)
Or create an alias with MAC addresses for the firewall block rule
Don't current iOS mobile devices randomize MAC addresses to prevent tracking? It can be disabled by the user for home networks, but then can also be re-enabled by the user. No idea about android...guessing same.
Quote
Good advice in general.
However, depending on how crafty the users are, ideally you would need to use a switch with DHCP snooping and ARP inspection to prevent them from changing their MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.
Another solution would be to use a separate VLAN and apply limits on the entire subnet.
Works for me so far. I had not thought of that; not a network expert though.
Hi. Good ideas that the OP and I could use to try. Thanks.
Quote from: gpb on June 08, 2021, 12:46:37 AM
Don't current iOS mobile devices randomize MAC addresses to prevent tracking? It can be disabled by the user for home networks, but then can also be re-enabled by the user. No idea about android...guessing same.
That is true, but it can be switched off per network in the iOS device.
Go with the suggestion above:
Deny unknown clients. If he does not switch the random MAC address feature off, he will never get an IP address assigned, even during allowed time slots.
I still can not get this to work..
It would be useful to know what you tried and how things are set up at the moment in your network.
The other way to do this is to use a deny-all rule and then whitelist the devices that you need to access the Internet. This gets away from the changing MAC address that mobile devices use to "protect your privacy".
Of course, if he learns to spoof a MAC address with a whitelisted device!