Since ARP spoofing is an attack at L2, OPNsense would behave perfectly correctly by preventing it (if it does). That should imho not be supported. If you want to filter the client traffic, you can do so on OPNsense itself.
Hi -- I have a Mycircle device. It's a parental controls device -- it connects to WIFI, and then uses ARP spoofing to "become" the default route so it can see who's talking to whom. Based on client MAC (which can be grouped under profiles -- in our case per kid, so the teenager has different filters than the 9 year old), it can filter access to specific sites, or block all access, and it's controlled by a simple app. ((As an aside, I absolutely hate this device -- I would love it if OPNsense did this, I'd even pay for it.)) I have a separate "Kids" VLAN that has the Circle; the regular VLAN doesn't...

The device hasn't been working, and support is saying it isn't their fault, it must be the firewall preventing ARP spoofing. They say it's designed to work with a normal network, not an enterprise network (their words). I haven't changed anything on the firewall in a long time, but I *HAVE* kept up on firmware updates. In fact I just upgraded to 21.7.2.

My question is... Did something change in the last, let's say, 6 months, that would affect this? Is OPNsense now able to detect ARP spoofing / IP takeover, and somehow prevent it? Can I disable that on a per-interface basis?

Many thanks,
-msturtz-
OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it’s worth it).
Quote from: athurdent on September 10, 2021, 06:45:43 pm
OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it’s worth it).

Unless there's something I don't understand, and that very well may be the case, Sensei is security and threat prevention, which is great, and brings OPNsense up to par with the big commercial players. But it's not parental controls. I need to enforce off-time for specific users (which I can pre-define by MAC address), with an easy way to grant additional time. I need to enforce basic content filters, again for specific users (so one kid can use Facebook, but the other can't). The Circle device accomplishes both of these and more, beautifully -- until it quit working.
Sensei policies are not that granular, since you are limited to 3 policies on the paid home model. So basically, allowing Facebook for 1 kid and blocking it for another, you have already wasted 2 of 3 policies. It's the biggest flaw of Sensei really, and I'm forced to use one and the same policy for all my kids.
OP, you don't give much information about what's wrong with "it's not working". What exactly isn't working? I'll take a wild guess and say that the Mycircle isn't blocking the traffic like it is supposed to? Have you done any troubleshooting? I would start by checking the ARP table from a device on the kids VLAN to see if the Mycircle is doing its MITM as it's supposed to. If it is, you should see the MAC of the Mycircle on the default gateway.
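The ARP-table check suggested above, as an added example that is not from this thread: it parses `ip neigh show` output from a Linux host on the kids VLAN, reports whether the gateway IP resolves to a MAC other than the router's real one, and lists any MAC that answers for several IPs (what an ARP-based MITM box looks like in the table). The sample output, the subnet 192.168.20.0/24 and both MAC addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `ip neigh show` output (not real data): the gateway
# 192.168.20.1 resolves to the same MAC as the host at 192.168.20.50, which
# is the footprint of a device that has spoofed its way into the default route.
SAMPLE_NEIGH = """\
192.168.20.1 dev eth0 lladdr 02:aa:bb:cc:dd:50 REACHABLE
192.168.20.50 dev eth0 lladdr 02:aa:bb:cc:dd:50 REACHABLE
192.168.20.77 dev eth0 lladdr 02:11:22:33:44:77 STALE
192.168.20.99 dev eth0 FAILED
"""

# Assumed (constructed) MAC of the OPNsense VLAN interface; record it from
# the firewall itself while the LAN is known-good, not from a client's cache.
EXPECTED_GATEWAY_MAC = "02:00:00:00:00:01"

LINE_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.IGNORECASE)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def gateway_is_hijacked(table: Dict[str, str], gateway_ip: str, expected_mac: str) -> bool:
    """True when the gateway IP maps to a MAC other than the router's own (or is missing)."""
    return table.get(gateway_ip, "") != expected_mac.lower()


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs claiming more than one IP: a classic sign of ARP poisoning on the segment."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    t = parse_neigh(SAMPLE_NEIGH)
    print("gateway hijacked:", gateway_is_hijacked(t, "192.168.20.1", EXPECTED_GATEWAY_MAC))
    print("MACs answering for several IPs:", shared_macs(t))
```

On the real VLAN, "hijacked" is the expected result while the Circle is working; the MAC it shows is then the one to compare against the device's label.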
While OPNsense does have client traffic filtering it's not enough. I tried Sensei and honestly it looks cool but I found it difficult to get detailed data whenever I had an issue (ex: something being blocked that shouldn't be, or not being blocked) and it's just too limiting.
My approach differs from yours though, it is not to technically limit the kids time on something, but to protect them from evil. ATM, the classic approach that also worked OK for my TV time back when I was young, as in talking & agreeing with the kids upon times they can use their gear, seems to do well here so far for my 8 & 13 y/o. I might be forced to change my mind at some point but so far I still believe in the social approach vs. the technical one.
What a load of hypocritical bs. It's very obvious that he is doing both and that he obviously put a lot of effort into researching different solutions that fit his needs. Tell me, why are you not using the social approach to "protect them from evil"? And how well does your current solution work when they bring their devices away from home?
Away from home, the ARP-based LAN solution depending on extra hardware is probably not going to work that fine either… but then again I seem to be into hypocritical bs, what do I know, right? 😉
3 is probably not enough, unless I can enable it only for a specific interface... I have a separate VLAN for kids, ostensibly because I don't want MY stuff going through the Circle. :-)
After a factory reset of the device and the management app and repeating the initial setup, it gets as far as connecting the device to WIFI, and then the app can't find it, which has to happen before it can actually do anything. The AP shows it connected, and DHCP is giving it an IP. But the app can't find it.

Their support says it must be because the firewall is preventing ARP spoofing. I don't know how that could even happen; the firewall can't block ARP packets at Layer 2... The AP or switch potentially could, but those haven't changed in literally years (both are long since out of support). They said the product is designed for a "simple home network", and won't work with an "enterprise firewall". They also say the device is old and support isn't guaranteed. To which I replied, either support it or call it end-of-life and tell me to buy a new one! And I received back pre-canned instructions to factory reset the device and the app, reboot my modem, and try again... Which I've done several times...

I'd be good with a replacement solution, but haven't found one I like. I need easy app control over time limits (including extensions / rewards) on a per-kid basis. That's the most important at this point...