How to limit stepson's usage of internet? New to OPNsense.

Started by thorneo, May 31, 2021, 10:26:50 AM

Subject line says it all. I have a stepson that hogs all the internet. I have limited internet now with satellite (only option right now) and I need to be able to use it but cannot. So I would very much like to limit his internet usage to a couple of hours at night; he has four devices on the network now. I was able to do this on IPFire and IPCop but not on OPNsense; the other two were easier than OPNsense. I need to learn OPNsense for my work, which is one reason I have it installed at home. I have OPNsense 21.1.5 installed, so can anyone help me with this???

Quote
So I would very much like to limit his internet usage to a couple of hours at night; he has four devices on the network now.

So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.


Create an alias named 'Kids' which contains all the IP addresses of the kid's devices (PCs, game consoles, ...)
Create a schedule named 'AccessDenied' with the denied timeframes
Create some rules on the firewall to block/reject any connection to/from 'Kids' during 'AccessDenied'


https://forum.netgate.com/topic/62073/internet-access-restricts-for-kids/5

That is what I need... :-* Thanks, I will try that.

Quote from: Sheldon on May 31, 2021, 03:07:58 PM
Quote
So I would very much like to limit his internet usage to a couple of hours at night; he has four devices on the network now.

So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.

That is what I need to do....

I did as instructed but he still has access to the net all the time. Can someone let me know what I'm doing wrong???

You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.

Quote from: Jimmy007 on June 03, 2021, 01:44:41 PM
You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.

He is behind the router. Some of his devices are wireless and some are wired.

Right after the cut-off time, check the logs and see if his IPs are active. If active, there's a flaw in your rules/config. If not active, my bet would be that he's using a neighbor's wifi or he's hotspotting from his cell phone. Maybe you have a cell hotspot left on by accident?

The kids are tech savvy; they brainstorm at school on how to get around us. They use web proxies to bypass Facebook/Instagram/Snapchat blocks. My experience was that if they were angry, I was a step ahead of them. If they weren't angry and were distracted, they had figured out a way past the firewall. One teenager dug out an old wifi router, plugged it into the spare port on the modem, and built his own private network... He was mad as a hornet when we figured it out and pulled the plug.

Most effective advice I received: all mobile comm devices have to be on the kitchen counter at 9pm. If you go that route, expect a real fight.

Good luck.

1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules to the top. Put the allow rule first, followed by the block rule.

Quote from: tanks on June 07, 2021, 12:38:24 PM
1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules to the top. Put the allow rule first, followed by the block rule.

Good advice in general.

However, depending on how crafty the users are, ideally you would need to use a switch with DHCP snooping and ARP inspection to prevent them from changing MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.

Another solution would be to use a separate VLAN and apply limits on the entire subnet.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: sorano on June 07, 2021, 03:20:56 PM
Quote from: tanks on June 07, 2021, 12:38:24 PM
1. Add a static IP address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices' IP addresses to Firewall>Aliases.
3. In Firewall>Settings>Schedules, add the time and day for allowed access.
4. In Firewall>Rules>LAN, add the rules to the top. Put the allow rule first, followed by the block rule.

Good advice in general.

However, depending on how crafty the users are, ideally you would need to use a switch with DHCP snooping and ARP inspection to prevent them from changing MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.

Another solution would be to use a separate VLAN and apply limits on the entire subnet.
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.

Quote from: cookiemonster on June 07, 2021, 04:55:19 PM
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.

Not totally sure what you mean with "force the clients to use the LAN".

If you mean that you have a list of MAC addresses and you only want to allow those specific MAC addresses to get a DHCP lease, then it could be done by using the option:

Deny unknown clients under DHCP config for that specific interface.

You will need to add the allowed MACs at the bottom under: DHCP Static Mappings for this interface.

However, that in itself will not prevent users from configuring a static IP on their device.

I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static MAC-IP binding you create). Then add a firewall rule that only accepts traffic from the IPs that you have configured statically.

I have not tested it but in theory it should work  ;)
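A defender-side check for the two workarounds discussed above (a device that changes its MAC, or one that self-assigns a static IP so the IP-based 'Kids' alias no longer matches it), written as an added example for this thread; it is not OPNsense code. The static mappings, alias, trusted MAC and the `arp -an` output are all constructed, and the FreeBSD arp line layout the regex expects is an assumption.

```python
"""Reconcile the LAN ARP table against the DHCP static mappings, flagging
devices that dodge an IP-based 'Kids' alias: a known MAC on a self-assigned
IP, an unknown MAC on the LAN, or a kid's reserved IP used by another MAC."""
import re

# Constructed data: Services > DHCPv4 > [LAN] static mappings and the alias
STATIC_MAPPINGS = {
    "aa:bb:cc:00:00:01": "192.168.1.101",  # kid's PC
    "aa:bb:cc:00:00:02": "192.168.1.102",  # game console
}
KIDS_ALIAS = {"192.168.1.101", "192.168.1.102"}
TRUSTED_MACS = {"00:0c:29:11:22:33"}  # the firewall's own LAN interface

# Constructed `arp -an` output in the shape FreeBSD prints (assumed layout)
SAMPLE_ARP = """\
? (192.168.1.101) at aa:bb:cc:00:00:01 on igb1 expires in 1187 seconds [ethernet]
? (192.168.1.250) at aa:bb:cc:00:00:02 on igb1 expires in 900 seconds [ethernet]
? (192.168.1.102) at de:ad:be:ef:00:03 on igb1 expires in 600 seconds [ethernet]
? (192.168.1.77) at (incomplete) on igb1 expired [ethernet]
? (192.168.1.1) at 00:0c:29:11:22:33 on igb1 permanent [ethernet]
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs; incomplete entries carry no MAC and are skipped."""
    return [(m["ip"], m["mac"].lower()) for m in ARP_RE.finditer(text)]

def find_anomalies(entries, mappings, alias, trusted_macs=frozenset()):
    """Return sorted (kind, ip, mac) findings for entries that break the policy."""
    expected_mac = {ip: mac for mac, ip in mappings.items()}
    findings = []
    for ip, mac in entries:
        if mac in trusted_macs:
            continue
        if mac in mappings and mappings[mac] != ip:
            # Known kid device on an address it was never leased: alias rules miss it
            findings.append(("static_ip_bypass", ip, mac))
        elif mac not in mappings:
            # 'Deny unknown clients' gave this MAC no lease: changed MAC or static config
            findings.append(("unknown_client", ip, mac))
        if ip in alias and expected_mac.get(ip) != mac:
            # Reserved kid IP answered by another MAC; static ARP would stop this pairing
            findings.append(("mac_mismatch", ip, mac))
    return sorted(findings)

if __name__ == "__main__":
    for kind, ip, mac in find_anomalies(parse_arp(SAMPLE_ARP), STATIC_MAPPINGS, KIDS_ALIAS, TRUSTED_MACS):
        print(f"{kind:18} {ip:16} {mac}")
```

Run it on the box right after the cut-off time; an empty result means every LAN host is on the address its mapping gave it.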

Quote from: sorano on June 07, 2021, 06:28:07 PM
Quote from: cookiemonster on June 07, 2021, 04:55:19 PM
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP only if in the allowed MAC list, in case there is no switch with DHCP snooping.

Not totally sure what you mean with "force the clients to use the LAN".

If you mean that you have a list of MAC addresses and you only want to allow those specific MAC addresses to get a DHCP lease, then it could be done by using the option:

Deny unknown clients under DHCP config for that specific interface.

You will need to add the allowed MACs at the bottom under: DHCP Static Mappings for this interface.

However, that in itself will not prevent users from configuring a static IP on their device.

I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static MAC-IP binding you create). Then add a firewall rule that only accepts traffic from the IPs that you have configured statically.

I have not tested it but in theory it should work  ;)
Or create an alias with MAC addresses for the firewall block rule.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Don't current iOS mobile devices randomize MAC addresses to prevent tracking? It can be disabled by the user for home networks, but then can also be re-enabled by the user. No idea about Android... guessing the same.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT