how to limit stepson's usage of internet? new to opsense.

[thorneo]

Subject line say's it al.. I have a stepson that hogs all the internet . I have limited internet now with satellite (only option right now) and I need to be able to use it but can not. So I would very much like to limit his internet usage to a couple of hours at night he has four devices on the network now. Was able to do this on ipfire and ipcop but not on opnsense the other two it was more easier than opnsense. I need to learn opnsense for my work that is one reason I have it installed at my home. I have opnsense 21.1.5 installed so can anyone help me with this???

[Sheldon]

So I would very much like to limit his internet usage to a couple of hours at night he has four devices on the network now.

So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.

[Superduke]

Create an alias named 'Kids' wich contains all the IP adresses of kid's devices (PCs, game consoles, …)
Create a schedule named 'AccessDenied' with the denied timeframes
Create some rules on the firewall to block/reject any connection to/from 'Kids' during 'AccessDenied'


https://forum.netgate.com/topic/62073/internet-access-restricts-for-kids/5

[thorneo]

That is what I need ......... Thanks I will try that..

[thorneo]

So I would very much like to limit his internet usage to a couple of hours at night he has four devices on the network now.

So you want something like a schedule?
From 02:00 to 05:59 full access.
From 06:00 to 01:59 no access.

That is what I need to do....

[thorneo]

I did as instructed but he still has access to net all the time.. Can somone let me know what I'm doing wrong???

[Jimmy007]

You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.

[thorneo]

You may need to check how he is connecting - Is he on an access point behind the OPNsense box, or, is he connected to the ONT (i.e. the ISP's modem) direct. If the latter he has bypassed the OPNsense restrictions.

he is behind the router. some of his devices are wireless and some wired connected.

[LouieLouie]

Right after the cut-off time, check the logs and see if his IP's are active.  If active, there's a flaw in your rules/config.  If not active, my bets would be that he's using a neighbors wifi or he's hotspotting from his cell phone.  Maybe you have a cell hotspot left on by accident?

The kids are tech savvy, they brainstorm at school on how to get around us.  They use web proxies to bypass facebook/instagram/snapshat blocks.  My experience was that if they were angry, I was a step ahead of them.  If they weren't angry and were distracted, they had figured out a way past the firewall.  One teenager dug out an old wifi router, plugged it into the spare port on the modem, and built his own private network...  was mad as a hornet when we figured it out and pulled the plug. 

Most effective advice I received:  all mobile comm devices have to be on the kitchen counter at 9pm.  If you go that route, expect a real fight.

Good luck.

[tanks]

1. Add static IP Address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices IP Address to Firewall>Aliases.
3. In Firewall>Settiings>Schedules, add the time and day for allow access.
4. In Firewall>Rules>Lan, add the rules to the top. Put allow rule then follow by block rule.

[sorano]

1. Add static IP Address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices IP Address to Firewall>Aliases.
3. In Firewall>Settiings>Schedules, add the time and day for allow access.
4. In Firewall>Rules>Lan, add the rules to the top. Put allow rule then follow by block rule.

Good advice in general.

However, depending on how crafty the users are ideally you would need to use a switch with DHCP-snooping and ARP inspection to prevent them from changing MAC or configuring static IP's to work around the limitations on the dynamically allocated ones.

Another solution would be to used a separate VLAN and apply limits on the entire subnet.

[cookiemonster]

1. Add static IP Address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices IP Address to Firewall>Aliases.
3. In Firewall>Settiings>Schedules, add the time and day for allow access.
4. In Firewall>Rules>Lan, add the rules to the top. Put allow rule then follow by block rule.

Good advice in general.

However, depending on how crafty the users are ideally you would need to use a switch with DHCP-snooping and ARP inspection to prevent them from changing MAC or configuring static IP's to work around the limitations on the dynamically allocated ones.

Another solution would be to used a separate VLAN and apply limits on the entire subnet.

I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN ?. I.e get an ip if in the allowed MAC list only, in case there is no switch with DHCP-snooping.

[sorano]

I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN ?. I.e get an ip if in the allowed MAC list only, in case there is no switch with DHCP-snooping.

Not totally sure what you mean with "force the clients to use the LAN".

If you mean that you have a list of MAC addresses and you only want to allow those specific MAC adresses to get a DHCP lease then it could be done by using the option:

Deny unknown clients under DHCP config for that specific interface.

You will need to add the allowed MAC's at the bottom under: DHCP Static Mappings for this interface.

However, that in itself will not prevent users from configuring a static IP on their device.

I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static mac - ip binding you create). Then add a firewall rule that only accepts traffic from the IP's that you have configured statically.

I have not tested it but in theory it should work 

[lfirewall1243]

I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN ?. I.e get an ip if in the allowed MAC list only, in case there is no switch with DHCP-snooping.

Not totally sure what you mean with "force the clients to use the LAN".

If you mean that you have a list of MAC addresses and you only want to allow those specific MAC adresses to get a DHCP lease then it could be done by using the option:

Deny unknown clients under DHCP config for that specific interface.

You will need to add the allowed MAC's at the bottom under: DHCP Static Mappings for this interface.

However, that in itself will not prevent users from configuring a static IP on their device.

I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static mac - ip binding you create). Then add a firewall rule that only accepts traffic from the IP's that you have configured statically.

I have not tested it but in theory it should work 

Or create a alias with mac adresses for the firewall block rule

[gpb]

Don't current iOS mobile devices randomize MAC addresses to prevent tracking?  It can be disabled by the user for home networks, but then can also be re-enabled by the user.  No idea about android...guessing same.