MyCircle parental controls -- arp spoofing

Started by msturtz, September 09, 2021, 11:16:05 PM

Hi--

I have a Mycircle device.  It's a parental controls device -- it connects to WIFI, and then uses arp spoofing to "become" the default route so it can see who's talking to who.  Based on client MAC (which can be grouped up under profiles -- in our case per kid, so the teenager has different filters than the 9 year old), it can filter access to specific sites, or block all access, and it's controlled by a simple app.   ((as an aside, I absolutely hate this device -- I would love it if OPNsense did this, I'd even pay for it))  I have a separate "Kids" VLAN that has the Circle, the regular VLAN doesn't...

The device hasn't been working, and support is saying it isn't their fault, it must be the firewall preventing arp spoofing.  They say it's designed to work with a normal network, not an enterprise network (their words).

I haven't changed anything on the firewall in a long time, but I *HAVE* kept up on firmware updates.  In fact I just upgraded to 21.7.2.

My question is...  Did something change in the last, let's say, 6 months, that would affect this?  Is OPNsense now able to detect an arp spoofing / IP takeover, and somehow prevent it?  Can I disable that on a per interface basis?

Many thanks,

-msturtz-

Since ARP spoofing is an attack in L2, OPNsense would behave perfectly correctly by preventing it (if it does).

That should imho not be supported. If you want to filter the client traffic, you can do so on OPNsense itself.

Quote from: fabian on September 10, 2021, 06:47:31 AM
Since ARP spoofing is an attack in L2, OPNsense would behave perfectly correctly by preventing it (if it does).

That should imho not be supported. If you want to filter the client traffic, you can do so on OPNsense itself.

I get it.  Generally you don't want arp spoofing happening on the network.  But it's a fact of life in a public WI-FI -- someone at a Starbucks should assume their packets are being intercepted, and must rely on universal end-to-end encryption.  There's really no other option.

In my case, this is arp spoofing by design.

Quote from: msturtz on September 09, 2021, 11:16:05 PM
Hi--

I have a Mycircle device.  It's a parental controls device -- it connects to WIFI, and then uses arp spoofing to "become" the default route so it can see who's talking to who.  Based on client MAC (which can be grouped up under profiles -- in our case per kid, so the teenager has different filters than the 9 year old), it can filter access to specific sites, or block all access, and it's controlled by a simple app.   ((as an aside, I absolutely hate this device -- I would love it if OPNsense did this, I'd even pay for it))  I have a separate "Kids" VLAN that has the Circle, the regular VLAN doesn't...

The device hasn't been working, and support is saying it isn't their fault, it must be the firewall preventing arp spoofing.  They say it's designed to work with a normal network, not an enterprise network (their words).

I haven't changed anything on the firewall in a long time, but I *HAVE* kept up on firmware updates.  In fact I just upgraded to 21.7.2.

My question is...  Did something change in the last, let's say, 6 months, that would affect this?  Is OPNsense now able to detect an arp spoofing / IP takeover, and somehow prevent it?  Can I disable that on a per interface basis?

Many thanks,

-msturtz-

OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it's worth it).

Quote from: athurdent on September 10, 2021, 06:45:43 PM
OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it's worth it).

Unless there's something I don't understand, and that very well may be the case, Sensei is security and threat-prevention, which is great, and brings OPNsense up to par with the big commercial players.  But it's not parental controls.  I need to enforce off-time for specific users (which I can pre-define by MAC address), with an easy way to grant additional time.  I need to enforce basic content filters, again for specific users (so one kid can use Facebook, but the other can't).  The Circle device accomplishes both of these and more, beautifully -- until it quit working  >:(

Quote from: msturtz on September 10, 2021, 06:53:41 PM
Quote from: athurdent on September 10, 2021, 06:45:43 PM
OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it's worth it).

Unless there's something I don't understand, and that very well may be the case, Sensei is security and threat-prevention, which is great, and brings OPNsense up to par with the big commercial players.  But it's not parental controls.  I need to enforce off-time for specific users (which I can pre-define by MAC address), with an easy way to grant additional time.  I need to enforce basic content filters, again for specific users (so one kid can use Facebook, but the other can't).  The Circle device accomplishes both of these and more, beautifully -- until it quit working  >:(

Sensei has pretty fine grained application and web filters, including adult, proxy, DoH etc. Try it, it's free.
If you really need scheduling, you can set up firewall rule scheduling on top.

September 10, 2021, 08:39:28 PM #6 Last Edit: September 10, 2021, 08:42:46 PM by sorano
Nah.

Sensei policies are not that granular since you are limited to 3 policies on the paid home model. So basically, by allowing Facebook for 1 kid and blocking it for another you've already wasted 2 of 3 policies.

It's the biggest flaw of sensei really and I'm forced to use one and the same policy for all my kids.

But that discussion is off topic.

OP, you don't give much information about what's wrong with the "it's not working". What exactly isn't working?
I'll take a wild guess and say that the mycircle isn't blocking the traffic like it is supposed to?

Have you done any troubleshooting? I would start by checking the ARP table from a device on the kids vlan to see if the mycircle is doing its MITM as it's supposed to. If it is, you should see the MAC of the mycircle on the default gateway.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left
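The ARP-table check suggested above, as an added example that is not part of the thread: it parses `arp -an` output captured on a client in the kids VLAN and reports whether the default gateway's IP currently resolves to the firewall's real MAC or to the Circle's MAC. It also goes one step further than the post and flags any other IP that shares the gateway's MAC, which reveals an ARP takeover even when the spoofing device's MAC is not known up front. All IPs and MACs are constructed placeholders, not values from the thread.

```python
"""Check a client's ARP table for the MyCircle-style gateway takeover.

Assumptions (constructed, not from the thread): the kids VLAN is
192.168.20.0/24, OPNsense answers on 192.168.20.1 with MAC
00:11:22:33:44:55, and the Circle box got 192.168.20.23 via DHCP with
MAC 66:77:88:99:aa:bb. Run `arp -an` on a client and feed the text in.
"""
import re

GATEWAY_IP = "192.168.20.1"          # assumed OPNsense address on the kids VLAN
OPNSENSE_MAC = "00:11:22:33:44:55"   # assumed real MAC of that OPNsense interface
CIRCLE_MAC = "66:77:88:99:aa:bb"     # assumed Circle MAC, as seen in the AP's client list

# Constructed sample: what `arp -an` prints on a Linux client while the
# Circle is NOT intercepting (gateway still maps to the firewall's MAC).
ARP_NORMAL = """\
? (192.168.20.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.20.23) at 66:77:88:99:aa:bb [ether] on wlan0
? (192.168.20.50) at <incomplete> on wlan0
"""

# Constructed sample while the Circle IS intercepting: the gateway IP now
# carries the Circle's MAC, so two IPs share one MAC.
ARP_MITM = ARP_NORMAL.replace(
    "(192.168.20.1) at 00:11:22:33:44:55", "(192.168.20.1) at 66:77:88:99:aa:bb")

# Linux/BSD `arp -an` entry: "? (IP) at MAC [ether] on IFACE"; incomplete
# entries have "<incomplete>" instead of a MAC and are skipped.
_ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(output):
    """Return {ip: mac} (MACs lower-cased) for every complete entry."""
    table = {}
    for line in output.splitlines():
        m = _ARP_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def gateway_status(table, gateway_ip=GATEWAY_IP, firewall_mac=OPNSENSE_MAC,
                   circle_mac=CIRCLE_MAC):
    """Classify who currently answers ARP for the default gateway."""
    mac = table.get(gateway_ip)
    if mac is None:
        return "no-entry"               # client never resolved the gateway
    if mac == circle_mac.lower():
        return "circle-mitm-active"     # the Circle's takeover is working
    if mac == firewall_mac.lower():
        return "direct-to-firewall"     # no interception in effect
    return "unexpected-mac"             # something else answered; investigate


def ips_sharing_gateway_mac(table, gateway_ip=GATEWAY_IP):
    """Other IPs whose MAC equals the gateway's MAC; non-empty means a takeover."""
    gw_mac = table.get(gateway_ip)
    return sorted(ip for ip, mac in table.items() if ip != gateway_ip and mac == gw_mac)
```

Compare the result from a kids-VLAN client with one from the regular VLAN: only the former should ever report `circle-mitm-active`.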

September 10, 2021, 09:23:41 PM #7 Last Edit: September 10, 2021, 09:26:15 PM by msturtz
Quote from: sorano on September 10, 2021, 08:39:28 PM
Sensei policies are not that granular since you are limited to 3 policies on the paid home model. So basically, by allowing Facebook for 1 kid and blocking it for another you've already wasted 2 of 3 policies.

It's the biggest flaw of sensei really and I'm forced to use one and the same policy for all my kids.
3 is probably not enough, unless I can enable it only for a specific interface...  I have a separate VLAN for kids, ostensibly because I don't want MY stuff going through the Circle.  :-)

Quote from: sorano on September 10, 2021, 08:39:28 PM
OP, you don't give much information about what's wrong with the "it's not working". What exactly isn't working?
I'll take a wild guess and say that the mycircle isn't blocking the traffic like it is supposed to?

Have you done any troubleshooting? I would start by checking the ARP table from a device on the kids vlan to see if the mycircle is doing its MITM as it's supposed to. If it is, you should see the MAC of the mycircle on the default gateway.
After a factory reset of the device and the management app and repeating the initial setup, it gets as far as connecting the device to WIFI, and then the app can't find it, which has to happen before it can actually do anything.  The AP shows it connected, and DHCP is giving it an IP.  But the app can't find it.

Their support says it must be because the firewall is preventing arp spoofing.  I don't know how that could even happen, the firewall can't block arp packets at Layer-2...  The AP or switch potentially could, but those haven't changed in literally years (both are long-since out of support).  They said the product is designed for "simple home network", and won't work with "enterprise firewall".

They also say the device is old and support isn't guaranteed.  To which I replied, either support it or call it end-of-life and tell me to buy a new one!  And I received back pre-canned instructions to factory reset the device and the app, reboot my modem, and try again...  Which I've done several times...   :o

I'd be good with a replacement solution, but haven't found one I like.  I need easy app control over time limits (including extensions / rewards) on a per kid basis.  That's the most important at this point...

September 10, 2021, 09:58:12 PM #8 Last Edit: September 10, 2021, 10:07:57 PM by Nnyan
I used one of those for almost a year and it was overall pretty good.  It will impact your performance once you get above around 500Mbps and there was a bit of a "delay" before changes became active.  BUT the arp spoofing could introduce weird issues on your network.  I eventually did move away.

While OPNsense does have client traffic filtering it's not enough.  I tried Sensei and honestly it looks cool but I found it difficult to get detailed data whenever I had an issue (ex:  something being blocked that shouldn't be, or not being blocked) and it's just too limiting.

After trying SafeDNS, DNSfilter, OpenDNS, Cloudflare for Teams, ADGuard and piHole I ended up with NextDNS.  Just the right balance of ease of use and features.  Cost is dirt cheap.  Much easier to use IMHO than Sensei.
That with Screentime and Bark.us and I'm covered.

I will say that Netgear has some options with a "lite" version of Circle.  I found that implementation a bit hokey but YMMV. 

I just upgraded my NAS to an 8 bay Synology and I found that their routers have "Safe Access".  I haven't tried this out yet but it looks promising. 

Also some of the Firewalla devices have a version of the arp spoofing built in and while I haven't used it myself I know a few friends that have with good success.

Quote from: Nnyan on September 10, 2021, 09:58:12 PM

While OPNsense does have client traffic filtering it's not enough.  I tried Sensei and honestly it looks cool but I found it difficult to get detailed data whenever I had an issue (ex:  something being blocked that shouldn't be, or not being blocked) and it's just too limiting.


The home edition comes with a blocked session explorer and a live security events monitor, so debugging problems is quite easy there.

My approach differs from yours though, it is not to technically limit the kids time on something, but to protect them from evil. ATM, the classic approach that also worked OK for my TV time back when I was young, as in talking & agreeing with the kids upon times they can use their gear, seems to do well here so far for my 8 & 13 y/o. I might be forced to change my mind at some point but so far I still believe in the social approach vs. the technical one.

Quote from: athurdent on September 11, 2021, 09:47:57 AM
My approach differs from yours though, it is not to technically limit the kids time on something, but to protect them from evil. ATM, the classic approach that also worked OK for my TV time back when I was young, as in talking & agreeing with the kids upon times they can use their gear, seems to do well here so far for my 8 & 13 y/o. I might be forced to change my mind at some point but so far I still believe in the social approach vs. the technical one.

What a load of hypocritical bs.  ::)

It's very obvious that he is doing both and that he obviously put a lot of effort into researching different solutions that fit his needs.

Tell me, why are you not using the social approach to "protect them from evil"?
And how well does your current solution work when they bring their devices away from home?

Quote from: sorano on September 11, 2021, 10:54:19 AM
What a load of hypocritical bs.  ::)

It's very obvious that he is doing both and that he obviously put a lot of effort into researching different solutions that fit his needs.

Tell me, why are you not using the social approach to "protect them from evil"?
And how well does your current solution work when they bring their devices away from home?

Well, malware has many faces. While I do tell them how to recognize malicious acts, it seems to be a good idea to also filter malicious content at firewall level.

Away from home, the ARP-based LAN solution depending on extra hardware is probably not going to work that fine either... but then again I seem to be into hypocritical bs, what do I know, right? 😉

Their gear is set up to also leverage the built in youth protection, so that might have some effect when they are away.

However, I am out of here now. Too much hostility against alternative opinions in this thread. Have a nice weekend anyways. 😊

Quote from: athurdent on September 11, 2021, 11:12:24 AM
Away from home, the ARP-based LAN solution depending on extra hardware is probably not going to work that fine either... but then again I seem to be into hypocritical bs, what do I know, right? 😉

Yeah, you said it. You don't know; ignorance is not an excuse in my book though.

Since the solutions that NNyan ended up with are all software based per device I'm pretty sure they work wherever.

Quote from: msturtz on September 10, 2021, 09:23:41 PM
3 is probably not enough, unless I can enable it only for a specific interface...  I have a separate VLAN for kids, ostensibly because I don't want MY stuff going through the Circle.  :-)

You can define policies per interface, that is what I'm doing. 1 Kids policy for all devices in the kids vlan and the Kids SSID mapped to that vlan.

Quote from: msturtz on September 10, 2021, 09:23:41 PM
After a factory reset of the device and the management app and repeating the initial setup, it gets as far as connecting the device to WIFI, and then the app can't find it, which has to happen before it can actually do anything.  The AP shows it connected, and DHCP is giving it an IP.  But the app can't find it.

Their support says it must be because the firewall is preventing arp spoofing.  I don't know how that could even happen, the firewall can't block arp packets at Layer-2...  The AP or switch potentially could, but those haven't changed in literally years (both are long-since out of support).  They said the product is designed for "simple home network", and won't work with "enterprise firewall".

They also say the device is old and support isn't guaranteed.  To which I replied, either support it or call it end-of-life and tell me to buy a new one!  And I received back pre-canned instructions to factory reset the device and the app, reboot my modem, and try again...  Which I've done several times...   :o

I'd be good with a replacement solution, but haven't found one I like.  I need easy app control over time limits (including extensions / rewards) on a per kid basis.  That's the most important at this point...

Do you know how the app is supposed to find the circle device? Broadcast?
Might be a dumb question, but do you connect the device that you use for configuration to the same Kids SSID/VLAN after you've configured the circle to join it? Just making sure that you don't keep your own device on another vlan and by doing that the broadcasts never reach the circle.

What happens if you use static DHCP leases for the clients and assign the circle as default gateway for them? That would "simulate" the effect of the circle doing MITM.

Quote from: msturtz on September 10, 2021, 09:23:41 PM
After a factory reset of the device and the management app and repeating the initial setup, it gets as far as connecting the device to WIFI, and then the app can't find it, which has to happen before it can actually do anything.  The AP shows it connected, and DHCP is giving it an IP.  But the app can't find it.

A few things I would take a look at.
The FAQ says that you should not connect the device to WiFi but use a wired connection. This makes sense, because the speed of the kids' internet will then depend on the WiFi connection of the device, and it will also generally take up WiFi airtime by pushing the kids' traffic back and forth again through WiFi, which you could avoid by connecting it wired.
If you are using a UniFi AP, make sure to turn off "High Performance Devices" in the SSID settings and Auto-Optimize Network (which would enable the aforementioned option). I guess the box might only do 2.4G, and if it was pushed to 5G erroneously, it would lose its connection.
In general, an upgrade of your AP's firmware might have caused ARP spoofing to be handled differently, so you could also take a look there, if you depend on connecting the device to WiFi.

The problems reaching the MyCircle box after connecting it to WiFi could be caused by your phone living in the parent's IP network and not in the same network as the kids. Try to connect to the kid's SSID to see if the app is working then.