Setup for children protection

Started by deuch, June 04, 2023, 10:50:33 AM

Hello all,

I'm new to OPNsense and I will receive my hardware (N5105/8Gb RAM, 256GB SSD with 4 I226v) in a few days and I've got some questions about my future setup.

I've an internet fiber connection at home with an ONT. OPNsense will replace my actual modem and will act as router.
I've got an Asus XT8 Wifi router that will act as Access Point only. I have many Ethernet devices connected to multiple switches too.

The idea of what I want to achieve:

- 1 WAN for internet
- 1 LAN for the rest (of course  :))

I would like to cut the LAN subnet into 3 parts, let's say:

- 192.168.1.2 -> 192.168.1.30 -> Fixed IPs for NAS and fixed stuff (computer etc ...)
- 192.168.1.31 -> 192.168.1.220 -> DHCP IPv4 classical
- 192.168.1.221 -> 192.168.1.254 -> Only used for the kids' wifi devices

Basically what I would like to achieve is to use a standard DNS like Cloudflare (1.1.1.1/1.0.0.1) for the first 2 subnets, and a special one (let's say AdGuard public DNS or an AdGuard Home) for the kids' subnet, and apply filtering, parental controls etc. only on this part of the subnet.

How can I achieve that? With MAC filtering (if it exists in OPNsense)? To ensure that kids' devices go to the dedicated subnet? If they change their device to use a private/random MAC, how can I ensure that it will stay in the kids' subnet?

How can I ensure that kids cannot override DNS servers directly on the device? And how do I bypass the hard-coded DNS servers in some apps (route/firewall rule maybe)?

Sorry if some of my questions are dumb, but I would like to set up something at least robust :)

Maybe I can do it with VLANs, but can I tell the difference between my kids' phone and my phone at the Wifi AP+OPNsense to put them in the right VLAN?

Thanks for the help and patience!



You can achieve most of your goals with the UI but in different ways. The first part to clear is that you can't (theoretically it can be done but it is not straightforward to achieve and definitely the UI) split your LAN in blocks and have services applied to each with a different configuration.
So your network 192.168.1.0/24 is one. This can be setup in one way.
Another would be 192.168.2.0/24. This can be setup in another way, different to the previous.
The way the OPN firewall will normally separate them will be by a port. So when you get your new hardware, port 0 will be WAN (counting from 0 here), port 1 will be LAN and that can be used to set up 192.168.1.0/24 and port 2 can be used for 192.168.2.0/24.
The limitation with this is that anything connecting to what leads to each port gets in that network. Normally this is not the limitation but the intention of it, but in home settings it is not usually feasible to have cables laid for more than one network, i.e. two cables to each room.

So your options will start with what you can do physically. If you can't physically isolate then VLANs might be an option. For that you need a managed switch.
Another option you could look into is a subscription to Zenarmor.

Hello,

I can use a port for the WAN (0), a port for the Ethernet stuff (1) and a port for the Wifi AP (2) if needed.

On the AP I can set up a guest wifi network for kids, but it still keeps the same IP range as other wifi devices.

So I do not know how to secure my setup to prevent my kid bypassing the security (random MAC address, hard-coded DNS etc ...).

If you have ideas to secure kids' stuff, I'm listening :)

How can Zenarmor help me to achieve this kind of setup?

Thank you!

You can port-forward all DNS requests from the defined range to AdGuard public DNS. To avoid changing MAC you need a separate network; if you don't have enough ports or aren't VLAN aware you won't get better protection. Or just use family filter for all and do other things via VPN or mobile.

I have an Apple AirPort Extreme that I can use as an AP for my kids and use it on a dedicated port.

So WAN, LAN and KIDS.

Which is better: using a dedicated port or using a switch with VLANs? For performance and management?

In the case of using 3 ports (WAN, LAN and KIDS), will the clients in the KIDS network be able to use Network Discovery, the Bonjour protocol or multicast between LAN and KIDS easily?

Basically in LAN I will have NAS, Roon Server, Computer, Sonos Speakers and in KIDS I will have phone and tablet and Sonos Speakers which need to discover (and be discovered by) some LAN assets.
So no issue here with the right settings? Can I also use local DNS names for each network?

My aim is to use an AdGuard Home in the KIDS network (RPi4 connected to the AirPort Extreme) and enforce that wifi devices connected to the AirPort use AdGuard Home as DNS server (no need to filter MAC or anything in this case). [I'm thinking of Zenarmor too with policy based only on the KIDS interface, but I will try it for free before jumping to a subscription]

Sorry for some dumb questions, I have some knowledge about networks but not so deep as yours :)

I've some issues with my double NAT network right now (modem/router without bridge mode and Asus XT8 wifi router set as router to have parental control and filtering enabled and WireGuard). And in this setup the discovery between devices does not work :( (maybe I didn't set it up correctly or this simple network device does not bring so much control to do that).

Again, thanks for your help!

Hello deuch

I've had a similar requirement to you and managed to achieve it with the wonderful help of the people here and elsewhere.

To only allow DNS from Unbound I implemented the following: https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I did find that this created some problems for some devices, namely TVs, so I gave them static IPs, created an alias for them and created a specific rule only for them that comes before these DNS control rules. I've attached an example for you in case it helps.

I also found Unbound's blacklists to be really good at blocking unwanted websites and ads.

Hope this helps you

Thanks,

I've started to do this kind of setup. I used an AirPort Time Capsule on a dedicated port in the OPNsense firewall (I have 4x2.5Gb ports) and the kids are using this Wifi network only.

But with Unbound, how do you create separate profiles for blocking lists? Like an adult one for this interface (LAN for example) and a kids one for another (KIDS in my setup).
It seems that the same "profile" and blocking list is applied for both (or I didn't understand or find it).

Zenarmor seems to have these features but only in the paid version.

hi,

It's not so much the profile as a list of aliases. In my image, I have TV Appliances (which are aliases); they completely bypass the requirement to use Unbound and can use whatever DNS is configured in their static config in DHCP, this way they aren't blocked by the Unbound rules.

hope that helps
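The ordering point made in the replies above (the per-device alias exception has to sit above the DNS control rules, because OPNsense evaluates an interface's rules top to bottom and the first match wins) is shown here as a toy first-match evaluator. This is an added example, not code from the thread or from OPNsense; the KIDS subnet, the AdGuard Home address, the alias contents and the sample packets are all constructed.

```python
"""Toy first-match evaluator for the KIDS interface rules discussed in the thread.

Added example, not code from the thread or from OPNsense. OPNsense (pf)
rules on an interface are evaluated top to bottom and the first match wins,
so the per-device exception (the "TV appliances" alias) must sit above the
DNS control rules. Subnet, addresses and alias contents are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

KIDS_NET = ip_network("192.168.3.0/24")          # constructed: the KIDS interface subnet
ADGUARD_HOME = ip_address("192.168.3.53")        # constructed: AdGuard Home on the RPi
TV_APPLIANCES = {ip_address("192.168.3.40")}     # constructed: alias of devices exempt from DNS control


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "pass" or "block"


def _from_kids(p: Packet) -> bool:
    return ip_address(p.src) in KIDS_NET


def _is_dns(p: Packet) -> bool:
    return p.dport == 53


def build_rules(tv_exception_first: bool = True) -> list[Rule]:
    """Return the KIDS ruleset; tv_exception_first=False reproduces the misordering."""
    tv_exception = Rule(
        "TV appliances alias may use their statically configured DNS",
        lambda p: ip_address(p.src) in TV_APPLIANCES and _is_dns(p),
        "pass",
    )
    dns_control = [
        Rule("KIDS net -> AdGuard Home :53",
             lambda p: _from_kids(p) and _is_dns(p) and ip_address(p.dst) == ADGUARD_HOME,
             "pass"),
        Rule("KIDS net -> any other :53", lambda p: _from_kids(p) and _is_dns(p), "block"),
        Rule("KIDS net -> DNS over TLS :853", lambda p: _from_kids(p) and p.dport == 853, "block"),
        Rule("KIDS net -> QUIC 443/udp (carries DoH for some browsers)",
             lambda p: _from_kids(p) and p.proto == "udp" and p.dport == 443, "block"),
        Rule("KIDS net -> anything else", _from_kids, "pass"),
    ]
    # Placing the exception last lets the generic ":53 block" match the TVs first.
    return [tv_exception] + dns_control if tv_exception_first else dns_control + [tv_exception]


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule decides; return (rule name, action). Unmatched traffic is blocked."""
    for rule in rules:
        if rule.match(pkt):
            return rule.name, rule.action
    return "implicit default deny", "block"


def decide(pkt: Packet, tv_exception_first: bool = True) -> str:
    """Convenience wrapper returning only the action for the given ordering."""
    return evaluate(build_rules(tv_exception_first), pkt)[1]


if __name__ == "__main__":
    samples = [
        Packet("192.168.3.120", "192.168.3.53", "udp", 53),   # kid device -> AdGuard Home
        Packet("192.168.3.120", "1.1.1.1", "udp", 53),        # kid device -> public resolver
        Packet("192.168.3.120", "1.1.1.1", "tcp", 853),       # DoT attempt
        Packet("192.168.3.120", "198.51.100.7", "udp", 443),  # QUIC attempt
        Packet("192.168.3.40", "1.1.1.1", "udp", 53),         # TV appliance with its own DNS
    ]
    for order in (True, False):
        print("TV exception first:" if order else "TV exception last:")
        for p in samples:
            print(f"  {p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(build_rules(order), p)}")
```

Running it prints the same five packets under both orderings; only the TV appliance changes outcome, from pass to block, when its alias rule is moved below the generic ":53 block" rule. The earlier suggestion of a port forward (NAT redirect of all port 53 traffic to AdGuard Home) is not modelled here; on OPNsense such a redirect is applied before the filter rules, so it would need a separate stage in the evaluator.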

Quote from: deuch on June 15, 2023, 11:48:27 AM
Thanks,

I've started to do this kind of setup. I used an AirPort Time Capsule on a dedicated port in the OPNsense firewall (I have 4x2.5Gb ports) and the kids are using this Wifi network only.

But with Unbound, how do you create separate profiles for blocking lists? Like an adult one for this interface (LAN for example) and a kids one for another (KIDS in my setup).
It seems that the same "profile" and blocking list is applied for both (or I didn't understand or find it).

Zenarmor seems to have these features but only in the paid version.
So you have all the devices on a separate OPN interface, nice.
I see what you mean regarding Unbound. The UI doesn't have a "profiles" mechanism. It might be achievable with zones but I can't help with testing it first for advice for the time being. See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ . The way to implement it IMHO would be to install the "custom options" from mimugmail's plugin and put those options in the field. The trouble is you need to work out what to put there.
In light of this I would suggest as an alternative option to explore, to install Adguard (again another wonderful contribution from mimugmail to integrate it as a plugin - what a guy :) ) on OPN.
After installing the plugin, the first time you get to https://yourOPNLanIp:8080 you need to configure it. At this point you choose the interfaces to listen on and it is all by default. There you have option 1: to listen on all interfaces to begin with and customise as needed, i.e. excluding your _not_kids network, or 2: listen only on the kids network.
Any choice can be changed later, just that these selections are not in the UI; it needs changing a config file by hand. Easy enough though.

I'd be remiss not to mention though: there is an additional requirement for this to work. You'll need to change ports either in Unbound or AdGuard Home for the default port to listen on for DNS requests, and a couple of firewall rules. There's a thread in the General section I think with the details, and around the web. Not hard really.

Hello,

Setup seems OK with AdGuard Home on an RPi, a dedicated network and wifi router for kids. Some firewall rules enforce usage of AdGuard Home as DNS server, and disable 443 on UDP. Zenarmor tries to block DNS over TLS and HTTPS.

But now, my issue is to prevent my kids from using a VPN ... and it seems to be challenging without full TLS inspection.
Zenarmor does not provide it yet; what kind of tool can give me this kind of protection? I can add a CA on my kids' devices, it's not an issue.

Thanks for the help