Father of 4 kids in house needs help w firewall / router advice

[georgeberz]

I have 4 kids in the house some are wannabe geeks. looking for a nice firewall router package.

I need to force ALL DNS requests to OPENDNS (so I can do some content filtering) doing with pfsense GREAT

We are currently running of pfsense....

I am having a hard time trying to get some way to monitor individual user ip or mac bandwidth to see who is the pig in the house.

pfsense dumped bandwidthd do you have any advice on if opensense will work better for me?

can I monitor individual mac or ip bandwidth?

thank you

George

[fabian]

I would use fixed IP addresses with DHCP and collect the data via squid logs (http(s) only via a analysis tool like sarg or lightsquid) or netflow complete traffic. Forcing a DNS server can be done via a "Port Forward".

[bartjsmit]

Hi George,

OPNsense will serve your needs. The netflow component will show you which IP addresses consume the most bandwidth. You can set static IP reservations in DHCP to tie those to specific MAC addresses.

DNS clients can be forced to use OpenDNS by a simple rule allowing outbound TCP/UCP 53 to their IP's only. OpenDNS is recursive, so the single firewall rule is enough.

To go from diagnostics to enforcement you could look at an enterprise grade WiFi access point which let's you run more than one SSID from a single device, thereby allowing you to regulate WiFi access per child. I use an Ubiquiti AP which allows four separate WiFi networks. It also gives more information about the clients (hostname, manufacturer, etc.), their bandwidth use and history.

In the past, I have also used a Raspberry Pi for the same purpose. The code is here: http://bedtime.sf.net/ It is aimed at a slightly younger age group, as your wannabe geeks may soon discover ways around its funky routing.

Bart...

[mtwannabe]

Bart do you have a setup/install for what you are currently running as this sounds very similar to what I'm looking for? 

Hi George,

OPNsense will serve your needs. The netflow component will show you which IP addresses consume the most bandwidth. You can set static IP reservations in DHCP to tie those to specific MAC addresses.

DNS clients can be forced to use OpenDNS by a simple rule allowing outbound TCP/UCP 53 to their IP's only. OpenDNS is recursive, so the single firewall rule is enough.

To go from diagnostics to enforcement you could look at an enterprise grade WiFi access point which let's you run more than one SSID from a single device, thereby allowing you to regulate WiFi access per child. I use an Ubiquiti AP which allows four separate WiFi networks. It also gives more information about the clients (hostname, manufacturer, etc.), their bandwidth use and history.

In the past, I have also used a Raspberry Pi for the same purpose. The code is here: http://bedtime.sf.net/ It is aimed at a slightly younger age group, as your wannabe geeks may soon discover ways around its funky routing.

Bart...

[bartjsmit]

My current network has moved on as the kids grew up. I only use the ubiquiti now. Happy to help if you get stuck though.

Bart...

[greg124816]

I dont do any bandwidth usage tracking/control, just on/off per device. With desktops, laptops, phones, xbox/playstation/DS's etc we wanted them grouped to shut them all off, but also to add a single rule to allow a different group, say a Nintendo DS and TV etc.

I use the static arp checkboxes in DHCP reservations to force the mac of the kids devices to only work on a certain IP for each mac. Then I have their IPs grouped in aliases and schedules setup and assigned to firewall rules.

The rule logic seems to need to be to schedule an "allow/pass their traffic" rule above a permanent "block all their traffic" rule at the bottom. Otherwise the clearing of existing connections doesn't work when a schedule kicks a rule in/out.

We also have a separate rule above everything else that just blocks all traffic for each alias. That way we can login and enable/disable that rule to stop internet on all their devices in one shot. Along these same lines, we have "allow" rules we can go enable that will allow internet to all or a subgroup of phone/devices manually while all the auto-scheduled rules have things blocked.

You can lock things down with "only static arp" for the entire interface(actually in the DHCP settings for that interface), but then no hosts will work without having their mac added as a reservation (even if they are setup static). So far kids haven't learned about changing their mac. They were changing IPs effortlessly before I set static ARP up.

Actually I take that "no bandwidth control" statement back, before I moved off pfsense I did do a 64K throttle on phones(that have no cell  service) so they could have messaging app like google hangouts but no "usable internet" as they considered it. I did NOT have a firm grasp on how the throttling worked on pfsense but I got it figured out. On opnsense it's even more confusing to me, although I did manage to get it working for one device, I haven't had much call to expand that throttling setup to other devices.

Basically it all becomes a big list of firewall rules, some enabled, some disabled manually or by schedule at different times, but it does work for complex scenarios with numerous internet connected devices when you dont necessarily want to block all of their devices(even for a single child) at the same time.

What I wonder about is if macvlan type setup might work better, but then I think instead of a very long vertical list of rules for "LAN", I'd have a very wide list of Interfaces tabs in the firewall rules page.

[georgeberz]

I have since added a openmesh om5p it has full bandwidth accounting as for gigs used, which ip used it, mack accress, was it on facebook, p2p etc. it breaks it all down.

I am still looking for a easy way to visualize traffic per ip or user, was thinking of trying captive portal, will that track total usage?

George

I have 4 kids in the house some are wannabe geeks. looking for a nice firewall router package.

I need to force ALL DNS requests to OPENDNS (so I can do some content filtering) doing with pfsense GREAT

We are currently running of pfsense....

I am having a hard time trying to get some way to monitor individual user ip or mac bandwidth to see who is the pig in the house.

pfsense dumped bandwidthd do you have any advice on if opensense will work better for me?

can I monitor individual mac or ip bandwidth?

thank you

George