Network-level, GUI-based parental controls integrated with pfSense
-
I have a client who wants to apply parental controls to his kids’ use of the internet. Rather than advising him on filtering software to be installed on individual devices, I am wondering what solutions might exist that provide access control on the network level.
Ideally, it would be easily configured by a non-techie through a GUI, but still integrate with the pfSense firewall. I think this would require Layer 1 blocking, so that individual MAC addresses can have their access curtailed or put on a schedule. Doing that would make the application operating-system agnostic.
-
@dominikhoffmann Yes please, this is a good idea.
I followed a guide for a few hours to set up static IPs on my kids' PCs in DHCP, created an alias, a schedule and finally allow and block rules. I was very proud of what I had managed to do.
Only to find out my son managed to circumvent this somehow, because now his PC has another MAC and IP address, so he's happily gaming all night long again...
-
@m1ner2049er: What you did is beyond my client’s capabilities. It would be too costly for him to have me set something like that up for him, and he would still need the ability to easily make ad hoc changes.
I think my client’s kids have Macs and an Xbox. Not sure whether it is easy to do MAC address spoofing on an Xbox. On a Mac, I would never let my kids have user IDs with admin privileges.
On a Windows machine I would want to do the same thing, if feasible. Even back with Windows 7 it was nearly impossible to run a lot of software without the logged-in user being an admin. From what I have seen, this has much improved with Windows 10 and newer, although I am not the power user on Windows that I am on macOS.
-
@dominikhoffmann Of course, what I wrote was not a proposed solution for your client; I was just sharing my experiences with trying to apply parental control on my pfSense, and how I failed. I would really like to have something like you proposed, a GUI for parental control.
-
@dominikhoffmann
To keep your kid's DHCP client "honest" when requesting your reserved IP, in your pfSense DHCP config for each necessary LAN/vLAN interface, set the "Deny unknown clients" option to "All known clients only from this interface". This way, you register the "real" MAC address of his network card in your DHCP lease, and any unregistered devices will NOT get a DHCP reservation. Of course, I wouldn't do this unless you have ALL your devices registered.
As for him changing his config to, say... set a static IP on his own, you'll need to demote his account and revoke administrative access. This will likely cause him all kinds of grief and inconvenience beyond network security issues.
-
@dominikhoffmann MacOS has parental controls: https://support.apple.com/en-us/HT211874. Similar to iOS.
Windows does as well, we use it for our son. Unfortunately it only works with Edge because it’s via a Microsoft Account. It can however block apps from running so one can block Chrome. It can also restrict Xbox/gamertag decently well.
iOS, Android, Windows, and MacOS have a “private address” feature that randomly generates a MAC address for each wireless network. It’s intended to not allow following a device across wireless networks, e.g. retail stores.
Also applications often use a temporary IPv6 address to avoid tracking, so one device will often have 5-10 IPv6 addresses. Not really your question but it doesn’t help with limiting by IP and firewall rules.
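An added example, not part of the original posts: a lease audit that lists every DHCP client whose MAC is not in the registered set, which is the check to run before enabling "Deny unknown clients" and the one that exposes a device reappearing under a new or "private" address. It assumes ISC dhcpd lease-file syntax; the leases, MAC addresses, hostnames and the registered set are constructed sample data.

```python
import re

# Constructed sample in ISC dhcpd lease-file syntax (assumed format, not from the thread).
SAMPLE_LEASES = '''
lease 192.168.1.50 {
  hardware ethernet 3c:22:fb:10:20:30;
  client-hostname "kids-imac";
}
lease 192.168.1.77 {
  hardware ethernet 9a:41:07:c2:5e:11;
  client-hostname "kids-imac";
}
lease 192.168.1.80 {
  hardware ethernet 00:1d:d8:aa:bb:cc;
  client-hostname "xbox";
}
'''

# Constructed registry: MACs that have a static DHCP mapping (hypothetical values).
REGISTERED = {"3c:22:fb:10:20:30", "00:1d:d8:aa:bb:cc"}

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
MAC_RE = re.compile(r'hardware ethernet\s+([0-9a-fA-F:]{17});')
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, as it is for
    OS-generated "private" addresses; a hand-set address may or may not set it."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit_leases(text, registered):
    """Return one finding per lease whose MAC is not in the registered set."""
    known = {m.lower() for m in registered}
    leases = []
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        if mac:
            leases.append((ip, mac.group(1).lower(), host.group(1) if host else None))
    known_hosts = {h for _, m, h in leases if m in known and h}
    return [{"ip": ip, "mac": mac, "hostname": host,
             "locally_administered": is_locally_administered(mac),
             # Same hostname as a registered device suggests the same machine.
             "hostname_of_registered_device": host in known_hosts}
            for ip, mac, host in leases if mac not in known]

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, REGISTERED):
        print(finding)
```

A finding with `locally_administered` set and a hostname already seen on a registered device points to the same machine using a different address, so the registered list and the firewall alias need to account for it.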
-
I went down several of these routes when my kids were young. In the end two things proved most effective:
- Show them the firewall logs regularly, to let them know we were aware of what websites, etc. they were looking at. Their "adult" viewing stopped completely that day!!
- Set up speed limits at bedtime & one hour before. So one hour before bed, their connection would slow to a few hundred kbps, and then at midnight speed would drop to 1-2 kbps.
Consequently internet would work for google or homework, but really bad for gaming!!
Pete
-
hey,
same here:
I first configured our Fritzbox router with blocklists. Then later I did the same with pfSense and pfblocker and made sure my son won't get another IP to circumvent those rules. Worked, but who knows how often mobile data instead of WLAN (with my blocking rules) is being used...
After all, besides all those IT related options, education and preparation for life is parental responsibility and IMHO means much more than just block things...my son got his "now you're in that age when you get the talk about love, sex, respect to/from/with others" lesson.
After that (wasn't really necessary, just a kind of "update") all went well...and maybe he learned, why those sites are additionally blocked (just to make sure... :)), which is much more important than just saying no. ;)
-
@the-other, @pwood999
I agree with you that preparing your kids with the ethical and moral understanding is key. That said, there is such a thing as temptation, which can at times overpower the best ethical and moral comprehension. Unfortunately, pornography can be highly addictive. Therefore, the technological block can help against temptation.
I think at home I have all that covered pretty well. However, it was a client who had indicated that he wanted administrative access control. Knowing his level of expertise, going about it the way I would is not an option. I had hoped that the incredible extensibility of the pfSense platform might offer a viable solution.