Questions about using pfsense to restrict internet content for my kids
-
If you want to use VLANs, your switch and, for wireless, your AP need to support them too, so check their documentation and Google.
Also, you need to actually understand how VLANs work; you can start here: https://www.netgate.com/docs/pfsense/book/vlan/index.html
-
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
Well, I can deny MACs on any of the interfaces, so I'll at least do that. I don't see anything obvious that allows my tp-link archer c9 to handle VLANs.
I don't believe that device is going to work as you need. Are the devices you want to protect wireless or hard-wired? If both, then you will need a VLAN-capable switch and a VLAN-capable Wireless AP. My favorite VLAN AP is the Ubiquiti line. They do multiple SSIDs and VLANs: perfect for what you need.
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
Also something along this line is to have two separate wireless SSIDs and manage it at that level. One would be the "kids" WiFi and it would have a guest network that their friends could attach to, but would also be subject to the same network restrictions as the "kids". You could have a "parents" WiFi network that is less restrictive than the "kids". You may be able to do this with one WiFi device, but you can easily do it with two.
Each WiFi network could terminate at a different pfSense physical port to segregate them, that is if you have the extra ports on your pfSense box. Otherwise, you could VLAN them from a L2 switch as you've already considered above.
-
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
I have a Netgate SG-1100. I could get another wireless router and connect it to the OPT physical port and lock the kids' devices' MACs out of the other router and the non-VLAN interface.
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
I have a Netgate SG-1100. I could get another wireless router and connect it to the OPT physical port and lock the kids' devices' MACs out of the other router and the non-VLAN interface.
Yes.
Since it will be the only thing plugged into the OPT interface, it's its own physical network. You can choose what/how it routes to the Internet and to your LAN.
-
@bmeeks Hello. It's been a while. I just got a Ubiquiti UniFi UAP-AC-M and I have made sure that I have internet access on my OPT port of my SG-1100. But since I'm not on the same subnet, I cannot locate my device with the UniFi manager app. Do you have any suggestions about how I can do this?
-
My unrestricted wifi is on 192.168.0.0/24 and my OPT network is 10.0.0.0/24.
-
A great solution is DNSThingy, where you can manage multiple users with different policies on each device. It works on pfSense as an add-on; here is the link: https://www.dnsthingy.com/testimonials/
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
@bmeeks Hello. It's been a while. I just got a Ubiquiti UniFi UAP-AC-M and I have made sure that I have internet access on my OPT port of my SG-1100. But since I'm not on the same subnet, I cannot locate my device with the UniFi manager app. Do you have any suggestions about how I can do this?
Put your UniFi Controller and the APs on your LAN (the unrestricted 10.0.0.0/24 network). Then within UniFi controller create the VLAN for your restricted WiFi (using the VLAN ID). The UniFi APs will segregate the VLAN traffic for you and give the Guest Wi-Fi (the restricted network) the proper VLAN tag you specify.
-
@hotshottech It looks pretty cool, but it's $8/month!
-
It is worth it... I have used it for three years now and it gives you peace of mind knowing the internet is properly filtered.
-
@hotshottech How much harder, really, is SquidGuard? And I'm already using the OpenDNS servers.
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
And I'm already using the OpenDNS servers.
Which of their servers? They have the family shield set, and the regular everyday set.
Jeff
-
@akuma1x The family shield servers.
-
They use OpenDNS for their Blacklist Rules but I like the way they handle Whitelist Rules.
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
@akuma1x The family shield servers.
Ok, since it's the family shield servers, you can set the kids VLAN to use a DHCP server, and then use the Family Shield DNS servers as the main DNS for that subnet/network. That will lock it up pretty good. That's how I set it at my house, with the kid network.
Jeff
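-
Added example, not part of any post in this thread: a small audit of a pfSense configuration backup that checks whether the DHCP server on the restricted interface hands out only the OpenDNS FamilyShield resolvers, as the last reply describes. The XML fragment is constructed and assumes the `<dhcpd>` layout of a pfSense `config.xml` backup; the interface name `opt1`, the address ranges and the function name `audit_dhcp_dns` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# OpenDNS FamilyShield resolver addresses, as published by OpenDNS.
FAMILY_SHIELD = {"208.67.222.123", "208.67.220.123"}

# Constructed sample: a trimmed <dhcpd> section in the style of a pfSense
# config.xml backup. "lan" is the unrestricted network, "opt1" the kids' one.
SAMPLE_CONFIG = """\
<pfsense>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.0.100</from><to>192.168.0.199</to></range>
    </lan>
    <opt1>
      <enable/>
      <range><from>10.0.0.100</from><to>10.0.0.199</to></range>
      <dnsserver>208.67.222.123</dnsserver>
      <dnsserver>8.8.8.8</dnsserver>
    </opt1>
  </dhcpd>
</pfsense>
"""

def audit_dhcp_dns(config_xml, restricted_ifaces):
    """Return {iface: [findings]}; an empty list means the interface passes."""
    root = ET.fromstring(config_xml)
    report = {}
    for iface in restricted_ifaces:
        node = root.find(f"./dhcpd/{iface}")
        findings = []
        if node is None or node.find("enable") is None:
            findings.append("DHCP server not enabled on this interface")
        else:
            servers = [e.text.strip() for e in node.findall("dnsserver") if e.text]
            if not servers:
                findings.append("no DNS servers pinned; clients get the firewall default")
            for ip in servers:
                if ip not in FAMILY_SHIELD:
                    findings.append(f"unfiltered resolver handed out: {ip}")
        report[iface] = findings
    return report

if __name__ == "__main__":
    for iface, findings in audit_dhcp_dns(SAMPLE_CONFIG, ["opt1"]).items():
        print(iface, "OK" if not findings else findings)
```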