simple toggle for children VLAN

sgw

For a customer I look for a way to easily toggle internet access for a separate "kids vlan":
there should be some intranet-webpage with a button or two that toggle some blocking rule "kids vlan is allowed to surf or not"

A guy on reddit pointed me at Captive Portal, I am not yet sure if that solves the problem.
Ideally I'd like to avoid giving access to pfsense-GUI to any user (the parents there should be able to toggle that access without much complexity). Maybe even integrate into their FHEM-system? Maybe a script adding/removing rules via ssh?

I'd appreciate any pointers here.

Gertjan

Hi,

pfSense is GUI based.
But it isn't really focussed on the family usage market.
A CLI exists but it doesn't offer very few to none possibilities to script commands.

Still, pfSense is build with ..... 99 % scripting. The good and the bad news : it's PHP ....

Coding it up isn't rocket science - as soon as you understood how pfSense works ...

What works right now :
Parents have to login into the GUI and enable / disable a firewall rule.
I counted 6 straightforward mouse clicks.

Do not forget the 'simple and can't fail' solution : have the parents rip out the Ethernet cable that powers the Kids network (not using VLAN).

awebster

@Gertjan Yeah, but it would be cool to have a simple UI extension for parents, or more specifically, the less technical parent, that is easy to use. Based on the questions in the Forums, there appear to be lots of pfSense deployments in the home, so responding to this need would be a win for sure.

In my case, I integrated my pfSense installation with an Asterisk PBX that does exactly this, by dialing a specific phone number, the caller is prompted to select which Kid's network they wish to enable or disable.
It does this by sshing to pfSense and toggling the proper rule. I used a specific pattern in the rule comments to allow the rule to be found in the rulebase. Works like a charm!

I think ultimately the basic concept could easily be extended to allow for some pretty cool rule automation.

sgw

@awebster said in simple toggle for children VLAN:

@Gertjan Yeah, but it would be cool to have a simple UI extension for parents, or more specifically, the less technical parent, that is easy to use. Based on the questions in the Forums, there appear to be lots of pfSense deployments in the home, so responding to this need would be a win for sure.

In my case, I integrated my pfSense installation with an Asterisk PBX that does exactly this, by dialing a specific phone number, the caller is prompted to select which Kid's network they wish to enable or disable.
It does this by sshing to pfSense and toggling the proper rule. I used a specific pattern in the rule comments to allow the rule to be found in the rulebase. Works like a charm!

I think ultimately the basic concept could easily be extended to allow for some pretty cool rule automation.

Sounds interesting! Do you want to share some of your work?

I also found this: https://forum.netgate.com/topic/130847/toggle-rules-or-rulesets-via-php-or-perl/1

... seems I asked a similar question back then already ;-)

Using "easyrule" might do the trick, if I wrap it up into some PHP-code that ssh-es into pfsense and runs the commands.

Gertjan

@sgw said in simple toggle for children VLAN:

into pfsense and runs the commands.

Added to that : php can anything.
So, an OpenVPN client on your pHone device, and two favourite browser URLs pre-setup in your pHone's browser will do the ENABLE and DISABLE.
( The OpenVPN app on the phone is much simpler as a opening up a (remote) SSH sessions )

The browsers ENABLE and DISABLE "URLs" would fiction right away when the pHone is connected to the Home Parrent Wifi connection.

NogBadTheBad

Is this for Wi-Fi, if it is I'd be be tempted to put them on their own vlan.

If you were using Ubiquity, you can enable / disable Wi-Fi clients on the fly or have time based schedules for the SSID.

sgw

@Gertjan sounds great, but how do I "define" or "get" these URLs?

sgw

@sgw said in simple toggle for children VLAN:

@Gertjan sounds great, but how do I "define" or "get" these URLs?

I think I understand now: something like:

https://pfsense/firewall_rules.php?if=opt4&act=toggle&id=63

would toggle that rule. Doesn't it have to be applied as well?
Additional I would need a low-right-pfsense-User with access to the Firewall Tab only, correct?

sgw

@NogBadTheBad said in simple toggle for children VLAN:

Is this for Wi-Fi, if it is I'd be be tempted to put them on their own vlan.

If you were using Ubiquity, you can enable / disable Wi-Fi clients on the fly or have time based schedules for the SSID.

No Wifi, no Ubiquiti ;-) .. so far PCs connected via ethernet cabling, inside a separate VLAN.

akuma1x

Ok, if it's all hard wired, how about sacrificing a small smart switch (because you said VLAN's) and power said switch with one of those "smart home" wifi power outlets?

The power outlet thingie can be turned on and off on a schedule, or even better, on demand with a smart phone app.

https://www.amazon.com/Gosund-Compatible-Required-appliances-Certified/dp/B079MFTYMV

If the switch doesn't have power, then the network traffic isn't going to pass. I'm NOT saying it's bullet-proof, or kid-proof either, but it could be a cheap & easy way to do this.

Remember, parenting of internet stuff CAN'T be done with tech, it has to be done with real-live parents. A conversation about time, or behavior, online would always be a better option.

Jeff

awebster

@akuma1x said in simple toggle for children VLAN:

Remember, parenting of internet stuff CAN'T be done with tech, it has to be done with real-live parents.

I agree, it requires real-live parents, but the tech can act as an enforcement point. Cut off Johnny's Netflix or PS4 access, and you'd be surprised how quickly the chores get done!

sgw

@akuma1x said in simple toggle for children VLAN:

Ok, if it's all hard wired, how about sacrificing a small smart switch (because you said VLAN's) and power said switch with one of those "smart home" wifi power outlets?

The power outlet thingie can be turned on and off on a schedule, or even better, on demand with a smart phone app.

https://www.amazon.com/Gosund-Compatible-Required-appliances-Certified/dp/B079MFTYMV

If the switch doesn't have power, then the network traffic isn't going to pass. I'm NOT saying it's bullet-proof, or kid-proof either, but it could be a cheap & easy way to do this.

We will consider that, thanks. Maybe we could even toggle the existing switch-port via FHEM somehow.