Blocking individual device YouTube and IPv6
My household has a lot of electronic devices and I want to block YouTube on some devices (younger kids) while leaving other devices enabled.
My first attempt was to "kill switch" individual devices using a firewall rule. Simply turn off that device's access except when authorized. This didn't work, because the firewall rule still allowed internet access through IPv6. I tried to setup an IPv4+IPv6 rule but no success because the "source" for the individual device is referrred to with an IPv4 LAN address (not allowed with IPv6).
The second attempt was to uncheck the "Allow IPv6" and make my network entirely IPv4. Therefore, device could be easily blocked using IPv4 addresses, and I could eventually figure how to use pfBlock or some other mechanism to selectively disable YouTube for individual devices based on IPv4 rules. But I never could make my network operate smoothly with the "Allow IPv6" unchecked.
The third attempt was to block individual devices by MAC address at the WiFi access point. Brute force, but it works. Kids can use their devices on the internet only when their MAC address is enabled. It's a pain to remember to log into the AP admin page and manually adjust their access.
The real solution is to selectively block YouTube for each individual device, in a way that IPv6 can't sneak through.
I'm not expert, but only a newbie ;)
But will try to help, in a newbie way. This is what i'll probably do:
Do you need IPv6? If not, turn if off. Then make Static ARP table for all devices. Then group your devices via ALIASES.
For the blocking part, I will use opendns dns filtering. Make a firewall rule to force all connection to use opendns dns port 53, and block all other port 53 connection right below the opendns firewall rule.
Not sure my step by step is enough, but feel free to ask :)
Install Squid & SquidGuard & SARG and then create for each user and device an account, then you will be having a better control
as I see it right you can now deny or Permit things to each individual user (kid) and taking care on their Age. Together with an
OpenDNS account you gain that security a bit more.
Pending on the horse power and RAM amount of your pfsense firewall you could also try out to set up pfBlockerNG & DNSBL + TLD
to get rid of many things such as adds, porn and spam. Together with Snort and AppID rules it could also walk well.
force youtube safe mode?
Assuming there devices are apple products I might suggest putting restrictions on their devices specifically. Settings->General->Restrictions. Similar functionality with Mac OS…
- In terms of pfSense, I would go back again and look at the "Scheduling functionality" in your rules.
- Setup a specific VLAN for your kids(You need an AP that is VLAN capable)
- I just got pfBlocker working and love the customizable functionality
- Turn off IPv6...I have it turned off on my firewall(I think?)
- As already suggested use OpenDNS...I believe there are "Parental Control OpenDNS IPs)
(I have less then a year into pfSense...big learning curve but what you seek is very possible)