Questions about using pfsense to restrict internet content for my kids
-
Hi, all. I have done a bunch of searching here about keeping my kids' access to the internet safe by blocking inappropriate content, etc., but I'm having some trouble with putting it all together into a cohesive strategy.
Let me share my thoughts about what I think I'd like to do, and anybody can correct me where I'm wrong, or advise different approaches.
I'd like to set up a VLAN for the kids' devices so that the MAC addresses have to use that VLAN. The VLAN would give out OpenDNS servers. Then I was thinking that I could use a pfSense plugin like SquidGuard for other content or location restrictions.
I have created a VLAN, but I have no idea how to configure a DHCP server for that VLAN that will hand out specific DNS server addresses.
Well, that's really about as far as I have gotten. Any help would be greatly appreciated and thanks in advance!
-
Under SERVICES > DHCP SERVER you will find all the defined interfaces on your firewall. Your configured VLAN will be listed there. Click to edit that interface (VLAN) and scroll down and you can configure what DNS servers are to be handed out for that VLAN's IP range.
I assume when you said you had the VLAN created that you have tested and made sure it is handing out IP addresses in the correct scope and that scope is not part of your regular LAN. A VLAN will have a separate IP network subnet.
How old are your kids? If teenagers, it will potentially take them all of 60 seconds to get around your protection scheme by simply hardcoding a different DNS server on their device. Any of their IT-savvy friends can show them how. If you have pre-adolescents, then your scheme will work.
To truly lock down the DNS you would need to configure DNS port redirection on pfSense for that VLAN and make sure all outbound requests from that VLAN on TCP or UDP port 53 get redirected to the DNS server of your choice.
-
Thanks for the reply. I have a rule for that VLAN that only allows access to the OpenDNS servers
-
"Under SERVICES > DHCP SERVER you will find all the defined interfaces on your firewall. Your configured VLAN will be listed there. Click to edit that interface (VLAN) and scroll down and you can configure what DNS servers are to be handed out for that VLAN's IP range."
Ok, so I have configured something wrong with the VLAN, because I only have the option to configure the LAN interface.
-
@steve973
I don't use DHCP on pfSense in my setup, so I'm working from memory from when I set up a VLAN system for our church last year. Each interface will have its own configuration section within the DHCP Server on pfSense. It will be in the same place where you configured the IP ranges for DHCP to hand out for that VLAN. Where did you put the MAC addresses for the kids' devices? That would normally be the DHCP Server section.
-
I just now got it working. Now I need to figure out how to make sure that certain MAC addresses can only get configuration for that particular VLAN, and cannot get on any of the other interfaces.
-
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
To truly lock down the DNS you would need to configure DNS port redirection on pfSense for that VLAN and make sure all outbound requests from that VLAN on TCP or UDP port 53 get redirected to the DNS server of your choice.
This won't stop DNS over TLS or DNS over HTTPS, like TRR in Firefox.
-
@grimson said in Questions about using pfsense to restrict internet content for my kids:
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
To truly lock down the DNS you would need to configure DNS port redirection on pfSense for that VLAN and make sure all outbound requests from that VLAN on TCP or UDP port 53 get redirected to the DNS server of your choice.
This won't stop DNS over TLS or DNS over HTTPS, like TRR in Firefox.
Correct. That's why I am generally not a fan of trying to police user access to web content with firewall rules. Much better instead, in my view, to use the threat of serious repercussions for offenders of a corporate or domestic Internet usage policy. There is too much technology specifically designed to thwart other security technology to ever be 100% successful with technological lockdowns of things that are really about personal integrity and honesty.
For younger kids, using settings like Google's Safe Search and maybe OpenDNS work to prevent accidental exposure to adult content. With teenagers, technology rapidly loses the race. Better then to just be a nosy parent and give them "the talk" early.
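Tying together the port-53 redirect described earlier in this thread and the DoT/DoH caveat just raised, here is an added example (mine, not from this thread, pfSense, or any of its packages) of a small audit a parent could run over connection records exported from the firewall for the kids' VLAN. It classifies each flow as either going to the enforced resolver, plain DNS to some other server (what the port-53 redirect is there to catch), DNS over TLS on 853/tcp, or HTTPS to a known public DoH resolver. The log line format, the 10.0.0.0/24 VLAN subnet, and the `DOH_ENDPOINTS` list are assumptions for the example; the OpenDNS addresses are OpenDNS's published resolvers, and the DoH addresses are public resolvers that serve DoH, standing in for a maintained alias list.

```python
"""Audit DNS-related flows from a restricted (kids') VLAN.

Added example, not part of the forum thread. Shows why a port-53
redirect alone is not enough: DoT (853/tcp) and DoH (443/tcp to a
resolver) never touch port 53, so they need separate block rules
(an outbound block on 853 and a block to a DoH-resolver alias).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed subnet for the restricted VLAN (the thread's OPT network).
KIDS_VLAN = ipaddress.ip_network("10.0.0.0/24")
# OpenDNS public resolvers; the only DNS destination the VLAN may use.
ENFORCED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Illustrative list of public resolvers that serve DoH on 443/tcp.
# A real deployment would maintain this as a pfSense alias instead.
DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def parse_flow(line):
    """Parse one constructed log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow):
    """Return a finding label for flows from the kids' VLAN, else None."""
    if ipaddress.ip_address(flow.src) not in KIDS_VLAN:
        return None                       # not a device we are policing
    if flow.dport == 53:
        if flow.dst in ENFORCED_RESOLVERS:
            return "ok"                   # DNS went where it should
        return "plain-dns-bypass"         # hardcoded resolver; the 53 rdr catches this
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"                      # DNS over TLS, unaffected by a port-53 redirect
    if flow.dport == 443 and flow.dst in DOH_ENDPOINTS:
        return "doh"                      # DNS over HTTPS to a known resolver
    return None                           # ordinary traffic


def audit(lines):
    """Count findings per category over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        label = classify(parse_flow(line))
        if label is not None:
            counts[label] += 1
    return dict(counts)


# Constructed sample export: one parent-LAN flow plus several kids'-VLAN flows.
SAMPLE_LOG = [
    "10.0.0.15 208.67.222.222 udp 53",    # correct resolver
    "10.0.0.15 8.8.8.8 udp 53",           # hardcoded Google DNS on the device
    "10.0.0.22 1.1.1.1 tcp 853",          # DNS over TLS
    "10.0.0.22 1.1.1.1 tcp 443",          # DNS over HTTPS
    "10.0.0.22 93.184.216.34 tcp 443",    # ordinary web traffic
    "192.168.0.5 8.8.8.8 udp 53",         # parents' LAN, out of scope
]

if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:18s} {n}")
```

Run as-is it reports one flow in each of the four categories; in practice you would feed it an export of firewall log entries and turn any `dot` or `doh` hits into the extra block rules the thread says the port-53 redirect does not provide.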
-
Ok, I'm aware of how these measures can be circumvented, but I would like to try to at least get this set up. How can I ensure that specific MACs are only allowed on this particular VLAN, so that when the kids connect, they are only connected to the somewhat-secured VLAN, and that they won't have access to the unrestricted VLAN that my wife and I use?
-
Isolating VLANs on L2 is handled in your managed switch and/or AP, not on pfSense.
-
Well, I can deny MACs on any of the interfaces, so I'll at least do that. I don't see anything obvious that allows my TP-Link Archer C9 to handle VLANs.
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
Well, I can deny MACs on any of the interfaces, so I'll at least do that. I don't see anything obvious that allows my TP-Link Archer C9 to handle VLANs.
I don't believe that device is going to work as you need. Are the devices you want to protect wireless or hard-wired? If both, then you will need a VLAN-capable switch and a VLAN-capable Wireless AP. My favorite VLAN AP is the Ubiquiti line. They do multiple SSIDs and VLANs: perfect for what you need.
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
-
If you want to use VLANs, your switch (and, for wireless, your AP) needs to support them too, so check their documentation and Google.
Also, you need to actually understand how VLANs work; you can start here: https://www.netgate.com/docs/pfsense/book/vlan/index.html
-
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
Well, I can deny MACs on any of the interfaces, so I'll at least do that. I don't see anything obvious that allows my TP-Link Archer C9 to handle VLANs.
I don't believe that device is going to work as you need. Are the devices you want to protect wireless or hard-wired? If both, then you will need a VLAN-capable switch and a VLAN-capable Wireless AP. My favorite VLAN AP is the Ubiquiti line. They do multiple SSIDs and VLANs: perfect for what you need.
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
Also, something along this line is to have two separate wireless SSIDs and manage it at that level. One would be the "kids" WiFi, and it would have a guest network that their friends could attach to but which would also be subject to the same network restrictions as the "kids". You could have a "parents" WiFi network that is less restrictive than the "kids". You may be able to do this with one WiFi device, but you can easily do it with two.
Each WiFi network could terminate at a different pfSense physical port to segregate them, that is if you have the extra ports on your pfSense box. Otherwise, you could VLAN them from a L2 switch as you've already considered above.
-
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
I have a Netgate SG-1100. I could get another wireless router and connect it to the OPT physical port and lock the kids' devices' MACs out of the other router and the non-VLAN interface.
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
@bmeeks said in Questions about using pfsense to restrict internet content for my kids:
What kind of pfSense firewall do you have? Is it perhaps one of their SG-1100 or SG-3100 appliances? If so, those have a built-in VLAN-capable switch you could make use of if everything is hard-wired.
I have a Netgate SG-1100. I could get another wireless router and connect it to the OPT physical port and lock the kids' devices' MACs out of the other router and the non-VLAN interface.
Yes.
Since it will be the only thing plugged into the OPT interface, it's its own physical network. You can choose what/how it routes to the Internet and to your LAN.
-
@bmeeks Hello. It's been a while. I just got a Ubiquiti UniFi UAP-AC-M and I have made sure that I have internet access on my OPT port of my SG-1100. But since I'm not on the same subnet, I cannot locate my device with the UniFi manager app. Do you have any suggestions about how I can do this?
-
My unrestricted wifi is on 192.168.0.0/24 and my OPT network is 10.0.0.0/24.
-
A great solution is DNSThingy, where you can manage multiple users with different policies on each device. It works on pfSense as an add-on; here is the link: https://www.dnsthingy.com/testimonials/
-
@steve973 said in Questions about using pfsense to restrict internet content for my kids:
@bmeeks Hello. It's been a while. I just got a Ubiquiti UniFi UAP-AC-M and I have made sure that I have internet access on my OPT port of my SG-1100. But since I'm not on the same subnet, I cannot locate my device with the UniFi manager app. Do you have any suggestions about how I can do this?
Put your UniFi Controller and the APs on your LAN (the unrestricted 10.0.0.0/24 network). Then within UniFi controller create the VLAN for your restricted WiFi (using the VLAN ID). The UniFi APs will segregate the VLAN traffic for you and give the Guest Wi-Fi (the restricted network) the proper VLAN tag you specify.