Can I do this? How?



  • I would like to do some fancy internet access control for the children. I don't know if what I am considering is possible with my current hardware, or possible with some small expenditure on new hardware.

    The main problem, as always, is Facebook (and possibly Skype). What I hoped to do was prevent the children accessing Facebook on their computers over the wireless connection, but allow it with an ethernet connection (so they are in the living room and easily supervised). I would also like to limit their total internet time per day, across all browsing devices.

    I have a Netgear ADSL modem/router/wireless AP. I also have an Asus router/wireless AP. And I have a AOpen DE2700 with 320GiB HD I can use for pfsense (or other appropriate software).

    What I tried this weekend (just experimenting to see if it might work):
    I left the netgear modem untouched, except to plug the DE2700 into it. My own computers and the xbox remained connected to the Netgear. I installed pfsense 2.01 on the de2700, and plugged the Asus (in AP only mode) into it.
    In pfsense I installed squid, squidguard, freeradius. I set up squid as a transparent proxy, and set up captive portal to use radius authentication. I created some squidguard rules. On limited testing this seemed to be behaving as I expected.

    I then set the pfsense DHCP to give fixed IP addresses to the ethernet MAC addresses for the childrens computers, and created squidguard rule to allow access to facebook from those IPs but not from the dynamic IPs. On initial testing that seemed to work.

    Then I set the children on it.
    First problem: one of them had https://www.facebook.com as his homepage. The https seems not to trigger the captive portal redirect, so he never got asked to log in. The browser just hangs and eventually times out. Screaming and shouting!
    If he starts with a http page, he does get asked to log in to the captive portal. But then squidguard does not seem to block the https facebook.

    Second problem: when they were blocked on the wireless, and then connected to the ethernet and tried to load the page, they got the same block page. It seems the blocking software did not recognise they had a different IP (I confirmed that the IP was different in ipconfig). Or perhaps this is to do with the browser cache? I couldn't find a solution in the short time I played with it.

    Third problem: idle and hard timeouts do not seem to work. They logged in for a few minutes during the morning, then went out for the day. In the evening they all got messages that their time for the day had been used. I had set a 5 minute idle timeout and 60 minute hard timeout, but when I checked, their sessions were still going 6 hours later.

    Can anyone suggest how to achieve what I want? Can I do it with my current hardware? If not, or even if I can, what would be better hardware for this problem? (should I get a wireless card for the de2700 so the wireless and wired are on separate interfaces, instead of trying to assign different IPs?)

    Is there any way to block https for one domain, while allowing it for others?

    Why did the captive portal timeout not work?

    I don't know much about networks, but can usually pick up tech stuff fairly easily. Partly this current project is to help me learn, so I can set up the best possible network for us when we move into a new house in August.

    I am happy to play around with different suggestions and different software (e.g., Untangle) but do not want to spend money on this. And if I try something and it doesn't work, I need to be able to easily revert to my current working system (I don't have separate equipment for development).

    My current setup just uses the Netgear modem/router/AP and OpenDNS parental controls. Facebook and some other stuff is blocked, with bypasses on my computer and one laptop that is blocked from the wireless. So this achieves forcing the children out of their rooms to use facebook. The problems are the fights over whose turn it is, and the fact that I cannot bypass the opendns block with my tablet. And I don't have any way to limit total internet time for the children. I can limit time on each computer, but then they jump to another device (including my ones) when time runs out on their own computers.



  • To block https, you need to configure proxy settings on the browser, or create a host alias with apps.facebook.com and then assign firewall rules to it.

    The Squidguard html error page return may be changed in the acl from 301 to 302 to avoid these cache errors.



  • @timbp:

    Third problem: idle and hard timeouts do not seem to work. They logged in for a few minutes during the morning, then went out for the day. In the evening they all got messages that their time for the day had been used. I had set a 5 minute idle timeout and 60 minute hard timeout, but when I checked, their sessions were still going 6 hours later.

    I don't know about the timeouts. It's possible the timeouts are not polled but checked on an internet access.

    @timbp:

    The problems are the fights over whose turn it is,

    Can't think of a firewall rule for that one :-) You might have to exercise some "tough love".

    @timbp:

    and the fact that I cannot bypass the opendns block with my tablet.

    The tablet probably gets its DNS settings from pfSense by DHCP. If you use it in multiple locations you probably want to continue that UNLESS you are prepared to use the same DNS server (e.g. Google) regardless of where you are in which case you might be able to configure the tablet with a "fixed" DNS (ignore DNS from DHCP).

    Have you thought of using Vouchers for Captive Portal authentication?  When the voucher time expires access is blocked. A user can go to another computer (and maybe use up any remaining voucher time there) but once the voucher time has expired and they don't have an unused voucher they can't get access. You could give extra vouchers for good behaviour, cut off voucher supply for bad behaviour. (OK, my children thought I was a tough old grouch!) You could even recall vouchers for particularly bad behaviour. (I'm only just warming up!)

    I haven't used Captive Portal with RADIUS authentication but I suspect vouchers would be easier to use if you wanted to impose a fairly flexible access regime.



  • One of the easiest things you can do is set up an OpenDNS account.

    Then you can set up your router to point to their DNS servers and block out Facebook from their control panel @ OpenDNS for any client that connects to your router via DHCP. The router will either hand out OpenDNS's IP addresses as the DNS resolver or do DNS-forwarder functions.

    On any computer that you wish to use Facebook on, use a public DNS server like Google's 8.8.8.8 or Level3's 4.2.2.1. It will bypass OpenDNS results.

    Not very hard to do; takes about 10 minutes to set up.



  • While using OpenDNS, do not forget to block access to outside DNS servers from the hosts you do want to restrict.
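The two firewall-side suggestions in this thread (the host alias plus firewall rule for HTTPS Facebook, and blocking outside DNS servers so OpenDNS cannot be bypassed) can both be expressed as pf rules. The fragment below is an added example written for this page, not pfSense's generated ruleset and not code from any poster; pfSense normally builds equivalent rules from GUI aliases. The interface name, subnet and wired IP addresses are assumed values. The transparent squid/squidguard proxy only intercepts port 80, so TLS traffic to Facebook never passes through it; that is why the HTTPS case has to be handled at the packet filter. `block return` answers with a TCP reset instead of silently dropping, so a blocked browser fails immediately rather than hanging until it times out.

```pf
# Added example ruleset fragment (not from the thread). Interface, subnet and
# the children's fixed-lease addresses below are assumptions for illustration.
lan_if  = "em1"                    # assumed LAN interface (wired ports + Asus AP)
lan_net = "192.168.1.0/24"         # assumed subnet handed out by pfSense DHCP

# Fixed DHCP leases bound to the children's ethernet MAC addresses (assumed).
table <kids_wired> { 192.168.1.50, 192.168.1.51 }

# Host alias for Facebook. pf resolves hostnames when the ruleset is loaded,
# so the table goes stale unless it is reloaded (pfctl -f) or maintained by
# pfSense's periodic alias resolver.
table <facebook> { www.facebook.com, apps.facebook.com, m.facebook.com }

# 1. Pin every LAN client to the firewall's own resolver, which forwards to
#    OpenDNS. DNS to the firewall is allowed; DNS to anything else is refused,
#    so a client that is hand-configured with 8.8.8.8 gets no answers.
pass  in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53
block return in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# 2. Facebook over HTTP and HTTPS only from the wired (supervised) addresses.
#    'quick' makes the first matching rule final, so the pass comes first.
pass  in quick on $lan_if proto tcp from <kids_wired> to <facebook> port { 80, 443 }
block return in quick on $lan_if proto tcp from $lan_net to <facebook> port { 80, 443 }

# Everything else from the LAN is allowed; state is kept for the replies.
pass in on $lan_if from $lan_net to any keep state
```

Because the wired and wireless clients share one subnet, rule 2 distinguishes them by source address only: a client that sets a static address from the wired range while on wireless would match the pass rule. Putting the AP on its own interface, as the question considers, lets the block be written `on $wifi_if` instead, which a client cannot change from its side. Rule 1 also covers the tablet case in the thread: devices that take DNS from DHCP keep working, while devices with a fixed public resolver lose name resolution until they are switched back.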

