Pre-Sales Questions - Creating Complex Access Schedules for Clients (teenagers)



  • After some hours of reading the Wiki, I still have some pre-sales questions. I am considering buying an SG-2220 to replace my existing Wal-Mart quality Linksys router.

    Q. - Can I create complex access schedules under pfSense which restrict certain MAC and/or IP addresses from (1) all network and internet access, (2) all internet access, (3) filtered internet access?  Sometimes I don't want my kids (teenagers) to be able to access anything outside their own computer (no local network and no internet). Sometimes I just want to limit their access (e.g. Wikipedia is OK; Blood Guts and Gore Gaming is not).

    Q. - Can I create schedules which start one day and end another? One would think this is obvious, but on my existing cheapie router, I can't have a schedule that runs from 10pm to 6am, because the moronic interface on my router can't figure out that I mean 6am the next day.

    Q. - After programming pfSense with my schedules, can I create simple toggles that my wife, who is even less tech than I am, can log in to toggle on or off restrictions for certain MAC and/or IP addresses?

    Q. - Can I set up the DHCP service so that certain MAC addresses are always denied a lease? I like to set up my router so that everything that is normally on my network has a reserved address. The only devices to get DHCP leases should be guests, and I want to be able to easily toggle DHCP service on and off.

    Q. - Can I set up logging for specific MAC and/or IP addresses which logs all addresses that those devices visit and when?

    When you're used to spending <$100 for a router, spending $300 is a big step up. No doubt that pfSense is incredibly robust, but after much research, I still can't determine whether I can program it to keep my kids from wasting hours in the middle of the night playing games and surfing the web.



  • If you want to satisfy yourself completely whilst familiarising yourself a bit better, download a copy of pfSense onto an old laptop or something, or even run it in VirtualBox (like VMware), add as many NICs as you want/need and see if it does what you want.

    In virtualisation software you can "bridge" the NICs, so instead of acting and behaving like your main computer's network card using its IP address, a virtual guest with a bridged NIC can use the physical NIC but with a different IP address, and you can add quite a lot of different types of NICs to a virtual guest, i.e. you can also create your own mini network and other virtual guests to simulate your actual physical network & connected devices layout.

    So if you have, say, an old laptop with WiFi, that gives you a WiFi NIC and a cabled NIC, plus you could also plug in some cheap USB NICs to the USB ports to add more cabled NICs if you need them; just bear in mind the USB NICs will only run as fast as the USB bus, which can sometimes be a bit slower than WiFi & the physical NIC built into the laptop/add-on card based NICs.

    YMMV

    _Q. - Can I create complex access schedules under pfSense which restrict certain MAC and/or IP addresses from (1) all network and internet access, (2) all internet access, (3) filtered internet access?_

    Give devices you want to control a static IP in the DHCP server for the interface in question.
    Next create an Alias for the IP addresses you want to control. Let's say you have two kids, each with games consoles; you can blanket ban both of them on a schedule by creating one alias called "games console" and putting each IP address under the one alias, or you might have two kids where both can play them on different schedules. In this case, you would create an alias for each games console.

    You don't even need to use Aliases to control the access, as you can just as easily set up a fw rule to control the destination IP address.

    You can use aliases to create allowed websites, like one for Wikipedia; you would need to look up the IP address range for Wikipedia if they have a nice block of IP addresses, or you could add all the different domain names into an alias called Wikipedia, which might be easier, e.g. www.wikepedia.com, wikipedia.com, media.wikipedia.com, mobile.wikipedia.com.

    Something else you can do is create an alias which calls one or more aliases, so you could create an alias called Allowed Education, and in there you could then add your Wikipedia alias and say another alias for Britannica encyclopedias, which is an alias that just has the different domains and subdomains in it.

    You can then create a rule which uses the Allowed Education alias in a rule on a schedule.

    _Q. - Can I create schedules which start one day and end another?_

    What you need to do is create multiple schedules.
    Let's say you want them to have unrestricted access to games networks from Friday 15:00 through to Sunday 18:00; you would need to create a schedule for Friday from 15:00 to midnight, Saturday all day, and Sunday midnight to 18:00.

    Like Aliases, you would create a schedule and then choose it in the firewall rule, but as it's just a drop-down, you need to configure the schedules you envisage using/needing in as few permutations as possible, otherwise you will be scrolling through a massive list of drop-down options. In other words, make the schedules as generic as possible.

    _Q. - After programming pfSense with my schedules, can I create simple toggles that my wife, who is even less tech than I am, can log in to toggle on or off restrictions for certain MAC and/or IP addresses?_

    If you want to toggle individual devices, your best bet would be to create some allow rules which remain disabled at the top of the firewall rule list. FW rules work top down: if the device matches the rule, the action is either allowed, blocked or rejected, depending on how the rule is set up. If you want them to be kept hanging around wondering if they will connect, use a block rule, as the device will keep trying as there's no response; if you want them to know straight away they are not allowed to connect, use a reject rule.
    So if you want to have a rule that allows games consoles to be played out of the normal schedule, create a rule for the game console in question (assuming only one child gets the reward, not both, in the hypothetical two-kid scenario mentioned above), but leave it disabled. Your wife/other half would need to know how to log in to pfSense (which you can set up as a separate user) to avoid any cock-ups that leave you locked out, and can enable the fw rule, but make sure these special occasion rules are before all other rules. Then all she has to do is go in and click Enable, but she will need to remember to go back in and disable it to kill off the state, and keep an eye on states; some versions of pfSense didn't kill the states as expected, which meant games consoles carried on working after the scheduled shutdown time.

    _Q. - Can I set up the DHCP service so that certain MAC addresses are always denied a lease?_

    Give them an IP address but have a fw rule which blocks all their access; this way you can also log, if so inclined, to see how many times they hit their head against a brick wall. If using this on WiFi, you could have the DHCP give out an IP address but have a rule to block the IP addresses given out by the DHCP server. Your WiFi devices could be allocated an IP address based on their MAC ID, and then fw rules could allow your household WiFi devices access according to the schedules, aliases and rules you have set up. It's a good way to see if your kids' friends have sneaked in at times you don't permit, as chances are their mobile will connect to the DHCP if they have used it once before when around officially, but it does involve checking the logs.

    _Q. - Can I set up logging for specific MAC and/or IP addresses which logs all addresses that those devices visit and when?_

    Yes, send everything from the syslog to a separate device; a little Raspberry Pi running with an external HD connected to it makes an ideal low-cost syslog server. rsyslog is better, but make sure you expand the message size to the max, which is about 64K wide on rsyslog. Make sure you set up iptables on it to only allow syslog events through. They all tend to be plaintext UDP, so no need to write your own little MITM app to break the encryption and mirror the communication, but it's a good backup in case your network gets hacked and you need to know how. You can also use Windows to do this (needs a free app which you can find by googling) and Linux configs, but personally, for extra peace of mind, rewrite the network driver on any open-source OS and then handle the network traffic data yourself, but this involves an awful lot of work and potentially renders all other packages available on the OS useless, depending on the approach you take. This way you make the NSA and other countries' spooks & hackers work harder to get into your system, and it can be quite illuminating seeing the zero days they have bought.  ;D
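As an added example (not code from any post in this thread), here is a small parser that reads pfSense filterlog lines once they have been forwarded to an rsyslog box, lists what one watched LAN address connected to and when, and flags the hits that fall inside a curfew window that crosses midnight (the 22:00 to 06:00 case raised above). The filterlog field offsets, the sample log lines and the addresses in them are my own assumptions and constructions, not taken from the thread.

```python
"""Added example, not from the thread: summarise pfSense filterlog lines (as forwarded
to a remote syslog box) for one watched LAN address and flag hits inside a curfew window
that may cross midnight. Field offsets assume the pfSense 2.2+ filterlog CSV layout."""
import re
from datetime import time

# Constructed sample lines; 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
Jan 12 21:40:11 pfSense filterlog[2345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.1.50,198.51.100.20,51234,443,0,S,1,,65535,,mss
Jan 12 23:15:02 pfSense filterlog[2345]: 7,,,1000000105,igb1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51240,3074,0,S,2,,65535,,mss
Jan 13 02:03:44 pfSense filterlog[2345]: 7,,,1000000105,igb1,match,block,in,4,0x0,,64,1003,0,none,17,udp,78,192.168.1.50,203.0.113.9,51241,3074,58
Jan 13 07:30:00 pfSense filterlog[2345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.51,198.51.100.20,40000,443,0,S,3,,65535,,mss
"""
CURFEW = (time(22, 0), time(6, 0))  # restricted window; wraps past midnight

SYSLOG_LINE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s.*?filterlog\[\d+\]:\s*(.*)$")

def parse_filterlog(line):
    """Return (time_of_day, action, src, dst, dstport) or None for non-filterlog lines."""
    m = SYSLOG_LINE.match(line)
    f = m.group(4).split(",") if m else []
    if len(f) < 9:  # rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
        return None
    # IPv4: 8 version-specific fields, then length,src,dst (18/19); IPv6: 5, then 15/16.
    base, proto_idx = (18, 16) if f[8] == "4" else (15, 12)
    if len(f) <= base + 1:
        return None
    dstport = f[base + 3] if f[proto_idx] in ("tcp", "udp") and len(f) > base + 3 else ""
    tod = time(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return tod, f[6], f[base], f[base + 1], dstport

def in_window(t, start, end):
    """True if t is in [start, end); start > end means the window wraps midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def curfew_report(log_text, watched_ip, curfew_start, curfew_end):
    """Rows (hh:mm:ss, action, dst, dstport, in_curfew) for traffic from watched_ip."""
    rows = []
    for rec in filter(None, map(parse_filterlog, log_text.splitlines())):
        tod, action, src, dst, dstport = rec
        if src == watched_ip:
            rows.append((tod.strftime("%H:%M:%S"), action, dst, dstport,
                         in_window(tod, curfew_start, curfew_end)))
    return rows

if __name__ == "__main__":
    for row in curfew_report(SAMPLE_LOG, "192.168.1.50", *CURFEW):
        print(row)
```

Point it at the file rsyslog writes for the pfSense host and it gives the per-device "who went where, and when" view asked for, with the night-time hits called out.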



  • @SoonerLater:

    After some hours of reading the Wiki, I still have some pre-sales questions. I am considering buying an SG-2220 to replace my existing Wal-Mart quality Linksys router.

    Q. - Can I create complex access schedules under pfSense which restrict certain MAC and/or IP addresses from (1) all network and internet access, (2) all internet access, (3) filtered internet access?  Sometimes I don't want my kids (teenagers) to be able to access anything outside their own computer (no local network and no internet). Sometimes I just want to limit their access (e.g. Wikipedia is OK; Blood Guts and Gore Gaming is not).

    Yes.  It's not easy and will be a lot of work, but it can be done.

    Content filtering can be done with a package or something else like OpenDNS for example.  Both require configuration.

    Q. - Can I create schedules which start one day and end another? One would think this is obvious, but on my existing cheapie router, I can't have a schedule that runs from 10pm to 6am, because the moronic interface on my router can't figure out that I mean 6am the next day.

    Yes, see the Schedule screen shot enclosed.

    Q. - After programming pfSense with my schedules, can I create simple toggles that my wife, who is even less tech than I am, can log in to toggle on or off restrictions for certain MAC and/or IP addresses?

    No.  Schedules are time-based firewall rules.  You would need to modify those rules in the pfSense interface.  So there would be some navigation, identification of the appropriate rule, and enabling/disabling that rule.  Since you seem to have complex schedules, there will be quite a few rules.

    Q. - Can I set up the DHCP service so that certain MAC addresses are always denied a lease? I like to set up my router so that everything that is normally on my network has a reserved address. The only devices to get DHCP leases should be guests, and I want to be able to easily toggle DHCP service on and off.

    Yes, but it might be easier to use Captive Portal instead.  You can exempt your devices from using captive portal by MAC, and those that you want to allow access onto the network would need to go through the captive portal.

    Q. - Can I set up logging for specific MAC and/or IP addresses which logs all addresses that those devices visit and when?

    When you're used to spending <$100 for a router, spending $300 is a big step up. No doubt that pfSense is incredibly robust, but after much research, I still can't determine whether I can program it to keep my kids from wasting hours in the middle of the night playing games and surfing the web.

    No.  There may be a package that does this, but none that I've used.  pfSense is a firewall/router, not a network monitoring appliance.  I think E2guardian might do this, but I'm not sure.  It's a package that is awaiting approval, so you'd need to install it on your own in the meantime.