Netgate Discussion Forum

Restrict (internet) access to certain MAC addresses at specific times

Scheduled Pinned Locked Moved General pfSense Questions
14 Posts 5 Posters 6.2k Views
    Panja
    last edited by Nov 12, 2015, 8:56 AM

    I would like to restrict my daughter's iPad, Android mobile and desktop computer from accessing the internet after 9PM until 7AM.
    Is there a way to do this within pfSense? If so, could you explain how to? ;D

      muswellhillbilly
      last edited by Nov 12, 2015, 9:02 AM

      There are lots of posts on this forum and elsewhere on the internet if you Google for the information. Here are two links for starters:

      https://forum.pfsense.org/index.php?topic=22598.0
      https://doc.pfsense.org/index.php/Firewall_Rule_Schedules

      The rest I'm sure you can find if you look.

        Panja
        last edited by Nov 12, 2015, 9:23 AM

        Thanks for the reply.
        The problem is that this is done by IP and not by MAC address.
        I would like to block on MAC address instead.

        If my daughter is smart enough, and she probably is, she will just change her current IP address and go past the firewall rule I set up.

          doktornotor Banned
          last edited by Nov 12, 2015, 9:32 AM

          There is no such feature in pf packet filter.

            muswellhillbilly
            last edited by Nov 12, 2015, 9:41 AM

            @Panja:

            Thanks for the reply.
            The problem is that this is done by IP and not by MAC address.
            I would like to block on MAC address instead.

            Why not set your DHCP service on your PFS to issue static-only addresses and bind her PC's MAC to a single address? You may find you can do the same thing on your wifi AP, assuming she's using wifi to connect. You can then apply your firewall rule to her machine via the static IP she receives.

              Panja
              last edited by Nov 12, 2015, 9:56 AM Nov 12, 2015, 9:45 AM

              @doktornotor
              That's a pity. But thanks for clearing that up.

              @muswellhillbilly
              I can give her a static IP through DHCP (static lease).
              But wouldn't it just be possible to change her IP manually on the phone, iPad etc.?
              She can then pick an IP that is not blocked and still access the internet.

                Derelict LAYER 8 Netgate
                last edited by Nov 12, 2015, 10:02 AM

                Multi-SSID Wi-Fi, separate VLAN, and don't let her have the passphrase to the regular Wi-Fi.

                Re: the android, my kid would just turn off wifi and use cell data. End result, no phone. Does the iPad have cell data?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  muswellhillbilly
                  last edited by Nov 12, 2015, 1:46 PM Nov 12, 2015, 10:48 AM

                  @Panja:

                  I can give her a static IP through DHCP (static lease).
                  But wouldn't it just be possible to change her IP manually on the phone, iPad etc.?
                  She can then pick an IP that is not blocked and still access the internet.

                  So create a firewall rule which prevents all but the static addresses you define from getting internet access. Randomise the addresses - give her, say, 172.16.1.23 and something else 172.16.5.34 on a /16 subnet - and she would then have to try changing anything up to 255x255 possible addresses before finding one that might let her out. My bet is she'd lose interest fast and just learn to live with the rules you've set.

                    Derelict LAYER 8 Netgate
                    last edited by Nov 12, 2015, 11:18 AM Nov 12, 2015, 11:11 AM

                    There's always nmap, tcpdump, wireshark, etc, to do that work for her. Separate interface/VLAN is the only way to be sure.

                      Panja
                      last edited by Nov 12, 2015, 12:10 PM

                      Thanks all for thinking with me to find a solution! Cheers for that.

                      We have 2 wifi access points to cover the house with signal. Both with the same SSID to have wireless "roaming".
                      I would like to use VLANs but I don't think it's possible with my setup at the moment.

                      pfSense box --> wireless access point 1 --> unmanaged switch --> wireless access point 2

                      Could the access restriction be done with FreeRADIUS? I'm going to set up RADIUS for wifi authentication anyways.

                        Panja
                        last edited by Nov 12, 2015, 1:40 PM

                        @Panja:

                        Could the access restriction be done with FreeRADIUS? I'm going to set up RADIUS for wifi authentication anyways.

                        To answer my own question: not possible…
                        I can restrict logging on to the network, but already connected devices stay connected.
                        So for instance if I set the user logon times to be available from 07.00 - 21.00 hours:
                        when the device is connected between these hours and does not disconnect, then the connection is still available after 21.00 hours.
                        Only when the device gets disconnected and tries to reconnect is the connection no longer available.

                          Derelict LAYER 8 Netgate
                          last edited by Nov 12, 2015, 3:24 PM

                          If you want to create a discrete subnet/segment you'll need the gear for it.

                            Panja
                            last edited by Nov 12, 2015, 5:00 PM

                            I understand that but at the moment I don't have the (extra) gear for it.

                              mer
                              last edited by Nov 12, 2015, 8:18 PM

                              @Panja:

                              @Panja:

                              Could the access restriction be done with FreeRADIUS? I'm going to set up RADIUS for wifi authentication anyways.

                              To answer my own question: not possible…
                              I can restrict logging on to the network, but already connected devices stay connected.
                              So for instance if I set the user logon times to be available from 07.00 - 21.00 hours:
                              when the device is connected between these hours and does not disconnect, then the connection is still available after 21.00 hours.
                              Only when the device gets disconnected and tries to reconnect is the connection no longer available.

                              So set up a cron job to flush the states at 7:05. It may interrupt a few legitimate things, but it whacks the desired connections and then if they try to reconnect, they get hit by the scheduled block.

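The two mechanics the thread ends on, a block window that wraps past midnight and a cron job that flushes existing pf states once the window opens, plus Panja's worry that a device can sidestep an IP-based rule by picking its own address, can be put together in one script. What follows is an added example written for this page, not code from the thread, from pfSense or from Netgate. It assumes the static leases the thread proposes (172.16.1.23 and 172.16.5.34 are from the thread; the MAC addresses are constructed), parses `pfctl -ss`-style and FreeBSD `arp -an`-style lines (the sample lines are constructed, not captured from a real firewall), and emits `pfctl -k <host>` commands, which kill every state from or to that host, rather than running them; the window end is left exclusive so 07:00 is already outside it. The ARP check does not block anything (pf has no MAC match, as doktornotor says); it only reports a lease MAC seen on a different IP so the evasion can be logged.

```python
import re
from datetime import time

# Constructed DHCP static mappings (MAC -> IP), standing in for the static
# leases the thread proposes. MACs are made up; the IPs come from the thread.
STATIC_LEASES = {
    "aa:bb:cc:dd:ee:01": "172.16.1.23",
    "aa:bb:cc:dd:ee:02": "172.16.5.34",
}

BLOCK_START = time(21, 0)  # 9 PM
BLOCK_END = time(7, 0)     # 7 AM the next morning


def in_block_window(now, start=BLOCK_START, end=BLOCK_END):
    """True when `now` is inside the block window (end exclusive).

    The thread's window wraps past midnight (21:00 -> 07:00), so a plain
    `start <= now < end` test would never match; handle both shapes.
    """
    if start <= end:
        return start <= now < end
    return now >= start or now < end


# `pfctl -ss` line shape: "<if> <proto> <src>:<port> -> <dst>:<port> <state>".
# NAT'd states carry an extra "(x.x.x.x:port)" group, which the regex skips.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):\d+"
    r"(?:\s+\([\d.]+:\d+\))?\s+(?:->|<-)\s+(?P<dst>[\d.]+):\d+"
)


def parse_states(state_output):
    """Yield (proto, src, dst) from pfctl -ss style text; skip other lines."""
    for line in state_output.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.group("proto"), m.group("src"), m.group("dst")


def states_to_kill(state_output, blocked_ips):
    """Blocked IPs that currently own at least one pf state.

    The scheduled rule only governs new connections, so these are exactly
    the hosts whose existing states survive past the window start.
    """
    blocked = set(blocked_ips)
    live = {a for _, src, dst in parse_states(state_output)
            for a in (src, dst) if a in blocked}
    return sorted(live)


def kill_commands(ips):
    """pfctl -k <host> kills every state from or to that host."""
    return [f"pfctl -k {ip}" for ip in ips]


# FreeBSD `arp -an` shape: "? (172.16.1.23) at aa:bb:cc:dd:ee:01 on em1 ..."
ARP_RE = re.compile(r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})", re.I)


def lease_violations(arp_output, static_leases=STATIC_LEASES):
    """(mac, expected_ip, seen_ip) for lease MACs using some other IP."""
    issues = []
    for line in arp_output.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        mac, ip = m.group("mac").lower(), m.group("ip")
        expected = static_leases.get(mac)
        if expected and expected != ip:
            issues.append((mac, expected, ip))
    return issues


# Constructed sample output, not captured from a real firewall.
SAMPLE_STATES = """\
all tcp 172.16.1.23:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 172.16.1.23:49000 -> 172.16.0.1:53       MULTIPLE:SINGLE
all tcp 172.16.0.10:40000 (203.0.113.5:40000) -> 93.184.216.34:443   ESTABLISHED:ESTABLISHED
"""

SAMPLE_ARP = """\
? (172.16.1.23) at aa:bb:cc:dd:ee:01 on em1 expires in 1183 seconds [ethernet]
? (172.16.9.77) at aa:bb:cc:dd:ee:02 on em1 expires in 900 seconds [ethernet]
? (172.16.0.10) at 00:11:22:33:44:55 on em1 expires in 600 seconds [ethernet]
"""


def plan(now, state_output=SAMPLE_STATES, arp_output=SAMPLE_ARP):
    """What the cron job would do at `now`: inside the window, list kills."""
    if not in_block_window(now):
        return []
    return kill_commands(states_to_kill(state_output, STATIC_LEASES.values()))


if __name__ == "__main__":
    for cmd in plan(time(21, 5)):
        print(cmd)
    for mac, want, got in lease_violations(SAMPLE_ARP):
        print(f"{mac} leased {want} but is using {got}")
```

Run from cron a few minutes after the window opens, the real job would feed `pfctl -ss` and `arp -an` output into `plan()` and `lease_violations()` and execute the returned commands; here the sample text stands in for both so the script runs offline.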
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.