Documentation for "Family" Firewall Setup


  • So I've been using PFSense for a couple years now as my firewall/gateway at my house.

    Modem <--> PFSense Physical Machine <--> Rest of the Network (including wired and wireless switches)

    A few weeks ago my wife threw a fit at the amount of time the kids spend online and their lack of interest in doing their homework and general reluctance to listen to us...so she demanded I set up a general "parental control" situation (time locking all internet access to kid devices with the ability to filter specific websites such as "Netflix" and online gaming such as "League of Legends" while leaving other educational websites turned on.)

    She was pissed, and because I'd ignored the request for a while I found myself in a situation where I needed a solution RIGHT NOW.  With a lack of documentation and not enough time to figure out all the components in PFSense, I did the "panic research" on consumer family firewall/routers and ran out and bought one...

    A significant mistake.  While I've got much better wireless technology now, there is nothing that is going to compare to a well set up custom box for security, and I've had more problems with our home network and internet connectivity in the last couple weeks than in the last several years with PFSense at the helm.

    I've bought some time for myself and I WANT to roll back to my trusted PFSense firewall solution, but I need documentation to work through/with on the best method of setting up Squid, SquidGuard/Dansguardian, and any other packages / scripts required to support a comprehensive Parent Controlled Internet experience.

    I'm not asking for anyone to document the process, I'm asking for community advice on the best resource(s) I'm going to find for turning PFSense into a better equivalent of a Linksys or Asus wireless router with "family filter" protection.

    Specifically I'm needing:

    • Time based restrictions by MAC that can be turned on/off.
    • Website based restrictions, again by MAC (the best I can come up with is, for instance, blocking "Facebook" or "Netflix" without having to input all 200 IP Addresses these sites can come up as).
    • The ability to modify these restrictions in an intelligible way (such as turning on / off groups of rules that apply to specific things).

    I'm a Linux sysadmin by trade, I'm not afraid to get in and do the work, I just need good documentation on how these packages work and how to configure them for what I need.  I have found some pre-canned work on these forums that indicates it would set things up in at least a close representation of what I'd want, but running someone else's script and hoping it does what I want it to do is not what I'm looking for.

    Any recommendations on setup documentation for managing this task would be most appreciated.


  • Honestly, for home use, I would suggest using something like Circle by Disney for filtering. It is only $100 and it is just a device that hangs off a port on your switch, allowing you to use pfsense as your firewall. No annual license. To me, that was much easier. I have tried setting up squid in the past and dansguardian and it never worked right. Just my two cents.

    https://meetcircle.com/


  • First, trying to filter on MAC addresses using pfsense and Dan's Guardian isn't (as far as I know) really possible. Give your kids' devices DHCP reservations so you don't have to try to filter on MAC addresses. Put the kids' stuff in the high end of the IP address range, and your unrestricted stuff in the low end, then you can create simple rules with subnet masks.

    For example, if your private network space is 192.168.1.0/24, put your unrestricted stuff at 192.168.1.1, 192.168.1.2, etc and your kids' stuff at 192.168.1.129, 192.168.1.130, etc. Then, your rules have simple masks: 192.168.1.0/25 for your stuff, and 192.168.1.128/25 for the kids.

    This, of course, assumes they aren't technically knowledgeable enough to figure out your scheme and hardcode an IP address. If they are, you may need to use VLANs or physically separate networks to segregate the traffic. I suppose you could create a cron job on the pfsense box that periodically dumps the ARP cache, finds their MAC addresses, and sends you an email if they don't have an IP address in the proper range.

    Next, I suggest you don't try to run squid and Dan's Guardian on the pfsense box. It's just not a good idea from a security point of view, and it complicates the configuration. Getting Squid and Dan's Guardian running on a dedicated linux server is well documented.

    If you really want one box, get something with 2 cores and 4GB of RAM and run ESXi. Make your pfsense and squid servers virtuals.

    If you really want to impress the wife, put apache on the squid server and create a little password protected web page that runs a script to turn off and on the squid service. Put a shortcut to this page on your wife's phone. When the kids aren't listening to Mom, she can cut them off from the internet with one click.
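    The ARP-cache check from the post above, written out as an added example (this is not the poster's script, and not part of pfSense). It assumes the /25 split from the post (kids at 192.168.1.128/25), a constructed list of the kids' MAC addresses, and the `arp -an` output format that FreeBSD (and therefore pfSense) prints; the mail recipient and the `--live` flag are assumptions as well. Run it by hand with `--live` to check the real ARP table, or drop that invocation into cron; without the flag it runs against a constructed sample so you can see what a stray looks like.

```shell
#!/bin/sh
# Report kids' devices whose current IP is outside the kids' half of the LAN.
# Assumptions (constructed for this example): MAC list, kids' subnet, mail recipient.
KID_MACS="aa:bb:cc:00:00:01 aa:bb:cc:00:00:02"   # the kids' devices (constructed)
KID_NET="192.168.1.128/25"                        # kids' half of the LAN, as in the post
MAIL_TO="admin@example.invalid"                   # placeholder recipient

# Constructed sample of `arp -an` output in FreeBSD/pfSense format, one stray on purpose.
SAMPLE_ARP='? (192.168.1.1) at 00:0c:29:11:22:33 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.130) at aa:bb:cc:00:00:01 on em1 expires in 900 seconds [ethernet]
? (192.168.1.7) at aa:bb:cc:00:00:02 on em1 expires in 640 seconds [ethernet]
? (192.168.1.9) at (incomplete) on em1 expired [ethernet]'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 if IP falls inside NET/BITS
in_cidr() {
  addr_n=$(ip_to_int "$1")
  net_n=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr_n & mask )) -eq $(( net_n & mask )) ]
}

# find_strays "ARP-OUTPUT" -> prints "mac ip" for each kid MAC seen outside KID_NET
find_strays() {
  printf '%s\n' "$1" | while read -r line; do
    # Pull "(ip) at mac" out of the line; incomplete entries yield an empty mac.
    ip=$(printf '%s' "$line" | sed -n 's/.*(\([0-9.]*\)) at \([0-9a-fA-F:]*\).*/\1/p')
    mac=$(printf '%s' "$line" | sed -n 's/.*(\([0-9.]*\)) at \([0-9a-fA-F:]*\).*/\2/p')
    [ -n "$ip" ] && [ -n "$mac" ] || continue
    # Only the kids' MACs are of interest.
    case " $KID_MACS " in *" $mac "*) ;; *) continue ;; esac
    in_cidr "$ip" "$KID_NET" || printf '%s %s\n' "$mac" "$ip"
  done
}

if [ "${1:-}" = "--live" ]; then
  # Cron mode: read the real ARP table and mail only when something is off.
  strays=$(find_strays "$(arp -an)")
  [ -n "$strays" ] && printf 'Kid devices outside %s:\n%s\n' "$KID_NET" "$strays" \
    | mail -s "pfSense: kid device outside its IP range" "$MAIL_TO"
else
  # Demo mode: run against the constructed sample.
  echo "Strays in sample ARP table:"
  find_strays "$SAMPLE_ARP"
fi
```

    A device that hardcodes an address in the parents' half shows up here within one ARP timeout, which is the gap the poster is pointing at; the same idea works on a Linux Squid box, since Linux `arp -an` prints the same `(ip) at mac` pair.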


  • Maybe OpenDNS Home?


  • @AR15USR:

    Maybe OpenDNS Home?

    That's super easy to bypass imo.


  • LAYER 8 Global Moderator

    the circle thing looks kind of slick, but not a big fan of arp spoofing to manage anything..  That's pretty freaking simple to bypass…  I think such is for your typical user...  Which is a good thing.

    But seems the OP wants to get a bit more involved than some magic box.

    Blocking access on schedule is very simple.  As to content filtering that can get more difficult...  But you can proxy on pfsense without much issue.


  • I've been using Squid and Dansguardian for about 10 years (but running Ubuntu server).  I would recommend using e2guardian rather than Dansguardian.  It is a fork that has added quite a bit and is active (Dansguardian updates and support seem to be fizzling out).

    With e2guardian/Dansguardian you can create different filter sets and then direct them to the proper port based on ip range or subnet.  In my Ubuntu setup I'm using Shorewall as the firewall and that's how I redirect.  I'm working on coming up with the same type of setup in pfSense, but haven't quite gotten there yet.

    Here is a link that is specific to setting this up in Ubuntu, but it might give you some good ideas that you can use in your setup on pfSense.

    https://www.branchdistrictlibrary.org/professional/ubuntu_precise_dg.php

    The info in the link is from a gentleman who sets this up for a library system he works for, but as I mentioned I've been using a very similar setup at home for many years.  The link also uses Dansguardian, but I don't imagine it would be much different setting up e2guardian.

    I'm looking at doing something similar to what you're doing with the MAC addresses, but I am hoping to put together a quick web page hosted on my box that will allow my wife to turn access off/on for specific devices (kids' Kindles, XBox, etc).  In my current setup I have a similar page that will allow my wife to whitelist sites without my help and without her having to log in to the administration of the server.

    I hope this didn't stray too far from your questions, maybe some of it will be helpful to you.

    I'm going to watch this topic in case you post updates on your progress.  If you do, maybe I'll post some of mine too since I'm trying to accomplish similar things as I move my environment over to pfSense.