Yes, but most kids don't go into a router!

Most kids won't touch the router but they will touch the computer or client. If you set OpenDNS as the DNS on the router, then all they have to do is open Settings --> Wi-Fi --> "Choose the Network" --> and enter a different DNS for that setting to be overridden. Their client will no longer use OpenDNS. The same goes for Windows and Mac.
 
Yes, but most kids will want to get to a website and will google how to do it; in a few minutes they will find what they were looking for, and in a few more minutes they will have changed their computer's DNS settings.


Most kids won't touch the router but they will touch the computer or client. If you set OpenDNS as the DNS on the router, then all they have to do is open Settings --> Wi-Fi --> "Choose the Network" --> and enter a different DNS for that setting to be overridden. Their client will no longer use OpenDNS. The same goes for Windows and Mac.

This is why it is essential that kids do not have access to an admin account. Without admin credentials, they can't change DNS. And lots of other things become nearly impossible, which is good for parents that want control.

Standard, non-admin accounts (and parental controls on mobile devices) are the first step.
 
This is why it is essential that kids do not have access to an admin account. Without admin credentials, they can't change DNS. And lots of other things become nearly impossible, which is good for parents that want control.

Standard, non-admin accounts (and parental controls on mobile devices) are the first step.

The only reason I mentioned it is that single-user devices such as Apple devices and Android phones and tablets don't necessarily come with standard and admin accounts; instead you might have to rely on an external tool such as Apple Configurator or the equivalent for Android to prevent access to the network settings.
 
This is why it is essential that kids do not have access to an admin account. Without admin credentials, they can't change DNS.

Standard, non-admin accounts (and parental controls on mobile devices) are the first step.
You'd be surprised what a kid can learn when their parents aren't too tech savvy, haha.
 
There was a really, really slick app a few years back. Lithium I think it was? Back in 2003-2007, somewhere in there. Anyone remember it? They advertised heavily in all the Mac periodicals.

Haven't heard a peep from them in years. Has someone else adopted the project? It was damn good.

[EDIT] found this archived page if anyone's interested. Lithium was way ahead of its time, and still better visually than anything since. I've been out of big iron enterprise installations for a few years now though.

http://fireballed.org/linked/2011/04/15/lithium/
 
Yes, but most kids will want to get to a website and will google how to do it; in a few minutes they will find what they were looking for, and in a few more minutes they will have changed their computer's DNS settings.
Do you really think a kid without the admin password to a Linux-based router 192.168.0.1 will circumvent this?
Code:
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.1:53
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.1:53
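The two DNAT rules above, reworked as an added example (not from the thread or from any router firmware) into a script that can be re-run from a boot hook: it limits the redirect to the LAN interface, skips queries already addressed to the router, and only appends a rule when it is not already present. The interface name br0 and the resolver address 192.168.0.1 are assumptions.

```shell
#!/bin/sh
# Added example: idempotent DNS-redirect rules for a Linux-based home router.
# Assumed (not from the thread): LAN bridge br0, router resolver 192.168.0.1,
# a firmware with iptables and the nat table (OpenWrt/DD-WRT/Tomato style).
set -eu

ROUTER_DNS="${ROUTER_DNS:-192.168.0.1}"
LAN_IF="${LAN_IF:-br0}"

# Print the chain plus match/target part of one redirect rule for tcp or udp.
# Matching only the LAN interface keeps WAN-side traffic out of the rule, and
# excluding traffic already aimed at the router avoids a redundant rewrite.
dns_redirect_rule() {
    proto="$1"
    printf 'PREROUTING -i %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
        "$LAN_IF" "$ROUTER_DNS" "$proto" "$ROUTER_DNS"
}

# Append the rule only when -C (check) reports it missing, so running the
# script again at every boot does not stack duplicate rules.
ensure_rule() {
    rule=$(dns_redirect_rule "$1")
    # shellcheck disable=SC2086  # splitting the rule into arguments is intended
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
}

# Quick post-apply check: number of port-53 DNAT rules in the nat table (expect 2).
count_dns_redirects() {
    iptables -t nat -S PREROUTING | grep -c -- '--dport 53 -j DNAT' || true
}

# Touch the firewall only when asked explicitly, so the functions can be sourced safely.
if [ "${1:-}" = "apply" ]; then
    for p in tcp udp; do ensure_rule "$p"; done
    echo "DNS redirect rules present: $(count_dns_redirects)"
fi
```

The rules only see plaintext DNS on port 53, so they enforce the router's resolver for clients using the default DNS settings the thread is discussing.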
 
… I would like to have better control and monitoring of my network, to determine data usage, security, and potential parental content monitoring.

I have looked into a few different options such as Wireshark, Domotz, etc. but they seem complicated. Is there something that makes sense for a non IT person on a home network?

A few years ago I took an interest in a product that was open source and partly community-driven and, if I recall correctly, ran on (required) a dedicated computer. Right now I can't recall the name of the product.

Whilst I try to find it – and (re)discover whether it's suitably non-complicated – is that the type of thing that might interest you, @10661776? Counting the number of networked items in your list of things at home, I guess that you already have a suitable spare computer.

Postscript

Found, almost uppermost amongst DuckDuckGo search results for live CD network filter open source:

Web Filter Lite | Untangle

Beyond that point I have not browsed the site, I assume that the product is significantly different from (and no less usable than) the non-lite product that I tested years ago.
 
I'm not sure if this is exactly what you're talking about. I didn't want to go into detail, so I only took a couple of screen grabs.
I use a UniFi system: a router, switch and 2 WiFi access points.
The screenshots are from the dashboard that configures and monitors everything that passes through. It can be as detailed as one would want.
I'm sure there are plenty of other systems that can/will do more, but this was a very easy system to set up and now monitor.

 
Do you really think a kid without the admin password to a Linux-based router 192.168.0.1 will circumvent this?
Code:
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.1:53
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.1:53

I'm talking about the basic home router with the default OS, not a nice managed router or a firmware overwrite. Yes, there are ways to proof your network and this is one of them; this is if you want to do some tech support (aka handholding) with the person wanting to implement iptables. As it is a simple command for you and me, I wouldn't throw it off on someone else without giving them an explanation. You also forgot one important command that would leave many scratching their head.

Code:
copy running-config startup-config
 
I'm talking about the basic home router with the default OS, not a nice managed router or a firmware overwrite.
Call me biased, but open/dd/tomato is actually easier to operate and maintain than any stock firmware. Same commands as in the OS X terminal, after all, and nice GUIs. People just need to know they are easily available (and not as "enthusiast" routers).

Yes there are ways to proof your network and this is one of them, this is if you want to do some tech support (aka handholding) with the person wanting to implement iptables.

True, however in OpenWRT LuCI it's a matter of ticking a single box reading "intercept all DNS queries" with an accompanying explanation: click, job done.

You also forgot one important command that would leave many scratching their head.
Code:
copy running-config startup-config

You're absolutely right, I just wanted to highlight iptables as an effective tool against using external DNS and (in a limited way) proxy servers; this wasn't meant as a full instructable though.
 
The only reason I mentioned it is that single-user devices such as Apple devices and Android phones and tablets don't necessarily come with standard and admin accounts; instead you might have to rely on an external tool such as Apple Configurator or the equivalent for Android to prevent access to the network settings.


Agreed. PITA for the average parent, too big a learning curve. It would be great if mobile devices had the ability to lock a few basics like DNS with simple integrated parental controls.
I have the UniFi Security Gateway, yeah.
Also have the 8-port PoE UniFi Switch and 2 UniFi UAP AC Pro access points and the CloudKey.


I run the EdgeRouter X SFP, and two AC Lite APs running on the PoE ports. Nice, but I would prefer a simpler interface, and don't really need most of the routing power of the X SFP.

Thinking of testing the Security Gateway....how do you like it?
 
Agreed. PITA for the average parent, too big a learning curve. It would be great if mobile devices had the ability to lock a few basics like DNS with simple integrated parental controls.


I run the EdgeRouter X SFP, and two AC Lite APs running on the PoE ports. Nice, but I would prefer a simpler interface, and don't really need most of the routing power of the X SFP.

Thinking of testing the Security Gateway....how do you like it?
I started with the EdgeRouter X, then purchased the UniFi Gateway and sold the Edge on Amazon.
I also have an EdgeSwitch Lite, and I was just wanting one interface to rule them all, essentially.

I do have a small 8-port switch I bought from Monoprice sitting in the living room entertainment center to hardwire the receiver, Apple TV, TV and DirecTV with.

And I forgot the other AP: I have a UniFi in-wall AP in my nephew's bedroom. For some reason his little corner of the house wasn't getting the greatest signal, but one step outside his door and it was great. So I ended up running the in-wall in there and it fixed him up.

I also previously had the UniFi AC LRs and they just didn't impress me as much. I upgraded to the Pros and sold off the others, and I've been happy.


This is what I've finally ended up with after going from multiple AirPort setups over the years to 3 AC models.
Tried the Linksys 1900AC x 2.
A pair of EnGenius AC routers.

I also have all UniFi APs at my office locations, now 3, and I can set up and control multiple WiFi networks over many different APs from the CloudKey controller I have at home.
It's making my more complicated setup and multiple APs much easier to take care of than previously.

Whew that was a mouthful.

 
Just one more quick question: setting up a transparent proxy rule in UniFi Gateway, is it possible from the GUI? (I have Squid running on another machine and need to keep it that way: metered connection, 3 heavy web users at home.)
 