Segment Airport-based Home Network

Discussion in 'Mac OS X Server, Xserve, and Networking' started by HyperliteG4, Mar 31, 2015.

  1. HyperliteG4 macrumors regular

    HyperliteG4

    Joined:
    Jul 18, 2002
    Location:
    Southern California
    #1
    I would like to segment my network up so that I can better lock down my kids as they are getting to the ages where I'll need to get them a computer.

    I would prefer to use OpenDNS's filtering services on a router level; however, I don't want to lock my wife and me down too much, which is why I'm wondering about segmenting.

    I currently have an Airport Extreme A/C, Airport Extreme (2011 model) and 2 current Airport Expresses. We are a pretty well Mac-based household with 1 iMac, 2 MBPs, 3 iPad minis, 2 iPhones and 2 ATVs.

    I did some digging and found a tip about creating a separate pool for the kids' devices where they use OpenDNS for their DNS and I could leave everything else untouched. I already lock them out of modifying the network settings on their devices, so them changing this shouldn't be much of an issue.

    Here's a link to that article: http://joeywhelan.blogspot.com/2013/09/dns-jailed-network.html

    Does anyone have any recommendations they could share or give me a pointer of what equipment I might need or whatnot? I'm wondering if I should use a Mac Mini as a home server and do the DHCP there or are there other devices? Any help is greatly appreciated!!
     
  2. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #2
    If you truly want to lock out various web sites, OpenDNS won't work since it doesn't do deep-packet inspection (that was why I switched to Cymphonix Composer a few years ago). Using proxy servers or simply bypassing using https is a breeze, and kids being kids...
    Without the expensive equipment there are few choices. One is using a whitelist on the Mac itself, and THAT will mean quite a bit of hands-on making settings changes. There's also the "access window" method, which is to have your router set up access only during certain hours, and starting the DHCP higher up allowing your own machine 24/7 access with no filter. And there's "in full view", in that they can't cuddle up in bed all alone when they do have full access.
    It's been a while since I've had to think of a solution as my daughter is 20 now and she has of course full access. I'd be interested in seeing any other solutions from readers.
     
  3. BS_Squasher, Jan 31, 2016
    Last edited: Jan 31, 2016

    BS_Squasher macrumors newbie

    Joined:
    Jan 31, 2016
    #3
    I don't believe you understood the technical details of the article that Hyperlite posted. I don't see bypassing that configuration specified "a breeze", at all. Https is no help and neither is "kids being kids." If you believe differently still, go ahead and show a detailed example of how you would bypass the VLAN/OpenDNS configuration specified. Feel free to get as technical as you like in that scenario description.

    "Deep-packet" inspection is certainly necessary in firewalls. It is not necessary for our kids. It's unnecessary complexity and unnecessary cost.

    OpenDNS protections alone could be circumvented by kids that understand DNS; however, they will not easily get around the additional barriers implemented using a VLAN with an ACL, as described.

    So to answer Hyperlite's question: you simply need a router that can implement VLANs and ACLs. Put your kids in a VLAN that has an ACL that restricts all DNS queries to OpenDNS. Then, use OpenDNS's interface to lock down their content.
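
The VLAN-plus-ACL arrangement described in post #3, modelled as a first-match rule list and checked against sample traffic. This is an added example, not part of any post in the thread or of the linked article; the kids' VLAN subnet (192.168.20.0/24), the rule layout and the sample packets are assumptions constructed for illustration.

```python
"""First-match ACL for a kids' VLAN that pins DNS to OpenDNS (constructed example)."""
from ipaddress import ip_address, ip_network

# Assumed addressing for the kids' VLAN; not taken from the thread.
KIDS_VLAN = ip_network("192.168.20.0/24")
# OpenDNS public resolver addresses.
OPENDNS = [ip_network("208.67.222.222/32"), ip_network("208.67.220.220/32")]
ANY = [ip_network("0.0.0.0/0")]

# Each rule: (action, protocols, destination networks, destination port or None = any).
# Order matters: the first matching rule decides.
ACL = [
    ("permit", {"udp", "tcp"}, OPENDNS, 53),    # DNS to OpenDNS only
    ("deny",   {"udp", "tcp"}, ANY,     53),    # DNS to any other resolver
    ("permit", {"udp", "tcp"}, ANY,     None),  # all remaining traffic
]

def evaluate(src, dst, proto, dport):
    """Return the action of the first matching rule (implicit deny at the end)."""
    if ip_address(src) not in KIDS_VLAN:
        return "not-applicable"  # the ACL is bound to the kids' VLAN only
    dst_ip = ip_address(dst)
    for action, protos, nets, port in ACL:
        port_ok = port is None or port == dport
        if proto in protos and port_ok and any(dst_ip in n for n in nets):
            return action
    return "deny"

# Constructed sample packets: (source, destination, protocol, destination port).
SAMPLES = [
    ("192.168.20.15", "208.67.222.222", "udp", 53),  # kid device -> OpenDNS
    ("192.168.20.15", "8.8.8.8", "udp", 53),         # kid device -> other resolver
    ("192.168.20.15", "8.8.8.8", "tcp", 53),         # same, DNS over TCP
    ("192.168.20.15", "203.0.113.10", "tcp", 443),   # ordinary HTTPS
    ("192.168.10.5", "8.8.8.8", "udp", 53),          # parent device, other subnet
]

def run_samples():
    """Evaluate every constructed sample packet against the ACL."""
    return [evaluate(*pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLES, run_samples()):
        print(pkt, "->", result)
```

Swapping the first two rules would deny all DNS, including queries to OpenDNS, which is why rule order is part of the configuration to verify on whatever router is used.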
     
  4. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #4
    If you prefer to use OpenDNS then simply set that as the default on the router and switch your devices over to Google DNS, or manually configure their devices to use OpenDNS. Keep in mind that when they leave your network they will lose your settings.
     
