Sunday, February 1, 2015

Parental control using DD-WRT

As I said last time, I switched back to DD-WRT. The reason is that it is easy to go back to, and you can flash other third-party firmware from there.

Before moving to yet another firmware I thought it over carefully, because DD-WRT just doesn't work for MAC filtering. I went back to the stock firmware, but the IP phone went dead! I'm not going to waste my time on that.

I also have a rather complicated (and cheap) setup, with a client bridge to increase range, a powerline network to get through the walls into the garage, and a second old router to serve the corner rooms and use twice the bandwidth!

If I flash yet another firmware the IP phone may stop working again, so I am staying on DD-WRT for a while. The main problem is that the build officially recommended for my router is not the one the community recommends. Apparently this is well known, but I didn't know. How could I? This is horrible: the recommendation hasn't been updated in years. Of course the few people in charge have little motivation to update something several years old.

I flashed the community-recommended build and MAC filtering worked. Then I looked a bit further into whether I could do parental control effectively. The stock firmware and all the others like Tomato have easier-to-use GUIs, I suppose. DD-WRT is basically a complicated list of things it can do.

But how do I know what to do? I only know what I want: parental control. There are a lot of tutorials on the DD-WRT site, but none, I guess, on parental control. That's the problem. Parental control is actually complicated and open-ended, so you have to know exactly what you want in order to have a chance of finding the tutorials you need.

First, everybody has a few devices. I thought of attaching hostnames to MACs before starting to manage them. But it can't be done that way, so for a long time I didn't even try to control anything. The stock firmware gave me the idea: to add a hostname you need to assign a static IP address. In DD-WRT I never made the connection between static IPs and attaching a hostname to a MAC.

I have a few static IPs, but all are set up on the host side. It's rather different on the router side. Basically the assignment can still be automatic (DHCP), but you can reserve a static IP for any host MAC and label the host your way. You can mix the static and dynamic IP ranges. So if you just change a dynamically assigned IP to a static one, you have your host labelled. But this is not under the initial DHCP setup; it is under Services > DHCP Server > Static Leases. This should be in a newbie tutorial, otherwise how would I know? Depending on your browser, you just need to cut and paste the MAC around. The few unknown IPs left can be worked out by eliminating one host at a time. Before that, the fastest way seemed to be looking up the MAC on the host itself and typing the full digits into the access control box. Terrible.

Now that you have static IPs, it is just easier to use static-IP access control rather than MAC filtering.
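The MAC cut-and-paste problem above is mostly one of formatting: every device shows its address a little differently. As an added example (not from the post, and not DD-WRT's own code), the script below normalises pasted MACs, checks the chosen IPs, and emits the equivalent static leases in dnsmasq's "dhcp-host=" syntax. It assumes the router's DHCP is served by dnsmasq, which is what DD-WRT's "Use DNSMasq for DHCP" option does; the Services > DHCP Server > Static Leases form writes the same mapping for you. The MACs, IPs and hostnames in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post): turn a pasted MAC/IP/hostname table into
# dnsmasq static leases. Assumption: DD-WRT's DHCP server is dnsmasq ("Use
# DNSMasq for DHCP"), so "dhcp-host=" lines are what the Static Leases form
# produces behind the scenes.

# Normalise a MAC however it was pasted: dashes or colons, upper or lower case.
# Prints the colon-separated lower-case form; fails if it is not six hex pairs.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *)  return 1 ;;
    esac
}

# Accept only a dotted quad with every octet in 0..255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# dhcp_host MAC IP HOSTNAME -> one "dhcp-host=mac,ip,hostname" line.
# Each host gets a fixed address and a name, so later rules can refer to the IP.
dhcp_host() {
    mac=$(norm_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    valid_ip "$2"        || { echo "bad IP: $2" >&2; return 1; }
    printf 'dhcp-host=%s,%s,%s\n' "$mac" "$2" "$3"
}

# Constructed sample table (MAC IP hostname); real values come from each device.
static_leases() {
    dhcp_host AA-BB-CC-DD-EE-01 192.168.1.50 kid-chromebook
    dhcp_host aa:bb:cc:dd:ee:02 192.168.1.51 kid-phone
    dhcp_host AA:BB:CC:DD:EE:03 192.168.1.10 parent-pc
}

static_leases
```

Run it once, paste the three lines into the DHCP server's additional dnsmasq options (or enter the same values in the Static Leases form), and every later access-control or time rule can name the host by its fixed IP instead of its MAC.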

Now parental control can start, but it is never easy. You want the kids to use OpenDNS and the like, while parents have no limitations. But Google made it very simple to change the DNS on Chromebooks. You can block other DNS servers, but then it's very inconvenient when you want full, unrestricted access on that machine, to download and install something for example. Also, if the kids know how to change DNS, they might know how to change IPs and so on.

The basic need is to have one SSID for restricted access and another for unrestricted access. I've seen this need come up time and time again, but it's not a simple switch in DD-WRT. Maybe it should be.

Also, if the kids suddenly find that they need a banned website for homework, there should be a simple way to grant temporary access, all by themselves, over the phone, without someone needing to log in to the router and run commands. OpenDNS used to take forever for rule changes to take effect. Now it says a few minutes, but I doubt that. Immediate is better.

Interestingly, my stock firmware has one SSID plus one extra for guests. DD-WRT can have as many virtual access points (SSIDs) as you want.

Unfortunately, for multiple SSIDs to work with different DNS servers you need the terrible, horrible iptables commands. They seldom work, particularly if the poster says "something like this".

The tutorial that works is called "Multiple WLAN" in the DD-WRT tutorials. Each SSID is a WLAN (or sort of), and if you don't set up multiple WLANs, all the SSIDs will be bundled on the same WLAN, with the same DNS of course.

For DD-WRT, the interface vlan1 represents all the LAN sockets at the back of the router. (On older routers it may be called vlan0.) The eth1 interface is the physical access point (the physical SSID). Each additional virtual access point (additional SSID) is given an interface wl0.1, wl0.2, and so on.

By default everything is on the same network, so vlan1 and eth1 are bridged into the br0 interface. You can see this under Setup > Networking. So iptables rules on the individual interfaces won't work, presumably because they are already bridged; only rules on the bridge interfaces will. And when you separate the WLANs (the SSIDs), the only easy way I see is building new bridges in the DD-WRT GUI. So everything will be bridged, and there's no reason not to work on the bridged interfaces only.

The instructions for adding bridges are good and work. So I will skip them and talk about the things you may need to do differently. By default you have (network):

br0 (bridged) = vlan1 (ethernet connections) + eth1 (wifi)

If you add more VAPs (SSIDs), it becomes:

br0 = vlan1 + eth1 + wl0.1 + wl0.2 + ...

For me, everything already set up with static IPs and such (powerline adaptors, client bridge and repeater) went through wifi eth1. So for me it's easier to separate out the only LAN connection, the PC. So the first bridge I created is:

br1 = vlan1

You can only take out one interface at a time, unless perhaps you use the commands. All the other interfaces are left on br0.

I need one wifi VAP for adults, so br2 = wl0.1

You may need another VAP for guests with different settings.

The iptables commands for forcing DNS work. You just need to pick the DNS address and the bridge number. By default, hosts in different bridges (WLANs) cannot access each other. So I need to allow br1 (my PC) to access br0 (my router and all the other gear). The iptables commands work, but cannot reach deep into the br0 subnet when I have client bridges, repeaters, and such.

Now when I need to give somebody unrestricted access, I can give them the password for a VAP without OpenDNS. I can take it back by simply changing the password or the SSID, or by deleting it.

Now for more parental control, I can restrict the host IPs with a timetable, say no messaging on the phone after lights out.
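The three kinds of rule described above (forcing DNS per bridge, letting br1 reach br0, and a time-of-day restriction on one host) are shown together below as an added example; it is not the post's own commands and not DD-WRT's code. It assumes the post's bridge layout (br0 for the default WLAN and everything hanging off it, br1 for the wired PC, br2 for the adult VAP), constructed 192.168.1.x host addresses, and OpenDNS's public resolvers 208.67.222.222 and 208.67.220.220. On the router the rules need root; the usual place to keep them is the Save Firewall box under Administration > Commands. Set IPT=echo (the default when run without "apply") to preview the rules without applying them.

```shell
#!/bin/sh
# Added example, not from the post: per-bridge DNS forcing, inter-bridge
# access and a curfew, written for DD-WRT's bridge layout
# (br0 = router plus the default WLAN, br1 = the wired PC, br2 = adult VAP).
# Assumptions: bridge names follow the post; the 192.168.1.x addresses are
# constructed; 208.67.222.222 and 208.67.220.220 are OpenDNS's public
# resolvers. Run as root on the router, or set IPT=echo to preview.

IPT=${IPT:-iptables}

# Rewrite every DNS query arriving on bridge $1 so it goes to resolver $2,
# UDP and TCP. A Chromebook that changes its own DNS setting still ends up at
# the filtered resolver, because the rewrite happens on the router, not on
# the client. "-I" puts the rule ahead of anything DD-WRT already installed.
force_dns() {
    for proto in udp tcp; do
        $IPT -t nat -I PREROUTING -i "$1" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$2"
    done
}

# Hosts on different bridges cannot reach each other by default. Let bridge $1
# open connections into bridge $2 and let the replies flow back; $2 still
# cannot open connections towards $1.
allow_between() {
    $IPT -I FORWARD -i "$2" -o "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD -i "$1" -o "$2" -j ACCEPT
}

# Drop everything the router forwards for host $1 between $2 and $3 (HH:MM).
# The time match compares against UTC unless the build supports --kerneltz,
# so check "iptables -m time --help" on the router before trusting the hours.
curfew() {
    $IPT -I FORWARD -s "$1" -m time --timestart "$2" --timestop "$3" -j DROP
}

# The policy from the post, with constructed addresses.
apply_policy() {
    force_dns br0 208.67.222.222        # kids' SSID and all the other gear on br0
    allow_between br1 br0               # the wired PC may still reach the br0 hosts
    curfew 192.168.1.51 22:00 06:00     # the phone: nothing after lights out
}

# "apply" installs the rules; anything else only prints what would be run.
if [ "${1:-preview}" = apply ]; then
    apply_policy
else
    IPT=echo
    apply_policy
fi
```

Two things to check after applying: "iptables -t nat -L PREROUTING -n" should list the DNAT rules first, and a "nslookup" from a client on the forced bridge against any resolver it likes should still come back from the OpenDNS address. The curfew rule only affects traffic the router forwards, which is why, as the post notes, hosts behind a client bridge or repeater on br0 are out of its reach.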

One more thing I wanted to do is to set up a VPN on just one VAP, so I can switch VAPs to get the VPN instead of connecting to and disconnecting from the VPN server, which takes time. However, I found out that OpenVPN would be slow on the router simply because the router's clock rate is a lot lower. So it's not worth it.

But I wanted to protect my IP on the guest VAP. I can use a simple VPN as a proxy or full OpenVPN, because speed is not important there. OpenVPN is always a little tricky. The servers may want to do it one way but the clients may do it differently. For example, Chromebooks are seldom supported. Servers around the world are fairly standard, but clients behave differently: Linux clients and Windows clients are slightly but critically different on at least one point. It took me a while to figure out that servers push some options to clients, but that only works for Windows clients.

DD-WRT is tricky in a different way, so the instructions never work. Basically, if the config files work for Linux they should work for DD-WRT. However, since you cannot store or edit the config files at will, you need DD-WRT to help write them. But DD-WRT's help is not a direct edit at all. You can't add more options (in my newer version) or delete options that DD-WRT forces on you. For example, most servers use key files to log in (and DD-WRT is set up for that), but some use a username and password. So everybody goes their own half of the way but they never meet up. It's a hindrance. And if OpenVPN works with the right options, then there are the dreadful iptables rules that may or may not work.
