"Taming" home network for kids by experts for experts

jcl333

Active Member
May 28, 2011
229
53
28
Hello, I put this here because I wasn't sure if it was a good post for the networking hardware forum (Patrick: let me know what you think if you see this...)

I am wondering what my fellow networking experts have done to tame the Internet and network for their kids, or even just for themselves and maybe non-technical spouses. My kids are 8 & 10 and this is starting to become an issue. Right now I use pfsense and opendns along with some parental controls from Microsoft and Google and some DHCP reservations. I made my wife adopt 2FA and a password manager for everything like I use myself, which my kids will get at some point.

Now I am considering something more elaborate to get some more layers of defense in depth, and trying to find the right balance between complexity and usability. Here are some of the things I am considering:

- Using Sophos UTM or Untangle in addition to or instead of pfsense (all cases VMs in ESXi)
- Using Pi-Hole for centralized ad-blocking (also a VM)
- Using something like Circle with Disney on a separate VLAN for kids (with its own Pi-Hole)
- This would go along with multiple SSIDs in my Ubiquiti WAPs
- While I am at it - creating separate networks for guests and IoT
- There might be a place in here for things like squid, not sure
- Passing this out to my mobile devices with a VPN, say I could get benefit from Pi-hole on phone...

I have set up isolated networks in an ESXi host and used things like passive bridge mode to chain multiple network appliances together, it is really pretty cool. But as I am going through my research on these as well as trying some of them, such as setting up pfsense for multiple LANs (which I have not played with before) I am asking myself how far to take this, because I don't have unlimited time to throw at this.

So wondering what others have done in these areas?

I know nothing can replace simple good parenting, but being an IT guy I also can't resist implementing some technology as well, I do have a reputation to uphold ;-)

-JCL
 

ehorn

Active Member
Jun 21, 2012
342
52
28
Everything you mentioned is good. I run vyos and suricata in-line. Just a variant of what you have listed. The most valuable thing I found with my children is education. Teach them about the internet and the benefits and dangers. Make learning fun.

best
 

ReturnedSword

Active Member
Jun 15, 2018
526
232
43
Santa Monica, CA
One thing us adults forget about our time as kids is the odd case of children being much smarter than they seem. I've found that heavy handedness only teaches kids to be more sneaky. I'd probably just run simple parental controls to filter out the obvious bad stuff, and rely on educating them for the rest. IMHO I'd be less worried about them accidentally landing on an adult website than being groomed on social media by their peers, or worse, an adult.
 

azev

Active Member
Jan 18, 2013
760
240
43
I recently tested sophos xg which is free and it works great. One thing I really like about the feature is forcing youtube into restricted mode via the network. I recently noticed that my kid figured out how to un-select restricted mode in youtube app and found that sophos xg has a way to do it based on firewall rules you set.
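
An added example, not part of azev's post and not how Sophos XG does it: another network-level way to force Restricted Mode is the DNS override Google documents, where the YouTube hostnames below are pointed at `restrict.youtube.com`. This check, run from a kid's device or VLAN, verifies that every answer really is a restricted address; the function names and the sample answers are constructed for illustration.

```python
import ipaddress
import socket

# Hostnames Google documents for DNS-based Restricted Mode enforcement.
YOUTUBE_HOSTS = ("www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
                 "youtube.googleapis.com", "www.youtube-nocookie.com")
ENFORCE_TARGET = "restrict.youtube.com"  # strict; restrictmoderate.youtube.com is the moderate one

def system_resolver(name):
    """Addresses (A and AAAA) the resolver this device uses returns for name."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

def table_resolver(table):
    """Resolver backed by a dict, for offline checks with constructed data."""
    def resolve(name):
        if name not in table:
            raise OSError(f"no answer for {name}")
        return {ipaddress.ip_address(a) for a in table[name]}
    return resolve

def audit_restricted_mode(resolve=system_resolver, hosts=YOUTUBE_HOSTS):
    """Return {host: 'enforced' | 'bypass' | 'unresolved'}."""
    try:
        enforced = resolve(ENFORCE_TARGET)
    except OSError:
        enforced = set()
    report = {}
    for host in hosts:
        try:
            answers = resolve(host)
        except OSError:
            report[host] = "unresolved"
            continue
        # Every answer must be a restricted address: one normal A or AAAA
        # record is enough for the app to reach unrestricted YouTube.
        ok = bool(enforced) and bool(answers) and answers <= enforced
        report[host] = "enforced" if ok else "bypass"
    return report

# Constructed answers using documentation address ranges, not real YouTube IPs:
# the A records are overridden, but m.youtube.com still leaks a normal AAAA.
SAMPLE = {"restrict.youtube.com": ["192.0.2.10"],
          "www.youtube.com": ["192.0.2.10"],
          "m.youtube.com": ["192.0.2.10", "2001:db8::1"]}

if __name__ == "__main__":
    for host, status in audit_restricted_mode().items():
        print(f"{status:10} {host}")
```

The check only covers the resolver the device actually uses: a client configured with its own resolver, for example DNS over HTTPS in the browser, never sees the override.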
 

jcl333

ReturnedSword said:
> One thing us adults forget about our time as kids is the odd case of children being much smarter than they seem. I've found that heavy handedness only teaches kids to be more sneaky. I'd probably just run simple parental controls to filter out the obvious bad stuff, and rely on educating them for the rest. IMHO I'd be less worried about them accidentally landing on an adult website than being groomed on social media by their peers, or worse, an adult.

From this perspective I am basically already there. I am trying to keep up somewhat with more advanced issues as they come available, and this is not just for my kids but for me as well. A good recent example is the increasing interest in secure DNS / DNS over https.

Social media is indeed a completely different animal. I don't allow access to any right now, and they have not asked. But when the time comes that they do, it will certainly be a learning opportunity to be sure.

-JCL
 

jcl333

azev said:
> I recently tested sophos xg which is free and it works great. One thing I really like about the feature is forcing youtube into restricted mode via the network. I recently noticed that my kid figured out how to un-select restricted mode in youtube app and found that sophos xg has a way to do it based on firewall rules you set.

Yeah, I have been reading up on the difference between XG and UTM, I have also looked at Untangle. The force restricted mode is good, I am also looking at restricting time because really the signal-to-noise ratio on YouTube is extremely low. That is where the Circle with Disney comes in, and teaching them to use their time wisely.

-JCL
 

jcl333

ehorn said:
> Everything you mentioned is good. I run vyos and suricata in-line. Just a variant of what you have listed. The most valuable thing I found with my children is education. Teach them about the internet and the benefits and dangers. Make learning fun.
>
> best

I have not heard of those, maybe I will check them out.

-JCL
 

azev

Both sophos xg and utm have ways to limit access based on hours. At home I used a combination of both Sophos XG firewall rules which only allows youtube & roblox until 8pm and screen time to limit their access to the devices itself. I even taught my wife how to manually turn off the access completely via either screen time or firewall rules until the kids are done with homework :)
 

Evan

Well-Known Member
Jan 6, 2016
3,347
595
113
I use a Meraki MX setup but I didn’t mind paying for it (steep discount). For a free option I would say Sophos is probably the best I have seen. The advantage of the commercial or close to commercial products is this detail to how well restrictions are managed and up to date info.

While it is good to block some things, I would tend not to do it for older kids and try to educate them, but I have small children so it’s a just-in-case situation. Malware blocking is less of an issue as children only have iPads and are too young for a real PC (it’s very possible this generation will not see a ‘real PC’ like we know it, I would think that’s probably even a safe assumption)
 

zer0sum

Well-Known Member
Mar 8, 2013
734
392
63
I believe it would be worthwhile checking out OPNsense firewall, which is a fork of pfsense but much better :D

DNS over TLS is trivial to set up, and there are some cool plugins like Sensei for it that allow deep parental controls - https://www.sunnyvalley.io/sensei
 

ReturnedSword

Back to the topic of network security, pfSense works pretty well for me, although my requirements are much lower. I've just been using it for years and am used to it. The thing with pfSense is configuration is often counter-intuitive, sometimes things don't work as they seem, and it probably needs a deep overhaul. Everything in pfSense beyond the firewall and networking side is exposed as plug-ins. Sophos is probably much more polished in this sense, but I haven't had the time or will to make the jump yet beyond playing around with it a while back in a VM.
 

ehorn

jcl333 said:
> I have not heard of those, maybe I will check them out.
>
> -JCL

cool..

vyos is forked from vyatta. It’s command line only, like juniper os. Just a good ole open source router, firewall. But it’s fast and efficient and I like the way the firewall confirms work.

Suricata is another flavor of ids, ips... Securityonion is a pretty slick package of open source tools as well for the tinkerer. Sophos is a nice “set it and forget it” type of system too though.

Best
 

ehorn

ReturnedSword said:
> Back to the topic of network security, pfSense works pretty well for me, although my requirements are much lower. I've just been using it for years and am used to it. The thing with pfSense is configuration is often counter-intuitive, sometimes things don't work as they seem, and it probably needs a deep overhaul. Everything in pfSense beyond the firewall and networking side is exposed as plug-ins. Sophos is probably much more polished in this sense, but I haven't had the time or will to make the jump yet beyond playing around with it a while back in a VM.

Lots of folks use pfsense. I am sure it gets the job done, I just never liked it... lol. I used Sophos for many years and never had an issue with it. It was a polished package for Home nerd usage. Nowadays, I love vyos for its simplicity, performance, and effectiveness.

Best
 

DanP

New Member
Jan 8, 2016
24
11
3
43
Bumping an old post. It's been nearly 3.5 years from the last update on this. Where do you guys stand now? I actually came across this post when doing a google search for "pfsense opnsense parental controls". It looks like the suggestion earlier in this was Sensei which looks to have morphed into a fairly high priced commercial firewall setup with a home lab option.

I was mainly using Gryphon routers as coverage was good and they have been making pretty good progress on app feature updates over the years, but I have reached the point that their bugs are getting annoying.

I figured by now there would be some kick ass options out there. I did recently pick up a set of TP-LINK (I know most claim garbage brand) 6E routers, speeds on them are pretty impressive, their app / lower cost paid services look interesting, a little more mature than I remember them being but still not enough in my mind. If paying for that I would assume the small bump to what Sensei has become would be a superior option.

So those with kids (9-mid teens) what are you guys doing nowadays? Something that doesn't take a stupid amount of time tinkering with, easy enough options to kick over to the wife for kid controls, etc. I have found after all of these years my desire to tinker when at home has dropped way down on the list. I guess it's the 12 hour days 6 to 7 days a week at the datacenter, a lot like the mechanics that no longer enjoy working on their own cars when they are at home :)

Thanks for any suggestions!
 

Stephan

Well-Known Member
Apr 21, 2017
640
431
63
Germany
1) Kids friendly curated search engine set as default start page in all browsers.

2) Quarterly reminder-talk that on the internet, there is everything from humanity's biggest achievements to very very dark and disturbing things. If they stumble upon the latter, or are sent such stuff from classmates, encouragement to talk to the parents for a second opinion.

3) They can watch or read stuff in their free time all they want, provided it is not in their native language.

4) No Windows or MacOS because of malware, only Linux. microG/LineageOS on phones.

5) Kids are on a separate VLAN, routed in toto i.e. also DNS via VPN through a country, which when it comes to civil internet use, basically gives a damn. To thwart cases where some kid brings a device for a sleep-over, which has some P2P software installed. In a litigious society this can mean a lawyer's note 6-8 weeks after, demanding 800-5000 fiat in damages, and a reply with a signed cease-and-desist letter.

6) All payments either prepaid, or cleared by parent machines/accounts.

7) No other controls except for the usual Pi-Hole or Pi-Hole-like DNS filtering.

8) All employed services, platforms or devices must be 100% ad-free. By themselves, or by virtue of an ad-blocker.