I'm running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685) on my Linksys WRT1900ACS and I've been very happy with it.
But now I want to install software that will help me accomplish two general goals:
1. On a per device basis, monitor network usage including not just bandwidth, but actual domains and IP addresses that each device connected to the router visits on the internet. (My kids have begun to find sites on the internet that they are not telling me about and that I don't want them to visit, but before I make the decision to block these sites, I want to know what sites they are going to so I can try to keep up with what they are doing on the internet that they are trying to hide from me.)
2. On a per device basis, make either black lists to prevent certain devices from visiting certain sites and/or white lists to allow certain devices to visit no other sites than the few sites I list explicitly.
I installed vnstat and it looks like it does not implement the high resolution type of monitoring that I'm looking for in goal number 1 above.
Can someone recommend some packages I can install on my LEDE to accomplish those two goals? I'm guessing I can use the pre-installed firewall to accomplish goal 2. I think that is just iptables, right? If that's the best way to accomplish goal 2 above, then can someone recommend some getting started documentation on how to use iptables to implement black or white lists for certain devices?
For access control to web sites a proxy is far preferred to iptables. You use iptables to block outgoing 443 and 80 ports and then manually set the proxy in the clients. Use squid for the proxy; it has very full-featured access control rules and will work well.
Thank you both for the suggestions for access control.
But does anyone have any suggestions for just high-resolution (which host, domain, and IP address did this or that device visit) monitoring without access control?
A proxy can log everything without restricting anything (just enable access to all sites and log).
The firewall can log every SYN packet to port 80 or 443 with a firewall rule, but you'll just get an IP address; you won't know what site that corresponds to. Lots of sites are actually served from something like Cloudflare or Akamai or similar... so one IP serves hundreds of sites. This is why a proxy is really best for controlling at the site name level.
+1; best proxy for this approach is squid; however, needs quite some learning, as this is an advanced function, because of https.
To do sophisticated access control perhaps, but I think if all you want is to log all the websites, squid should take less than an hour to set up. Perhaps less than 10 minutes if you use the luci app and don't try anything other than logging.
The biggest pain is the one-time pain of going around and setting a proxy on your internet settings for all the devices. Android is pretty simple, Linux machines are simple, macOS is simple, Windows isn't too bad (though I've had issues with proxy settings for Windows updates... but I'm not a Windows person at all), I'm not sure about things like Xbox or PlayStation or Roku etc.
You are correct for explicit proxy, I was correct, assuming transparent/intercept squid.
…all that, just to see https in action.
https + explicit proxy will still let you see the site names. The client connects to the proxy and asks it to tunnel to somesite.somedomain.com and you can log that... anything else is hidden in the https.
Which, having kids, seems like a decent trade-off between privacy and parental control. I guess I will need to look into that soon...
Ask me about my YouTube quota system and MWF no web access system some time.
Also (still) possible using transparent/intercept proxy.
BTW: What is MWF?
Monday Wednesday Friday days when my kids should be getting ready for activities we plan and not begging to watch Minecraft videos.
Intercepting site names on SSL is possible but not for long as encrypting the relevant info is in active development.
Thanks everyone for all the thoughtful suggestions! I'll try squid today.
In general, I seriously question the purpose of this log info. First of all, a matter of trust to the children. Second, a matter of usability of these logs, as they also show accesses to URLs which were not intentional. It is practically impossible to decide whether porno.com was directly accessed using the browser, OR simply linked from CNN.com.
Not to mention the huge amount of log info to check.
A proxy has lots of uses in terms of setting and enforcing policy (time of day, day of week, transfer quotas, whitelisted domains, blacklisted domains, etc.), providing quality of service differentiation (DSCP tag on the LAN affects WMM queues, QoS in switches, etc. My IPTV never stutters), caching of non-https traffic (apt-get update is pretty dang fast on the second computer) and to some extent monitoring. I personally don't find the logs useful. I think there are some log analysis tools that might help.
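As an added example (not posted by anyone in this thread): a small summarizer for the log-only explicit-proxy setup discussed above, showing which site names each LAN client requested, including the host names visible in HTTPS CONNECT requests. It assumes squid's default native access.log layout; the sample lines are constructed, and the function names `host_of` and `sites_per_client` are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in squid's default native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1514800000.101    310 192.168.1.50 TCP_TUNNEL/200 48211 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1514800004.530    120 192.168.1.50 TCP_MISS/200 1024 GET http://example.org/index.html - HIER_DIRECT/203.0.113.20 text/html
1514800009.002    275 192.168.1.50 TCP_TUNNEL/200 1000 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1514800011.777   9040 192.168.1.51 TCP_TUNNEL/200 900000 CONNECT video.example.net:443 - HIER_DIRECT/198.51.100.7 -
1514800012.000      0 192.168.1.51 NONE/400 3500 NONE error:invalid-request - HIER_NONE/- text/html
truncated line
"""


def host_of(method, target):
    """Return the site name squid saw, or "" if the entry carries none."""
    if method == "CONNECT":
        # HTTPS via explicit proxy: only "host:port" is visible to the proxy.
        host = target.rsplit(":", 1)[0]
    else:
        # Plain HTTP: the full URL is logged; keep just the host part.
        host = urlsplit(target).hostname or ""
    return host.strip("[]").rstrip(".").lower()


def sites_per_client(log_text):
    """Map client IP -> {host: [requests, bytes]} from access.log text."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].isdigit():
            continue  # skip truncated or malformed entries
        client, size, method, target = fields[2], int(fields[4]), fields[5], fields[6]
        host = host_of(method, target)
        if not host:
            continue  # e.g. squid's "error:invalid-request" pseudo-URLs
        entry = seen[client].setdefault(host, [0, 0])
        entry[0] += 1
        entry[1] += size
    return dict(seen)


if __name__ == "__main__":
    for client, hosts in sorted(sites_per_client(SAMPLE_LOG).items()):
        for host, (hits, size) in sorted(hosts.items(), key=lambda kv: -kv[1][1]):
            print(f"{client:15} {host:25} {hits:4d} requests {size:9d} bytes")
```

Grouping by host with request and byte counts collapses the many entries a single page load generates, which addresses the log-volume concern raised above; it cannot tell a directly visited site from one pulled in as an embedded resource.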
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.