Family profiles?

Hi there. I am pretty new to the project. I have installed OpenWRT on a Raspberry Pi 4, and it works very well.

I have a question - is there a way to assign user-profiles to certain devices, then set rules for each profile around what categories of sites they can visit, when they can access the internet, etc?

I know it is possible using mac-address filtering, etc, but it would be great if there was a higher-level interface that understood who owned what device, and the ability to set schedules.

Is this a package that doesn't yet exist?

On the subject of site categories, I haven't found anything that can do that in OpenWRT. There are several free site-categorisation APIs available, which means instead of creating manual black/white lists, you can just say block {gambling, pornography, drugs}, etc. Is there a plugin for that I haven't found yet, or is this yet another that doesn't yet exist either?

If we could link user profiles and site categories together, it would be a great sell. Happy to lend some Bash scripting dev time if needed (with help), but not so great on Java, etc...

Thanks.... 🙂

You can do all these things that you mention; however, there is no package or turnkey solution. Content filtering should depend on some DNS service, like Cloudflare Family.

1 Like

Thanks @trendy. This sort of helps. I have as a result configured a DNS HTTPS proxy to forward to Cloudflare family protection, and an "Intercept-DNS" rule which forwards all DNS requests to the local DNS proxy. Works fine!

What I think we could benefit from, however, is a way of grouping devices together into profiles. Ideally, a profile should contain a list of MAC addresses. Then there should be the ability to write traffic rules, schedules, etc. based on these profiles. I would be happy to contribute if anyone else thinks this is a good idea!

Looking into fw3, you have the option to use src_mac. Does anyone know if you can add multiple src_macs in a single rule? Thinking you could create a rule per device group, and then enable/disable them.

You can allocate each of the devices a static DHCP lease and then filter based on source IP address. No need to use the MAC address.

You can also then set up time-based iptables rules: add a bunch of IP addresses to an ipset to treat it as a "profile/group" and then create the relevant iptables rule to match against the ipset.

2 Likes
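The static-lease plus ipset approach from the reply above, sketched as an added example (not code from the thread or from OpenWrt): a POSIX sh script that turns a small profile table into `ipset` and `iptables` commands. The profile names, addresses, schedules and the `forwarding_rule` chain are assumptions to adapt.

```shell
#!/bin/sh
# Added example: turn "profiles" into ipset + iptables commands (printed only).
# Profile names, addresses and schedules below are constructed sample data.
# Fields: name|member IPs (static DHCP leases)|block from|block until|weekdays
PROFILES='kids|192.168.1.50 192.168.1.51|21:00|07:00|Mon,Tue,Wed,Thu,Sun
iot|192.168.1.80|08:00|17:00|Sat,Sun'
CHAIN=${CHAIN:-forwarding_rule}   # assumed fw3 user chain; adjust for your setup
OCT='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
DAY='(Mon|Tue|Wed|Thu|Fri|Sat|Sun)'

is_hhmm() { echo "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$'; }
is_days() { echo "$1" | grep -Eq "^$DAY(,$DAY)*\$"; }
is_ipv4() { echo "$1" | grep -Eq "^($OCT\.){3}$OCT\$"; }

render_profile() {
    name=$1 ips=$2 start=$3 stop=$4 days=$5
    # Validate every field first so nothing unexpected reaches a command line.
    echo "$name" | grep -Eq '^[a-z][a-z0-9_]{0,30}$' ||
        { echo "bad profile name: $name" >&2; return 1; }
    is_hhmm "$start" && is_hhmm "$stop" ||
        { echo "bad time in profile $name" >&2; return 1; }
    is_days "$days" || { echo "bad weekdays in profile $name" >&2; return 1; }
    for ip in $ips; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "ipset create $name hash:ip -exist"
    echo "ipset flush $name"
    for ip in $ips; do echo "ipset add $name $ip"; done
    span=""
    # A window that crosses midnight is matched as two separate pieces per
    # weekday unless --contiguous is given.
    if [ "${stop%:*}${stop#*:}" -lt "${start%:*}${start#*:}" ]; then
        span=" --contiguous"
    fi
    # The time match uses UTC unless --kerneltz is set.
    echo "iptables -A $CHAIN -m set --match-set $name src -m time" \
        "--timestart $start --timestop $stop --weekdays $days --kerneltz$span -j REJECT"
}

render_all() {
    echo "$PROFILES" | while IFS='|' read -r name ips start stop days; do
        render_profile "$name" "$ips" "$start" "$stop" "$days" || exit 1
    done
}

render_all
```

The script only prints commands; review the output before running it on the router, which needs ipset and the iptables time match installed.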

One way to do this is to create VLANs for the various groups, and different SSIDs for each VLAN. This is similar to how a company would classify, say, "developers" vs "accounting" vs "marketing" vs "DMZ", etc.

So for example you could have:

VLAN 1 = trusted adults LAN... 192.168.1.0/24 wired and wifi ssid = "mynet"

VLAN 3 = kids LAN... 192.168.3.0/24 wired and wifi ssid "mynet-kids"

VLAN 4 = IoT LAN ... 192.168.4.0/24 wired and wifi ssid "mynet-iot"

etc... then have different policies based on which subnet the packets come from / head to.

2 Likes

Thanks guys, great advice.

BTW, I am very aware of VLANs, iptables, DHCP reservations, etc.

I am working on a project for a very large company that owns internet providers in multiple countries. They plan to bring out "family time", which effectively abstracts away MAC filtering rules, etc. into family profiles, where you can specify family members and group their devices, then set rules based on time, content categories, etc.

What I would love to see is an open-source version of this, which makes it "family friendly". No one wants to muck around with VLANs, iptables, DHCP reservations, etc. - it needs to have a higher-level interface. It should ideally have an API which could be extended by home automation services, etc. Me, I am an architect rather than a developer, so I can offer design guidance, but need someone with some strong coding experience and willingness to help if we are to make this a real thing.

Thinking about the following scenario:

Devices screen:

  • You can see a list of known MAC addresses and any existing profile associations
  • You can select one or more MAC addresses and click "add to user profile"
  • You can create a new user profile or add to existing

Profiles screen:

  • You can see and edit a list of known user profiles
  • You can add a profile
  • You can edit a profile - change its name, list of devices and assigned ruleset

Ruleset screen:

  • You can define a ruleset
  • You can edit a ruleset
  • When you edit a ruleset, you can:
    • Add website categories from an external website categoriser such as website-categorization.whoisxmlapi.com to a blacklist or whitelist
    • Add URL regex patterns to a blacklist or whitelist
    • Add a schedule

Schedule screen:

  • You can view and edit schedules
  • When editing a schedule, you can define:
    • A name for the schedule
    • A time/day pattern with on/off times, using a graphical point/click interface or time/day/date strings

Browsing history:

  • Probably part of the user profile screen
  • You can check the website history of a user profile, showing which device, which website, time/date of access
  • You can see attempted access to sites blocked by time or content filter
  • You can see search results (might be tricky if search engine uses SSL)

Ultimately, it should be good enough to tempt even less tech-savvy families to use it and expand the userbase of OpenWRT. Given suitable hardware is becoming cheaper and easier to install (I am using a Raspberry Pi 4), it could be a good solution for lots of families!