Internet access by user management

Hi everybody,
I'm looking for a solution to manage the internet access of the users of my home network.
I used to play with firewall rules to allow/block access depending on time for smartphones (teenagers :crazy_face:), but I need to find another way to filter their access from their laptop... I don't want to block the computer's access, just some users!
I was considering using SQUID, but would it be really useful ? Or maybe another way ?
Do you have any suggestion ?

Is this what you are looking for?
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls

1 Like

Not exactly.
This solution manages internet access by website and IP/MAC address (like what I'm already doing).
Since we have a shared laptop between 2 teenagers, their mother and the little sister, this is not relevant.
I need to manage the access by user: block 1 teenager depending on time, block the other one depending on another timetable, but let my wife fully use the laptop... Moreover, the management needs to be flexible, I'd like to be able to modify it without too much effort!
I know there is parental control software, but these are generally paid solutions, and the laptop is running Linux Mint...
This is why I was considering installing a proxy like SQUID, but from what I know, it's very resource-consuming, so if there is another lighter solution...

Does Mint allow different WiFi settings for different users?

You can potentially create 3 different APs which would only be up during certain times (or their firewall zone forwardings would work at specific times) and each Mint user would only have access to their own WiFi AP.

Not saying this is the best solution (best would probably be captive portal with individual logins), but probably the easiest.

2 Likes

Yes, it would be a solution if Mint allows it, which I don't know.
But the advantage of a proxy is the ability to later check the visited websites (I don't want to have to maintain a whitelist) ...

OK, let's say you've set up the proxy. How's the router supposed to know which one of your family members is connected to it?

The same way it works in enterprise: login/password !

Then you can use squid. Or a real Captive Portal (CP) like nodogsplash or coova-chilli.
However, all of these solutions have a more or less steep learning curve. coova is the hardest.

I don't think captive portals are suitable for restraining internet access depending on timetable, am I wrong ?

Good luck!

lol
Thanks !

Hello,

You should use squid with basic auth enabled. You can keep the user database in a text file.

OpenWrt's squid doesn't include any auth helpers, so you would need to customise the Makefile for this purpose.

You may look into older release source code (BB or CC) which had certain auth helpers enabled.

Moreover, you can't use transparent proxy if you want to authenticate the users.

-N

OK understood, thanks !

You are right, and you are wrong. You are right in the respect, that the CP itself can not help in access depending on timetable. BUT coova-chilli works in coop with a radius server. And the radius server (also) manages time based access.
However, this is a very steep learning curve. And probably too steep for a single install. Unless you want to invest a lot of time for learning.
To configure coova properly is almost black magic. And to configure freeradius properly is not a piece of cake, either.
As I am doing this for commercial systems, I am authorized to warn you.
What you described, is the typical scenario of a commercial, time based hotspot.

As I don't plan to install coova-chilli for now, nor any Radius, I think I will give it a try with SQUID ! :wink:
Plus my firewall rules, it should be enough to prevent unauthorized access from the teens !
thx for your advice !

You can do it with squid, sure, but squid is rather heavy stuff and requires a lot of RAM.
Do serious streamlining of squid.conf. You might consider a custom image with a shrunk-down squid, after editing the Makefile, because you can drop a lot of code for squid functionality you do not need.
In principle, you need Basic Auth only, as you can verify the time limits in the connected shell script. But Basic Auth only works for explicit proxy settings, so you have to define squid as proxy on every client device.
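
As an added example (not part of the post above, and not code from squid or OpenWrt): a sketch of the "connected shell script" idea, a Basic Auth helper that checks the password against a text-file user database and then applies a per-user time window. The file format, function names and sample users are assumptions made for this example; it also assumes user names and passwords contain no characters that squid would URL-encode before handing them to the helper.

```shell
#!/bin/sh
# Squid basic-auth helper sketch: squid writes "user password" per line on
# stdin and expects "OK" or "ERR" per line on stdout.
# Hypothetical wiring in squid.conf (paths are placeholders):
#   auth_param basic program /path/to/helper.sh serve /path/to/users.db
# DB line format (constructed for this example):
#   user:salt:sha256(salt+password):HHMM-HHMM
# A single salted SHA-256 keeps the sketch dependency-free; it is not a
# strong password hash.

hash_pw() {  # $1=salt $2=password -> hex digest
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

check_login() {  # $1=user $2=password $3=now (HHMM) $4=db file; 0 = allowed
    while IFS=: read -r u salt hash win; do
        [ "$u" = "$1" ] || continue
        [ "$(hash_pw "$salt" "$2")" = "$hash" ] || return 1
        start=${win%-*}
        end=${win#*-}
        # Prefix "1" so values such as 0830 are compared as plain decimals.
        if [ "1$3" -ge "1$start" ] && [ "1$3" -lt "1$end" ]; then
            return 0
        fi
        return 1        # right password, outside the allowed window
    done < "$4"
    return 1            # unknown user
}

make_sample_db() {  # $1=output file; constructed sample users
    printf 'teen1:a1:%s:1700-2000\n' "$(hash_pw a1 teen1-pass)" > "$1"
    printf 'mom:b2:%s:0000-2400\n' "$(hash_pw b2 mom-pass)" >> "$1"
}

serve() {  # $1=db file; answer squid until it closes stdin
    while read -r user pass; do
        if check_login "$user" "$pass" "$(date +%H%M)" "$1"; then
            echo OK
        else
            echo ERR
        fi
    done
}

if [ "${1:-}" = "serve" ]; then
    serve "$2"
fi
```

Because the time window is evaluated only when squid asks the helper, the credential cache lifetime in squid.conf decides how quickly a closed window takes effect for a session that is already authenticated.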

Then, any other proxy suitable for this task, but lighter ?

I read about some enhancements/patches to tinyproxy, to do BasicAuth. Whether it's really stable, is another question. For a serious development, I would use squid.
Be advised, that any proxy will need to inspect every request for valid user credentials. Which will lead to another serious performance hit, besides RAM usage.
Anyway, for a Proof of Concept, you might try following path:

  • Set up a full LINUX server, i.e. ubuntu. Can be a VM, of course.
  • Configure the full-blown, packaged squid to do BasicAuth.
  • Test it.
  • When happy, install the squid package on your openwrt, and use squid.conf etc. from your real LINUX. When I use squid on openwrt, no usage of LuCI, "native" configuration of squid. Easier to port LINUX -> openwrt, then.
  • After a successful test, consider a custom image with a shrunk-down squid (edited Makefile).

Happy learning!

Thx, I'll try this way !