Firewall configuration for "www" and e-mail only

Greeno

Regular Contributor
Hello, my daughter is unfortunately addicted to the internet. Currently, if not controlled, she can play games for 10 hours a day or more. I'm trying to get her into therapy, but for now I'd like to block her access to games and only allow access to the web and e-mail. If she wants to play, I will disable her firewall, e.g. for a maximum of 2 hours. She needs to have access to the internet because the addiction has destroyed traditional school, and we have now enrolled her in a cloud school so she can pass this school year. Can someone please check whether the table below is correct? I would like everything to be blocked and only access to "www" and e-mail allowed. In general, the "www" pages work, but sometimes there are some problems. Similarly with mail: the mail client synchronizes messages without any problems, but does not send them, even though the port is in the firewall.

Attached is a screenshot of the firewall configuration I used.

Is it possible to set things up so that the firewall is turned off, for example, from 14:00 to 16:00? My daughter could play for 2 hours. Then the firewall would turn back on at 4:00 pm.
 

Attachment: Firewall.png
Forget the router. If rules cannot be followed then take the gaming equipment away. It's that simple. You're the parent, not the router.
 
AdGuard Home has the following options for services blocking:



Get a Raspberry Pi and run it as DNS server/filter for your network.


It is available for Asus routers via Asuswrt-Merlin/AMTM, but I don't know how well it will run on your router (RT-AC68U?).
 
Forget the router. If rules cannot be followed then take the gaming equipment away. It's that simple. You're the parent, not the router.
In my experience (as a parent with teenage kids), it is hardly ever 'that simple' :cool:

I suppose the full blown 'bad cop' approach works sometimes but often triggers unintended consequences (probably more likely with a child with an addiction)

I have used screen time, blocking access etc over the years but what works best in our house is a combination of trust them and nag them.

Good luck OP finding a solution that works for you.
 
You didn't say what you are using for "email", but maybe you need to open up port 995 (pop3s) or 110 (pop3), and/or 587 (mail submission)?
 
Dear forum users, when it comes to the problem of my daughter's addiction, this is not a topic for this forum.
It's not that easy.
"J23" - I can't take away my 16-year-old daughter's computer and cell phone; what world do you live in? Besides, as I wrote, she learns via the Internet.
Thanks for the kind words, but we won't solve it here.
If anyone knows how to fix it technically, please let me know. I also use parental controls, which set the internet time from 7am to 10pm. I want her to have access to websites and e-mail and that's it. I'd like to know if the rules I've used are good, and if not, what they should look like. As you can see in the attached image, the mail ports are included. Although port 465 is included in the rules, the mail client (Mozilla Thunderbird) does not want to send mail.

Regards.
 
Get a Raspberry Pi and run it as DNS server/filter for your network
works for me, flawlessly, although the service blocks are not on timers.
 
OK "BreakingDad", I installed AdGuardHome on a virtualized Debian.
I'll play with it and see what it can do. However, could someone please take a look at my firewall rules on the Asus router, which I attached as an image? Are they correct, and if not, what should I correct?
 
I sat down for a while longer and set up all possible mail ports.
It turns out that to connect to the SMTP server with the following parameters:
connection security: SSL/TLS, authentication method: plain password,

in addition to port 465, port 25 must also be open.

Apparently there must be some communication between the client and the server on port 25, because when this port is closed, the mail client doesn't want to send messages.

I specifically wrote to the administrator of the mail server where my daughter has her mail account, asking what ports are needed for communication, and they wrote back that only 993 and 465 are.

What a massacre with the mail administrator's technical support.
 
FYI @Greeno The Network Services Filter only affects LAN-to-WAN traffic, not the other way around. Therefore you can remove all of the rules in post #1 that have a destination address of 10.0.0.4, as they are not doing anything.
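The two points made in the replies above (which mail ports a client actually needs, and that a filter of this kind only ever sees traffic leaving the LAN) are easier to reason about with a small model of the policy. The following is an added example, not code from the thread or from Asuswrt: it evaluates constructed flows against a LAN-to-WAN whitelist for a single host, applies the requested 14:00-16:00 play window, and renders the same policy as hand-written iptables rules. The LAN prefix, WAN interface name, peer addresses, game port and the mail-server settings are assumptions for illustration.

```python
"""LAN-to-WAN port-whitelist model for the 10.0.0.4 host in this thread.

Added example: not code from the posts or from Asuswrt. It models a filter
that, like the router's Network Services Filter, only inspects traffic
leaving the LAN, then renders the same policy as hand-written iptables
rules. LAN prefix, WAN interface, peer addresses, game port and the play
window are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")          # assumed LAN prefix
FILTERED_HOST = ip_address("10.0.0.4")   # the PC named in the thread
WAN_IF = "eth0"                          # assumed WAN interface name

# Mail ports by (protocol, connection security) as a client presents them
# (IANA assignments; 465 and 587 per RFC 8314).
MAIL_PORTS = {
    ("imap", "ssl/tls"): 993, ("imap", "starttls"): 143,
    ("pop3", "ssl/tls"): 995, ("pop3", "starttls"): 110,
    ("smtp", "ssl/tls"): 465, ("smtp", "starttls"): 587,
    ("smtp", "none"): 25,
}


def ports_for(*settings):
    """Translate a mail client's (protocol, security) settings into TCP ports."""
    return {MAIL_PORTS[s] for s in settings}


# The TCP ports the poster says are whitelisted: web, IMAPS, SMTPS and 25.
WHITELIST_TCP = {80, 443} | ports_for(
    ("imap", "ssl/tls"), ("smtp", "ssl/tls"), ("smtp", "none"))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def hhmm(s):
    """'14:30' -> datetime.time(14, 30)."""
    h, m = s.split(":")
    return time(int(h), int(m))


def is_lan_to_wan(flow):
    return ip_address(flow.src) in LAN and ip_address(flow.dst) not in LAN


def rule_can_match(dst):
    """A LAN-to-WAN filter never sees a LAN destination, so such a rule is dead."""
    return ip_address(dst) not in LAN


def filter_active(now, off_from=hhmm("14:00"), off_until=hhmm("16:00")):
    """The whitelist is enforced except during the daily play window."""
    return not (off_from <= now < off_until)


def decide(flow, now):
    """Return 'ACCEPT', 'DROP', or 'UNFILTERED' (traffic the filter never sees)."""
    if not is_lan_to_wan(flow):
        return "UNFILTERED"
    if ip_address(flow.src) != FILTERED_HOST or not filter_active(now):
        return "ACCEPT"
    if flow.proto == "tcp" and flow.dport in WHITELIST_TCP:
        return "ACCEPT"
    return "DROP"             # default deny: anything else, including all UDP


def to_iptables():
    """The same policy as FORWARD-chain rules (equivalent, hand-written)."""
    ports = ",".join(str(p) for p in sorted(WHITELIST_TCP))
    return [
        "iptables -N HOST_WHITELIST",
        f"iptables -I FORWARD -s {FILTERED_HOST} -o {WAN_IF} -j HOST_WHITELIST",
        f"iptables -A HOST_WHITELIST -p tcp -m multiport --dports {ports} -j ACCEPT",
        "iptables -A HOST_WHITELIST -j DROP",
    ]


# Constructed sample flows; 203.0.113.0/24 is documentation address space.
SAMPLE_FLOWS = {
    "imaps sync":      Flow("10.0.0.4", "203.0.113.25", "tcp", 993),
    "smtps send":      Flow("10.0.0.4", "203.0.113.25", "tcp", 465),
    "submission 587":  Flow("10.0.0.4", "203.0.113.25", "tcp", 587),
    "external dns":    Flow("10.0.0.4", "8.8.8.8", "udp", 53),
    "router dns":      Flow("10.0.0.4", "10.0.0.1", "udp", 53),
    "quic":            Flow("10.0.0.4", "203.0.113.80", "udp", 443),
    "game":            Flow("10.0.0.4", "203.0.113.9", "udp", 27015),
    "inbound to host": Flow("203.0.113.5", "10.0.0.4", "tcp", 1194),
}


def evaluate(now):
    return {name: decide(f, now) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for when in ("10:00", "15:00"):
        print(when, evaluate(hhmm(when)))
    print("\n".join(to_iptables()))
```

Three things the model makes visible: a rule whose destination is 10.0.0.4 is dead because the filter never sees inbound traffic; DNS only keeps working if the PC resolves against the router (LAN traffic is unfiltered), whereas a query to an external resolver is dropped; and with a TCP-only whitelist, UDP 443 (QUIC) is dropped, which browsers tolerate by falling back to TCP, but which is worth knowing when "sometimes there are some problems". If the mail server expects submission over STARTTLS, 587 has to be added the same way. Toggling the window on a real router would be done by swapping the rendered rules in and out from the router's cron (`cru` on Asuswrt-Merlin) rather than by recomputing `filter_active` per packet.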
 
No matter what you do, she'll find a VPN that uses port 443 and probably will be able to bypass your controls. It will turn into a constant battle of blocking IPs and ports.

Better to just use the scheduler to disable her access except for the 2 hours a day you want. Until she figures out how to change her MAC address to bypass that.
 
You would need to enforce DNS via DNS Director as well, to avoid local bypassing. It can of course still be bypassed via a local VPN; you would have to restrict installations on Windows to prevent that, but then there are VPN add-ons for browsers. It's a minefield, to be honest.

In the end you can only protect your teens so far via network settings. I mean, even if you are still allowing www, they will probably still play browser games. I've tried to educate mine to take some responsibility for themselves for their online safety and wellbeing.

One thought occurred: give them a cheap, admin-locked-down laptop for school work, where they can't install anything without an admin password (much like a work machine), then a two-hour slot of internet access on the gaming rig where everything (within reason) is open. That would be a lot easier to maintain than filters and timers.
 
I think I already know what the problem is. I can't start OpenVPN in TAP mode. Just why?
Originally I had it set like this and there was no problem. I would like to be on the same subnet when connected to the VPN.
Below you will find screenshots of the configuration and server logs with errors; maybe someone smarter will tell me something.

Mar 6 18:35:48 rc_service: httpds 1084:notify_rc restart_chpass;restart_vpnserver1
Mar 6 18:35:50 kernel: br0: topology change detected, propagating
Mar 6 18:35:50 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:35:50 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:35:50 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:35:50 kernel: br0: port 5(tap21) entering disabled state
Mar 6 18:35:51 kernel: device tap21 entered promiscuous mode
Mar 6 18:35:51 kernel: ADDRCONF(NETDEV_UP): tap21: link is not ready
Mar 6 18:35:51 ovpn-server1[11831]: OpenVPN 2.5.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 6 2023
Mar 6 18:35:51 ovpn-server1[11831]: library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.08
Mar 6 18:35:51 ovpn-server1[11833]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mar 6 18:35:51 ovpn-server1[11833]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 6 18:35:51 syslog: PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
Mar 6 18:35:51 ovpn-server1[11833]: PLUGIN AUTH-PAM: initialization succeeded (fg)
Mar 6 18:35:51 ovpn-server1[11833]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mar 6 18:35:52 ovpn-server1[11833]: Diffie-Hellman initialized with 2048 bit key
Mar 6 18:35:52 ovpn-server1[11833]: TUN/TAP device tap21 opened
Mar 6 18:35:52 ovpn-server1[11833]: TUN/TAP TX queue length set to 1000
Mar 6 18:35:52 ovpn-server1[11833]: ovpn-up 1 server tap21 1500 1655 init
Mar 6 18:35:52 kernel: ADDRCONF(NETDEV_CHANGE): tap21: link becomes ready
Mar 6 18:35:52 kernel: br0: topology change detected, propagating
Mar 6 18:35:52 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:35:52 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:35:52 ovpn-server1[11833]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mar 6 18:35:52 ovpn-server1[11833]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Mar 6 18:35:52 ovpn-server1[11833]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Mar 6 18:35:52 ovpn-server1[11833]: TCPv4_SERVER link remote: [AF_UNSPEC]
Mar 6 18:35:52 ovpn-server1[11833]: MULTI: multi_init called, r=256 v=256
Mar 6 18:35:52 ovpn-server1[11833]: IPv4 pool size is too small (1), must be at least 2
Mar 6 18:35:52 ovpn-server1[11833]: Exiting due to fatal error
Mar 6 18:35:52 ovpn-server1[11833]: Closing TUN/TAP interface
Mar 6 18:35:52 ovpn-server1[11833]: ovpn-down 1 server tap21 1500 1655 init
Mar 6 18:35:52 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:36:01 rc_service: service 11880:notify_rc restart_vpnserver1
Mar 6 18:36:02 kernel: br0: port 5(tap21) entering disabled state
Mar 6 18:36:02 kernel: br0: port 5(tap21) entering disabled state
Mar 6 18:36:04 kernel: device tap21 entered promiscuous mode
Mar 6 18:36:04 kernel: ADDRCONF(NETDEV_UP): tap21: link is not ready
Mar 6 18:36:04 ovpn-server1[11948]: OpenVPN 2.5.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 6 2023
Mar 6 18:36:04 ovpn-server1[11948]: library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.08
Mar 6 18:36:04 ovpn-server1[11949]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mar 6 18:36:04 ovpn-server1[11949]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 6 18:36:04 ovpn-server1[11949]: PLUGIN AUTH-PAM: initialization succeeded (fg)
Mar 6 18:36:04 ovpn-server1[11949]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mar 6 18:36:04 syslog: PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
Mar 6 18:36:04 ovpn-server1[11949]: Diffie-Hellman initialized with 2048 bit key
Mar 6 18:36:04 ovpn-server1[11949]: TUN/TAP device tap21 opened
Mar 6 18:36:04 ovpn-server1[11949]: TUN/TAP TX queue length set to 1000
Mar 6 18:36:04 ovpn-server1[11949]: ovpn-up 1 server tap21 1500 1655 init
Mar 6 18:36:04 kernel: ADDRCONF(NETDEV_CHANGE): tap21: link becomes ready
Mar 6 18:36:04 kernel: br0: topology change detected, propagating
Mar 6 18:36:04 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:36:04 kernel: br0: port 5(tap21) entering forwarding state
Mar 6 18:36:04 ovpn-server1[11949]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mar 6 18:36:04 ovpn-server1[11949]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Mar 6 18:36:04 ovpn-server1[11949]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Mar 6 18:36:04 ovpn-server1[11949]: TCPv4_SERVER link remote: [AF_UNSPEC]
Mar 6 18:36:04 ovpn-server1[11949]: MULTI: multi_init called, r=256 v=256
Mar 6 18:36:04 ovpn-server1[11949]: IPv4 pool size is too small (1), must be at least 2
Mar 6 18:36:04 ovpn-server1[11949]: Exiting due to fatal error
Mar 6 18:36:04 ovpn-server1[11949]: Closing TUN/TAP interface
Mar 6 18:36:04 ovpn-server1[11949]: ovpn-down 1 server tap21 1500 1655 init
 

Attachment: Bez nazwy.jpg
As the error message says, your DHCP pool setting is invalid. Either set your pool size to 2 or more, or set Allocate from DHCP to Yes.
 
You are indeed right, thank you.
There was no problem with the previous software. However, I would like the address not to be assigned via DHCP, because DHCP is disabled. Only I (one client) will connect. Therefore, address allocation was disabled and set to a fixed range of one IP address for the VPN (10.0.0.9 to 10.0.0.9). How do I configure it?
 
If DHCP is disabled on the server then you must have been setting a static address on the client. Therefore it doesn't really matter what DHCP options you set. I would set Allocate from DHCP to Yes and leave it at that.
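The two address-assignment choices behind this exchange, written as upstream OpenVPN server directives rather than the router's UI labels. This is an added illustration, not configuration from the thread or from the router firmware: that "Allocate from DHCP: Yes" corresponds to the parameter-less `server-bridge` form is an assumption, as are the 10.0.0.1 gateway and the second pool address; 10.0.0.9 is the address the poster wants.

```conf
dev tap

# Choice 1: the server hands out addresses from its own pool. In bridged
# (TAP) mode OpenVPN refuses a pool of a single address, which is the
# "IPv4 pool size is too small (1), must be at least 2" exit in the log.
#   server-bridge <gateway> <netmask> <pool-start> <pool-end>
server-bridge 10.0.0.1 255.255.255.0 10.0.0.9 10.0.0.10

# A single client can still be pinned to one address regardless of the
# pool, through a per-client file under client-config-dir named after
# the client certificate's common name (file content shown as a comment):
client-config-dir ccd
#   ccd/<common-name>:  ifconfig-push 10.0.0.9 255.255.255.0

# Choice 2: no server-side pool at all. The client obtains its address
# from the LAN's DHCP server through the bridge (DHCP-proxy mode) or sets
# a static one itself. Only one of the two server-bridge lines may be
# active, so this one is commented out here.
# server-bridge
```

Either choice satisfies the pool check; the per-client `ifconfig-push` is the way to get the fixed 10.0.0.9 without relying on a DHCP server the poster says is switched off.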
 
The VPN works, thank you very much.
I still have problems with the new software, but maybe not all at once.
Can someone explain to me how the firewall/web service filter works? In the previous firmware I had a firewall/network filter defined such that I had a whitelist for ports 80, 443, 993, 25, 465 for IP 10.0.0.4. Thanks to this, my daughter had access only to websites and e-mail. Currently, with the web service filter configured, when the whitelist filter is running, no network device is allowed to access the internet, except for the IP address "10.0.0.4", which has full access.
When I switch to the blacklist, the IP address "10.0.0.4" is blocked from the Internet. It's as if port filtering doesn't work at all!
Is something messed up in the router, or do I just not understand the current working principle?

Attached is a screenshot of the configuration.
 

Attachment: Bez nazwy.jpg