I’m working to set up my home network with separate Virtual APs for the kids. The goal is to be able to control various aspects of their usage by controlling which AP is used for a connection (hours of operation, what sites can be accessed, etc.)
I’m planning on using:
DNS: Some Virtual APs will use a service like OpenDNS to block time wasters, etc.
Firewall Rules: Create some drop rules which use a blacklist. Populate/update the blacklist by using /resolve.
Script scheduling: Bring the Virtual APs up/down on a schedule.
Network looks like this:
Modem/Router from Provider
(NAT/DHCP for next level down)
|
V
RB750GL
(NAT/DHCP for the network)
1 PC
1 Network Printer (manual ip)
|
V
RB951G-2HnD (bridge mode)
- wlan1
- virtual-wlan1
- virtual-wlan2
...
Various wired connections
I’m looking to solve the first challenge mentioned above.
How can I configure DHCP to serve one config for some of the SSIDs (e.g. OpenDNS) and serve a “normal” DNS address to others based on the interface?
I’m open to running DHCP on the 951 instead of the 750 if that helps.
What’s your plan regarding subnets? For blocking stuff, it would be easiest to have different ones for virtual APs. Just let them be independent interfaces, add different subnet and DHCP server to each, set up firewall, and there’s no chance for anyone to escape. But it may possibly be a problem for some services in LAN, for example for something that depends on broadcasts. The other way is one big LAN with common subnet (all interfaces bridged), enabled IP firewall for bridge and filtering done based on source port.
In any case, you can’t just give different DNS server to clients using DHCP, without some extra steps. Anyone will get around that. You need to hijack any DNS request from these clients and send them to right server.
I was initially hoping to avoid subnetting but am starting to think I would need to do that. If I do subnet I know I’ll have some issues to sort with the printer but I’m willing to deal with the printer issues to get the DNS restrictions in for the time being.
I do understand that I’ll need some firewall rules to prevent using external DNS directly. There are examples I’ve come across for this already.
Sounds like I could set up 2 DNS servers, one for each subnet. One delegates to an unfiltered DNS and the other which delegates to OpenDNS. If I set up a subnet for each virtual AP then I suppose I can use a DHCP server for each to serve those subnets. For the subnet with the restrictions, firewall rules to forward all DNS to the local server.
I suppose I could also not use local DNS and just the 2 DHCP servers and write the traffic capture firewall rules to route to the filtering DNS.
The setup doesn’t need to be escape proof. This is a home network and I’m just trying to prevent my kids from wasting all their time instead of doing homework. I figure if they break out then at least they are learning some networking basics.
If you have any pointers and suggestions on where to read in the manual or howtos I’d appreciate it.
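As an added example of the per-interface subnet, DHCP and DNS-redirect layout discussed in the thread (not a configuration from the original posts or from MikroTik), here is a RouterOS command set for the RB951G. It assumes the 951 is switched from bridge mode to routing, that `virtual-wlan1` is the kids’ AP, that `192.168.10.0/24` and `192.168.20.0/24` are free to use, and that the OpenDNS resolver addresses given are the ones the filtering service actually hands out; the RB750GL would also need routes back to both subnets.

```routeros
# Added example, not from the thread. Interface names, subnets and resolver
# addresses are assumptions; adjust to the real network.

# One address per interface, so the two APs are separate subnets, not bridged
/ip address add address=192.168.10.1/24 interface=wlan1 comment="normal LAN"
/ip address add address=192.168.20.1/24 interface=virtual-wlan1 comment="kids LAN"

# One DHCP pool and one DHCP server per interface
/ip pool add name=pool-normal ranges=192.168.10.100-192.168.10.200
/ip pool add name=pool-kids ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add name=dhcp-normal interface=wlan1 address-pool=pool-normal disabled=no
/ip dhcp-server add name=dhcp-kids interface=virtual-wlan1 address-pool=pool-kids disabled=no

# The network entry is what decides which DNS server each subnet is handed.
# The normal LAN gets the router itself (it forwards to the upstream resolver
# it learned from the RB750GL); the kids LAN gets the filtering service.
/ip dns set allow-remote-requests=yes
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=208.67.222.222,208.67.220.220

# Handing out a DNS address via DHCP is only a suggestion to the client, so
# redirect every DNS query leaving the kids subnet to the filtering resolver,
# whatever server the client has configured by hand (UDP and TCP port 53)
/ip firewall nat add chain=dstnat src-address=192.168.20.0/24 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53 comment="kids: force filtered DNS"
/ip firewall nat add chain=dstnat src-address=192.168.20.0/24 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53 comment="kids: force filtered DNS (tcp)"

# Keep the kids subnet out of the main LAN; put a specific accept rule for the
# printer's address in front of this one if it should stay reachable
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=drop comment="kids: no access to main LAN"

# Scheduled hours of operation: AP off at 21:00, on at 07:00, every day
/system scheduler add name=kids-ap-off start-time=21:00:00 interval=1d \
    on-event="/interface wireless disable virtual-wlan1"
/system scheduler add name=kids-ap-on start-time=07:00:00 interval=1d \
    on-event="/interface wireless enable virtual-wlan1"
```

The dst-nat redirect is the piece that makes the DNS choice stick; without it, a client that sets its own resolver bypasses the filter exactly as the reply above warns.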