[SOLVED] Router with white listing by user?

cgott42

I currently have Optimum Internet Service and an Arris cm8200 modem, which connects to a Deco M9+ AC2200 Mesh Wifi System.
The Deco has parental controls so that I can limit internet access to specific users/devices at specific times and on demand.
However, the option is either to turn it on or off, with pre-programmed categories to block, or to block individual sites.
Question - does anyone know of a router (doesn't have to have a mesh system) which allows whitelisting, so that I can allow internet access but limit it to a few sites?
 
Most features like this are outdated and no longer really work.

Almost all traffic is encrypted so it is impossible to do so called "deep packet inspection". The last hole of spying on the DNS has also been mostly closed by newer browsers that encrypt the DNS.

So you are left with trying to block by IP address, but even that does little since everything is now running on cloud servers, so the IPs just come back to large cloud providers and many times many different servers will share the same IP blocks.

That said maybe if you can identify a very small list of IP that you want to allow that might work. I would look at tplink and asus they tend to have better firewall options.

It tends to be pretty easy to hack around these. Things like mac addresses are easily changed and unless you extremely limit the list of destination IPs there are many vpn services. Even some browsers have free proxy stuff that lets you bypass many filters because it looks like the traffic is going to google or some other common destination.

The only way to really do this is with software on the end device that can see the traffic before it is encrypted. You can also use more commercial solutions. Things like radius servers using 802.1x (this is called enterprise mode on wifi) can prevent the changing of mac addresses, and commercial firewalls can filter traffic somewhat better, but all traffic is still encrypted so even those are limited.
 
Most features like this are outdated and no longer really work.
That said maybe if you can identify a very small list of IP that you want to allow that might work. I would look at tplink and asus they tend to have better firewall options.
My son has a few sites that he needs + access to ea.com gaming servers for online gaming. Those are the only ones that I'll include on the whitelist. I want everything else blocked by default. I can do this from the PC, but I was hoping for something that works on the router that I can control via an app.
 
I know asus and tplink can both do this with their firewall rules. They have a limited number of whitelist rules, but if you want more you can load third party firmware like dd-wrt on many routers, and that, using the messy iptables, can pretty much do anything you can think of.

You have 2 fairly major issues. First, you can not just key in EA.COM and magically allow stuff. You have no way to see the domain, you can only see the IP addresses. If it was only the main domain then you could just look that up I guess. Problem is you need the main domain and whatever other servers they use to authenticate an account. After that you need actual lists of all the game servers, and they have a massive amount of different games, so you will never be able to whitelist them all. I am not sure how you would go about even getting the list of IP addresses for their servers.

Next, the reason most routers only allow you to put in a limited number of rules is that it takes cpu power to process them and routers have tiny cpu chips. So even though you can use dd-wrt to bypass this limit and put in really fancy firewall rules, the cpu capacity will quickly cap you when you have large lists.

The other concern will depend on how fast an internet connection you have. Again, because of the limited power of the cpu chip, router manufacturers have a feature that lets NAT traffic bypass the cpu chip. Without this feature it will cap your speeds at 250-300mbps. Just turning on any form of filtering, without any rules, disables this cpu bypass, so the cpu is now doing all the NAT function as well as any rules you put in.
 
Thanks for the info. Disappointing, but I appreciate you providing it.
FWIW - he has only 1 game on the ea.com servers that he plays (star wars battlefront) - if that helps any.
 
Makes it somewhat simpler I guess. It is a matter of coming up with the list of IP.

Not sure the best way to get them and not miss some. The brute force approach is to run something like wireshark on the end device if it is a pc. You would set it to send the capture to some file. It would be best if you filter it to only capture the first 40 bytes or so, that way the file won't be as large. You could then run a report and get a list of all the IP addresses that it used. There likely is some junk if anything else is running on the machine.

If you are very lucky all the addresses needed will be in the same subnet and you can use a single rule to do them all using the correct subnet mask. It's likely though that there are at least 2 major groups, since the servers you log into are many times in different data centers than the game servers.

People think stuff like this is easy until they start to look at how complex the back end to things like games and even web sites really is.
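As an added example (not code posted by anyone in this thread), this script turns the capture-based approach above and the earlier dd-wrt iptables suggestion into something concrete: it summarises the destination addresses a child's PC talked to into /24 networks, then emits whitelist rules for that one device. The capture lines, the client address 192.168.68.50 and all destination addresses are constructed for illustration and are not real EA or cloud addresses.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape "src -> dst", one line per captured packet,
# as you might export from a Wireshark capture on the child's PC while they
# log in and play. A real capture is far longer and contains other apps' traffic.
SAMPLE_CAPTURE = """\
192.168.68.50 -> 159.153.64.12
192.168.68.50 -> 159.153.64.40
192.168.68.50 -> 159.153.65.7
192.168.68.50 -> 34.120.3.9
192.168.68.50 -> 34.120.3.22
192.168.68.50 -> 192.168.68.1
192.168.68.50 -> 142.250.72.100
"""

def destination_networks(capture, client_ip, prefix=24, min_hits=1):
    """Return the /prefix networks the client sent traffic to, excluding its own
    LAN. Raising min_hits filters out incidental 'junk' from other programs on
    the PC, at the risk of dropping a rarely used but needed server."""
    client = ipaddress.ip_address(client_ip)
    lan = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
    hits = Counter()
    for line in capture.splitlines():
        src, _, dst = line.split()
        if ipaddress.ip_address(src) != client:
            continue  # only traffic originated by the child's device matters
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        if not net.overlaps(lan):
            hits[net] += 1
    return sorted((n for n, c in hits.items() if c >= min_hits),
                  key=lambda n: int(n.network_address))

def whitelist_rules(client_ip, networks):
    """Build iptables FORWARD rules for a dd-wrt style firewall script: drop
    everything from the child's device, then insert accepts for each whitelisted
    network ahead of the drop. Assumes the device has a static LAN IP set in the
    router and uses the router itself for DNS (that is INPUT, not FORWARD)."""
    rules = [f"iptables -I FORWARD 1 -s {client_ip} -j DROP"]
    # Each later -I 1 lands in front of the DROP, so the accepts win.
    rules += [f"iptables -I FORWARD 1 -s {client_ip} -d {n} -j ACCEPT"
              for n in networks]
    return rules

if __name__ == "__main__":
    for rule in whitelist_rules("192.168.68.50",
                                destination_networks(SAMPLE_CAPTURE, "192.168.68.50")):
        print(rule)
```

With the sample the summary already shows two separate groups (159.153.64.0/24 and 159.153.65.0/24 versus 34.120.3.0/24), which is the "login servers in one data center, game servers in another" situation the post describes; any server not seen during the capture stays blocked.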
 
Solution
For blocking bad content, you can use OpenDNS Family Shield, which is free, and OpenDNS Family Security. Instead of using your normal ISP DNS, you can set your router to use the OpenDNS Family Shield DNS. This will block a lot of bad content. OpenDNS Family Security is a little different, where you can customize what sites to block: https://www.howtogeek.com/79998/protect-your-kids-online-using-open-dns-2/

For whitelisting, you may be able to find a PROXY that'll allow you to do that. But I'm not sure if you can set a proxy for individual users on your router; however, you can set up the computer to use a proxy server and require admin privileges on the PC to change the proxy setting. That's how it's done in the corporate world. You might even be able to do this with a firewall. Deny internet access to every app except EA/Origin and specific games. Then lock down the firewall with admin rights.

You can also make your own proxy server on your network with a Raspberry Pi single board computer. A popular software package is called pi-hole. It's very customizable. I haven't used pihole myself, but I know you can set up GROUPS. So adults in one group and kids in another group. Set the kids group to block everything except whitelisted websites. Then set static IP addresses for clients in your router, and attach the IP to the kids group.

According to this thread, you block the entire internet with .* in your regex, then simply create a whitelist of the sites the kids group is allowed to visit: https://www.reddit.com/r/pihole/comments/inp6un/regex_syntax_question_block_entire_internet/
 
The problem with using OPENDNS is you can really only use that to block the main web site. You can't block the game servers themselves. Those are never resolved via DNS, and most games seem to get the list from the server using some other method.

The other problem with opendns is many browsers like chrome now allow you to directly override the system DNS setting in the browser itself. It even gets by a firewall that attempts to force you to use internal DNS servers. You can pretty much just set it to cloudflare and then set it to use fully encrypted DNS over HTTPS, and it will pass through just about any firewall.