
HyperliteG4

macrumors regular
Original poster
Jul 18, 2002
248
164
Southern California
I would like to segment my network up so that I can better lock down my kids as they are getting to the ages where I'll need to get them a computer.

I would prefer to use OpenDNS's filtering services on a router level, however I don't want to lock my wife and me down too much, which is why I'm wondering about segmenting.

I currently have an Airport Extreme A/C, Airport Extreme (2011 model) and 2 current Airport Expresses. We are a pretty well Mac-based household with 1 iMac, 2 MBPs, 3 iPad minis, 2 iPhones and 2 ATVs.

I did some digging and found a tip about creating a separate pool for the kids' devices where they use OpenDNS for their DNS and I could leave everything else untouched. I already lock them out of modifying the network settings on their devices, so them changing this shouldn't be much of an issue.

Here's a link to that article: http://joeywhelan.blogspot.com/2013/09/dns-jailed-network.html

Does anyone have any recommendations they could share or give me a pointer of what equipment I might need or whatnot? I'm wondering if I should use a Mac Mini as a home server and do the DHCP there or are there other devices? Any help is greatly appreciated!!
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
If you truly want to lock out various web sites, OpenDNS won't work since it doesn't do deep-packet inspection (that was why I switched to Cymphonix Composer a few years ago). Using proxy servers or simply bypassing using https is a breeze, and kids being kids...
Without the expensive equipment there are few choices. One is using a whitelist on the Mac itself, and THAT will mean quite a bit of hands-on making settings changes. There's also the "access window" method, which is to have your router set up access only during certain hours, and starting the DHCP higher up allowing your own machine 24/7 access with no filter. And there's "in full view", in that they can't cuddle up in bed all alone when they do have full access.
It's been a while since I've had to think of a solution as my daughter is 20 now and she has of course full access. I'd be interested in seeing any other solutions from readers.
 

BS_Squasher

macrumors newbie
Jan 31, 2016
1
1
I don't believe you understood the technical details of the article that Hyperlite posted. I don't see bypassing that configuration specified "a breeze", at all. Https is no help and neither is "kids being kids." If you believe differently still, go ahead and show a detailed example of how you would bypass the VLAN/OpenDNS configuration specified. Feel free to get as technical as you like in that scenario description.

"Deep-packet" inspection is certainly necessary in firewalls. It is not necessary for our kids. It's unnecessary complexity and unnecessary cost.

OpenDNS protections alone could be circumvented by kids that understand DNS; however, they will not easily get around the additional barriers implemented using a VLAN with an ACL, as described.

So to answer Hyperlite's question: you simply need a router that can implement VLANs and ACLs. Put your kids in a VLAN that has an ACL that restricts all DNS queries to OpenDNS. Then, use OpenDNS's interface to lock down their content.
 
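A check for the VLAN/ACL setup described in the post above, meant to be run from a device on the kids' VLAN: it confirms that only OpenDNS answers DNS queries. This is an added example, not part of the thread or the linked article; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers, and 8.8.8.8 and 1.1.1.1 are stand-ins chosen here for "any other resolver".

```python
import socket
import struct

OPENDNS = ["208.67.222.222", "208.67.220.220"]  # the only resolvers the ACL should permit
OTHER = ["8.8.8.8", "1.1.1.1"]                  # sample resolvers the ACL should block

def build_query(name, txid=0x1234):
    """Minimal DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = (bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    qname = b"".join(labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_reply(packet, txid=0x1234):
    """True if packet is a DNS response carrying our transaction id."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack(">HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)  # QR bit marks a response

def probe(server, name="example.com", timeout=2.0):
    """Send one UDP query to server:53; True only if that server replied."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, addr = s.recvfrom(512)
        except OSError:  # timeout or network unreachable: treated as blocked
            return False
        return addr[0] == server and is_reply(data)

def verdict(results):
    """results maps server -> answered. Returns a list of problems; empty means OK."""
    problems = []
    for srv in OPENDNS:
        if not results.get(srv):
            problems.append(f"{srv}: OpenDNS unreachable")
    for srv, answered in results.items():
        if srv not in OPENDNS and answered:
            problems.append(f"{srv}: DNS not blocked")
    return problems

if __name__ == "__main__":
    results = {srv: probe(srv) for srv in OPENDNS + OTHER}
    for line in verdict(results) or ["ACL OK: only OpenDNS answers DNS"]:
        print(line)
```

The probe covers UDP port 53 only; the ACL itself should apply the same restriction to TCP port 53.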

Altemose

macrumors G3
Mar 26, 2013
9,189
488
Elkton, Maryland
If you prefer to use OpenDNS then simply set that as the default on the router and switch your devices over to Google DNS, or manually configure their devices to use OpenDNS. Keep in mind that when they leave your network they will lose your settings.
 