Home wifi and restricting others' usage
Thread Starter
Join Date: Apr 2009
Location: UK
Posts: 816
I will shortly be taking in a couple of colleagues as lodgers in my home and as part of the deal they will have access to the internet through the house wifi network.
I am concerned that as the bill payer, I could potentially have problems if my housemates use the internet connection for anything dodgy or illegal. I am particularly thinking of illegal filesharing, copyright theft, downloading movies and music but also if they happen to be into dwarf porn or, God forbid, something worse.
Is there any simple way of blocking undesirable internet usage on a home wifi network?
Join Date: Jan 2012
Location: .
Posts: 2,173
Sign up to OpenDNS and set the router DNS settings to use that.
And make sure access to the router is secured.....
OpenDNS for Homes and Families
I use the free version at a residential rehab home for mentally/emotionally/morally challenged patients, and it works quite well.
Last edited by Milo Minderbinder; 4th Feb 2013 at 01:22.
Join Date: Feb 2012
Location: Cape Town / UK / Europe
Posts: 728
I read the article about OpenDNS with interest as it looked like a simple way of solving a couple of minor concerns, primarily my teenage son spending too much time (in my view anything in excess of a nanosecond is too much!) on Faecesbook. It looked too good to be true, and as is often the case, it was.
Unfortunately the DNS settings on the router are preset and can't be changed, and I can't work out how (if possible) to do it on my browser (FF) but if I can change them on the browser he could change them back. For what it's worth he uses Chrome and also accesses it via his mother's iPad. Anyway it's a losing battle as kids are always light years ahead when it comes to things like this.
That said, thanks for an informative and interesting article, and it will solve a problem for me at one of the sites I work at where I have been put in charge of their network (in the land of the blind ....!) and they will expect me to stop employees accessing certain sites.
Last edited by Tableview; 4th Feb 2013 at 06:31.
Spoon PPRuNerist & Mad Inistrator
The DNS settings are in the connection IP properties in the OS, not the browser. You are still correct, though - if you have access rights you can change them there and bypass what's set on the router.
Ideally you should use a web proxy, such as Websense or Bluecoat, for this as these cannot be bypassed as above if set up correctly with a properly configured firewall.
Depends on your budget and number of employees.
SD
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
I would think it a bit unusual for DNS settings in a router to be preset. What happens if you change ISP? Is this a specialist one such as Sky, where you don't have any access?
In that case the best answer may be a new router (and change the Admin password!)
Join Date: Feb 2006
Location: UK
Posts: 592
I would think it a bit unusual for DNS settings in a router to be preset.
Me? I would simply replace the Home Hub with a better router anyway.
Last edited by The late XV105; 4th Feb 2013 at 08:54.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Is there any simple way of blocking undesirable internet usage on a home wifi network?
Anything simple is going to be simple to bypass.
You're going to have to put some degree of effort into anything worth doing.
If you want something simple... get a second broadband line with BT Retail (assuming you are not currently a BT Retail customer)... and allow BT to enable the Openzone public hotspot feature.... that way, you will force people to have their own BT Openzone account and are therefore legally accountable for any actions taken under their own Openzone account.
Last edited by mixture; 4th Feb 2013 at 10:33.
Join Date: Dec 2011
Posts: 2,460
At home I have set up a second wifi AP for kids' use. They tend to have infected laptops because they click on every link they see; on one occasion I found 13 trojans on one laptop.
That AP is an old Linksys one (don't recall the P/N but it is about £20 on Ebay) which allows 3 port number ranges to be blocked.
IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive.
The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN. It also pretty well blocks the use of the connection for P2P which is a perpetual hassle with internet usage, in both potential illegality and blowing away your monthly GB allowance.
The users can do HTTP and HTTPS which is about all you can do on most public wifi anyway.
But you cannot stop your customers from downloading illegal material. The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive. The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN.
The OP was talking about "lodgers", not kids here.... so you have to assume some lodgers will have more than a degree of technical competence.
The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.
Last edited by mixture; 4th Feb 2013 at 14:19.
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
I think you all might be frightening the OP a little here.
DNS port lockdown plus OpenDNS *should* be sufficient, and I don't think law enforcement agencies would be expecting you to have put in £xxxk's worth of SPI firewalls and full network architecture just to limit the exploits of a couple of lodgers.
If you're that worried, then a legal agreement is probably the easiest way to ensure safety, but whilst prudent even then that's going above and beyond what's expected.
I'd suggest a Tomato router would be a useful addition though. It gives you options above and beyond the basic BT HH, at a reasonable price point. I can talk you through setting one up if you want to PM me.
Cheers,
Mike.
Spoon PPRuNerist & Mad Inistrator
Mike,
The thread topic has been expanded by Tableview, so there's 2 questions being discussed - the OP's one relating to the "lodgers", and another relating to a work scenario.
As long as the "lodgers" have admin rights to their PCs, there's no way of preventing them from inserting whatever DNS servers they want in their IP config, and simply bypassing what's in the router or ISP.
If you could block outbound DNS queries on the home router and use the router as a DNS forwarder that could work, but there aren't many home router/firewall/switch/adsl modems/WAPs that support that level of functionality. And as has already been noted, on some home devices you can't even specify a DNS server!
Both Mixture and PeterH suggest that you would actually have to provide a separate access method for "lodgers" to achieve the desired result, and I have to agree.
In a work environment a proxy is essential, combined with a firewall blocking ports such that all traffic MUST traverse the proxy. Whether the proxy is a dedicated device or a SW device (e.g. MS ISA server, sorry TMG) depends on budget and technical capability. DNS can be handled in a number of ways, but at least the administrator will have control of it.
SD
Mixture
No need to get a 2nd BT Broadband line. As long as the existing BT broadband account is "Opted in" to BT WiFi then the BT HomeHub will broadcast a BT WiFi with Fon and a BT WiFi SSID along with the normal hub SSID.
Anyone who sets up a BT WiFi account can then log into the BT WiFi service and get speeds of between 0.5 and 3.0 Mb/s. None of this usage counts against the owner of the broadband account. Up to 5 IP addresses are available on the BT WiFi from a HomeHub. The broadband account owner always gets preference over the available bandwidth.
Thread Starter
Join Date: Apr 2009
Location: UK
Posts: 816
Thanks for the replies. It looks like I have a few options to investigate.
Whilst I have no reason to distrust my lodgers I am aware that the filesharing lawyers tend to hold the bill payer accountable for all use of the internet connection, and with that in mind my guests may be inclined to download a few MP3s or movies. I am just keen to minimize the risk of any legal bother.
In the absence of blocking, would it be possible to log traffic through the router so as to provide some evidence, if necessary?
Thanks for all the helpful suggestions.
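The DNS lockdown described earlier in the thread (block outbound DNS at the router, let the router act as forwarder), combined with the logging asked about in the post above, as an added example that is not part of any poster's message. It assumes a router whose firmware accepts iptables firewall scripts (Tomato is one such), a LAN bridge named `br0` and a log prefix `DNS-BLOCKED`; the log lines are constructed, and it only covers plain DNS on port 53.

```shell
#!/bin/sh
# Added example. Assumed values, not from the thread: LAN bridge br0 and the
# "DNS-BLOCKED" log prefix. Clients are handed the router as DNS server via
# DHCP; the router's own forwarder points at the filtering resolvers.
LAN_IF="${LAN_IF:-br0}"
LOG_PREFIX="DNS-BLOCKED"

# Print the rules instead of running them, so they can be reviewed first and
# then added to the router's firewall script (or piped to sh as root).
# -I puts each rule at the top of FORWARD, so LOG is emitted after DROP and
# ends up above it. Queries to the router itself traverse INPUT, not FORWARD,
# and are therefore unaffected.
dns_lockdown_rules() {
    for proto in udp tcp; do
        echo "iptables -I FORWARD -i $LAN_IF -p $proto --dport 53 -j DROP"
        echo "iptables -I FORWARD -i $LAN_IF -p $proto --dport 53 -j LOG --log-prefix \"$LOG_PREFIX \""
    done
}

# Summarise kernel log lines written by the LOG rule: one output line per
# (client, resolver) pair, followed by the number of blocked attempts.
dns_bypass_report() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "") count[src " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample log; resolver addresses are from documentation ranges.
sample_log() {
    cat <<'EOF'
Feb  4 21:02:11 router kernel: DNS-BLOCKED IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.53 LEN=61 TTL=63 PROTO=UDP SPT=51514 DPT=53
Feb  4 21:02:16 router kernel: DNS-BLOCKED IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.53 LEN=61 TTL=63 PROTO=UDP SPT=51515 DPT=53
Feb  4 21:05:40 router kernel: DNS-BLOCKED IN=br0 OUT=ppp0 SRC=192.168.1.31 DST=198.51.100.53 LEN=72 TTL=63 PROTO=TCP SPT=40112 DPT=53
Feb  4 21:06:02 router dnsmasq[211]: query[A] example.com from 192.168.1.23
EOF
}

dns_lockdown_rules
sample_log | dns_bypass_report
```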
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
As long as the "lodgers" have admin rights to their PCs, there's no way of preventing them from inserting whatever DNS servers they want in their IP config, and simply bypassing what's in the router or ISP.
If you could block outbound DNS queries on the home router and use the router as a DNS forwarder that could work, but there aren't many home router/firewall/switch/adsl modems/WAPs that support that level of functionality. And as already been noted, on some home devices you can't even specify a DNS server!
Coupling that with a little legalese surrounding the computer misuse act in the tenancy agreement, and you can practically solve the problem for the home user.
Most routers with a built-in firewall have this ability. Certainly the Netgear, Draytek, Linksys, etc consumer range do (all bets are off with the HomeHub!)
Join Date: Jan 2012
Location: .
Posts: 2,173
As far as I'm aware there has still not yet been a successful UK prosecution in which the owner of a wireless network has been found guilty of what others have downloaded on the network.
When it came to providing evidence, the copyright police have always caved in. They make their money by scaring people into compromising and paying up before it goes to court......
The biggest crook (sorry lawyer) in the game got his wings clipped last year anyway, and was bankrupted after being caught indulging in legally incorrect practices: sending out thousands of threatening letters with no evidence to back them up.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Giving out the aforementioned OpenDNS servers via DHCP would then render any config change other than a mass 'hosts' file edit impractical.
Last edited by mixture; 4th Feb 2013 at 21:26.
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133