Home wifi and restricting others' usage


Torque Tonight
3rd Feb 2013, 23:46
I will shortly be taking in a couple of colleagues as lodgers in my home and as part of the deal they will have access to the internet through the house wifi network.

I am concerned that as the bill payer, I could potentially have problems if my housemates use the internet connection for anything dodgy or illegal. I am particularly thinking of illegal filesharing, copyright theft, downloading movies and music but also if they happen to be into dwarf porn or, God forbid, something worse.

Is there any simple way of blocking undesirable internet usage on a home wifi network?

Milo Minderbinder
4th Feb 2013, 01:20
Sign up to OpenDNS and set the router DNS settings to use that.
And make sure access to the router is secured.....

OpenDNS for Homes and Families (http://www.opendns.com/home-solutions/)

I use the free version at a residential rehab home for mentally /emotionally /morally challenged patients, and it works quite well

Loose rivets
4th Feb 2013, 03:47
A well written thingy.

OpenDNS - What is OpenDNS and Why You Absolutely Need It ? (http://www.labnol.org/internet/tools/opendsn-what-is-opendns-why-required-2/2587/)

probes
4th Feb 2013, 06:07
I will shortly be taking in a couple of colleagues as lodgers
having read your concerns - don't take them? :hmm: And save the tips for the time you need it for your kids.

Tableview
4th Feb 2013, 06:29
I read the article about OpenDNS with interest as it looked like a simple way of solving a couple of minor concerns, primarily my teenage son spending too much time (in my view anything in excess of a nanosecond is too much!) on Faecesbook. It looked too good to be true, and as is often the case, it was.

Unfortunately the DNS settings on the router are preset and can't be changed, and I can't work out how (if possible) to do it on my browser (FF), but if I can change them on the browser he could change them back. For what it's worth he uses Chrome and also accesses it via his mother's iPad. Anyway it's a losing battle as kids are always light years ahead when it comes to things like this.

That said, thanks for an informative and interesting article, and it will solve a problem for me at one of the sites I work at where I have been put in charge of their network (in the land of the blind ....!) and they will expect me to stop employees accessing certain sites.

Saab Dastard
4th Feb 2013, 08:04
The DNS settings are in the connection IP properties in the OS, not the browser. You are still correct, though - if you have access rights you can change them there and bypass what's set on the router.

it will solve a problem for me at one of the sites I work at where I have been put in charge of their network (in the land of the blind ....!) and they will expect me to stop employees accessing certain sites.

Ideally you should use a web proxy, such as Websense or Bluecoat, for this as these cannot be bypassed as above if setup correctly with a properly configured firewall.

Depends on your budget and number of employees.

SD

Keef
4th Feb 2013, 08:07
I would think it a bit unusual for DNS settings in a router to be preset. What happens if you change ISP? Is this a specialist one such as Sky, where you don't have any access?

In that case the best answer may be a new router (and change the Admin password!)

The late XV105
4th Feb 2013, 08:50
I would think it a bit unusual for DNS settings in a router to be preset.

There may be others too, but on the BT Home Hub (all versions) this is certainly the case; DNS settings are locked down and cannot be changed by a User without reflashing the firmware. Of course there are other workarounds too, but they involve additional hardware. Here's (http://punj-technology.********.co.uk/2011/02/using-opendns-with-bt-homehub-broadband.html) an example of using OpenDNS via a cheap secondhand router together with a Home Hub.

Me? I would simply replace the Home Hub with a better router anyway.

mixture
4th Feb 2013, 10:31
Is there any simple way of blocking undesirable internet usage on a home wifi network?

In a nutshell. NO. Anyone who tells you to the contrary doesn't know what they are talking about.

Anything simple is going to be simple to bypass.

You're going to have to put some degree of effort into anything worth doing.

If you want something simple... get a second broadband line with BT Retail (assuming you are not currently a BT Retail customer)... and allow BT to enable the Openzone public hotspot feature.... that way, you will force people to have their own BT Openzone account and are therefore legally accountable for any actions taken under their own Openzone account.

peterh337
4th Feb 2013, 13:14
At home I have set up a second wifi AP for kids' use. They tend to have infected laptops because they click on every link they see; on one occasion I found 13 trojans on one laptop.

That AP is an old Linksys one (don't recall the P/N but it is about £20 on Ebay) which allows 3 port number ranges to be blocked.

IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive.

The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN. It also pretty well blocks the use of the connection for P2P which is a perpetual hassle with internet usage, in both potential illegality and blowing away your monthly GB allowance.

The users can do HTTP and HTTPS which is about all you can do on most public wifi anyway.

But you cannot stop your customers from downloading illegal material. The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.

mixture
4th Feb 2013, 14:17
IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive. The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN.

Yes and no. Port blocking is easily bypassed.... particularly if you've implemented it on a cheap firewall that doesn't do anything more than basic packet filtering.

The OP was talking about "lodgers", not kids here.... so you have to assume some lodgers will have more than a degree of technical competence.

The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.

That won't protect you from legal troubles if you just used a simple shared password setup. You need a proper hotspot setup where each person is registered and you maintain the logs.... hence my Openzone suggestion, because maintaining logs in a legally admissible format is probably too much hassle for your average Joe.

Mike-Bracknell
4th Feb 2013, 16:58
I think you all might be frightening the OP a little here.

DNS port lockdown plus OpenDNS *should* be sufficient, and I don't think law enforcement agencies would be expecting you to have put in £xxxk's worth of SPI firewalls and full network architecture just to limit the exploits of a couple of lodgers.

If you're that worried, then a legal agreement is probably the easiest way to ensure safety, but whilst prudent even then that's going above and beyond what's expected.

I'd suggest a Tomato router would be a useful addition though. It gives you options above and beyond the basic BT HH, at a reasonable price point. I can talk you through setting one up if you want to PM me.

Cheers,
Mike.

Saab Dastard
4th Feb 2013, 17:58
Mike,

The thread topic has been expanded by Tableview, so there's 2 questions being discussed - the OP's one relating to the "lodgers", and another relating to a work scenario.

As long as the "lodgers" have admin rights to their PCs, there's no way of preventing them from inserting whatever DNS servers they want in their IP config, and simply bypassing what's in the router or ISP.

If you could block outbound DNS queries on the home router and use the router as a DNS forwarder that could work, but there aren't many home router/firewall/switch/adsl modems/WAPs that support that level of functionality. And as has already been noted, on some home devices you can't even specify a DNS server!

Both Mixture and PeterH suggest that you would actually have to provide a separate access method for "lodgers" to achieve the desired result, and I have to agree.

In a work environment a proxy is essential, combined with a firewall blocking ports such that all traffic MUST traverse the proxy. Whether the proxy is a dedicated device or a SW device (e.g. MS ISA server, sorry TMG) depends on budget and technical capability. DNS can be handled in a number of ways, but at least the administrator will have control of it.

SD
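A worked configuration for the proxy-plus-firewall arrangement SD describes, added here as an example and not taken from the thread or from any of its posters: a Squid proxy on a LAN host with a blocked-domain list. The LAN range (192.168.1.0/24), the proxy's address (192.168.1.2) and the blocklist path are assumptions for illustration.

```conf
# squid.conf (added example): web proxy that blocks listed domains for the LAN.
# The LAN range and the blocklist path are assumed for illustration.
http_port 3128

acl localnet src 192.168.1.0/24
# One domain per line; a leading dot (e.g. ".facebook.com") also matches subdomains.
acl blocked dstdomain "/etc/squid/blocked.txt"

# Order matters: the first matching http_access line wins.
http_access deny blocked
http_access allow localnet
http_access deny all

# Keep the access log so there is a record of which client fetched what.
access_log /var/log/squid/access.log squid
```

This only does anything if clients cannot go round it, which is SD's point about the firewall: on the router, accept LAN-to-WAN traffic to ports 80 and 443 only from the proxy host and drop it from everyone else (for example `iptables -A FORWARD -s 192.168.1.2 -p tcp -m multiport --dports 80,443 -j ACCEPT` followed by `iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m multiport --dports 80,443 -j DROP`), and point the clients at the proxy by WPAD or group policy. Without the drop rule a user with admin rights simply switches the proxy off in their browser.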

EGTE
4th Feb 2013, 18:21
Mixture
No need to get a 2nd BT Broadband line. As long as the existing BT broadband account is "Opted in" to BT WiFi then the BT HomeHub will broadcast a BT WiFi with Fon and a BT WiFi SSID along with the normal hub SSID.

Anyone who sets up a BT WiFi account can then log into the BT WiFi service and get speeds of between 0.5 and 3.0 Mb/s. None of this usage counts against the owner of the broadband account. Up to 5 IP addresses are available on the BT WiFi from a HomeHub. The broadband account owner always gets preference over the available bandwidth.

Saab Dastard
4th Feb 2013, 18:48
EGTE, that looks like a reasonable solution - although the D/L speeds look a bit stingy.

SD

Torque Tonight
4th Feb 2013, 18:55
Thanks for the replies. It looks like I have a few options to investigate.

Whilst I have no reason to distrust my lodgers I am aware that the filesharing lawyers tend to hold the bill payer accountable for all use of the internet connection, and with that in mind my guests may be inclined to download a few MP3s or movies. I am just keen to minimize the risk of any legal bother.

In the absence of blocking, would it be possible to log traffic through the router so as to provide some evidence, if necessary.

Thanks for all the helpful suggestions.

Mike-Bracknell
4th Feb 2013, 20:07
The thread topic has been expanded by Tableview, so there's 2 questions being discussed

And therein lies the problem inherent with reading threads on an iPhone screen! Apols all.


As long as the "lodgers" have admin rights to their PCs, there's no way of preventing them from inserting whatever DNS servers they want in their IP config, and simply bypassing what's in the router or ISP.

If you could block outbound DNS queries on the home router and use the router as a DNS forwarder that could work, but there aren't many home router/firewall/switch/adsl modems/WAPs that support that level of functionality. And as has already been noted, on some home devices you can't even specify a DNS server!

Creating 2 rules in cascade, one specifically ALLOWing port 53 to 208.67.220.220 and 208.67.222.222 and then a second rule specifically DENYing all access to port 53 should sort all but ubergeek access to DNS on the LAN. Giving out the aforementioned OpenDNS servers via DHCP would then render any config change other than a mass 'hosts' file edit impractical.

Coupling that with a little legalese surrounding the computer misuse act in the tenancy agreement, and you can practically solve the problem for the home user.

Most routers with a built-in firewall have this ability. Certainly the Netgear, Draytek, Linksys, etc consumer range do (all bets are off with the HomeHub!)

Both Mixture and PeterH suggest that you would actually have to provide a separate access method for "lodgers" to achieve the desired result, and I have to agree.

The Tomato router I mention above gives you the ability to provide multiple virtual Wifi SSIDs, and combines it with a captive portal, web access monitoring, and specific VLANs and bandwidth throttling to ensure decent separation of home and lodger.

In a work environment a proxy is essential, combined with a firewall blocking ports such that all traffic MUST traverse the proxy. Whether the proxy is a dedicated device or a SW device (e.g. MS ISA server, sorry TMG) depends on budget and technical capability. DNS can be handled in a number of ways, but at least the administrator will have control of it.

SD
No issue there. Something like Squid would solve the issue as well.:ok:
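The two rule sets discussed above (peterh337's three blocked port ranges and Mike-Bracknell's allow-then-deny DNS cascade) both depend on first-match evaluation, so here is an added example, not code from the thread or from any poster, that models that evaluation and renders the DNS cascade in the iptables form it would take on a Linux-based router such as Tomato. The OpenDNS addresses and port numbers are the ones quoted in the thread; the chain name, the destination hosts and the packets fed to it are constructed test inputs. It also shows two things the posts argue about: the cascade stops a client that has set its own resolver (mixture's Control Panel bypass), but a port filter cannot see a resolver reached over HTTPS on 443, which is the "ubergeek" gap Mike concedes.

```python
"""Added example (not from the thread): a first-match packet-filter model of the
two rule sets discussed above, plus the iptables rendering of the DNS cascade.
The resolver addresses and ports are the ones quoted in the thread; the chain
name, test destinations and test packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OPENDNS = ("208.67.222.222", "208.67.220.220")  # resolvers quoted in the thread


@dataclass(frozen=True)
class Rule:
    action: str                               # "ALLOW" or "DENY"
    dst: Optional[str] = None                 # destination host/network, None = any
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any

    def matches(self, dst: str, dport: int) -> bool:
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


def decide(rules: List[Rule], dst: str, dport: int, default: str = "ALLOW") -> str:
    """First matching rule wins, as on the consumer router firewalls discussed;
    a packet that matches nothing gets the chain's default policy."""
    for rule in rules:
        if rule.matches(dst, dport):
            return rule.action
    return default


# Mike-Bracknell's cascade: ALLOW port 53 to the two OpenDNS resolvers, then DENY port 53 to anything.
DNS_LOCKDOWN: List[Rule] = [Rule("ALLOW", dst=ip, dport=(53, 53)) for ip in OPENDNS] + [
    Rule("DENY", dport=(53, 53))
]

# peterh337's three blocked ranges: below 53, above 443, and 81 to 442 inclusive.
PORT_RANGES: List[Rule] = [
    Rule("DENY", dport=(1, 52)),
    Rule("DENY", dport=(444, 65535)),
    Rule("DENY", dport=(81, 442)),
]


def iptables_lines(chain: str = "FORWARD") -> List[str]:
    """Render the DNS cascade as iptables commands for the router's forwarding chain
    (LAN to internet).  The ACCEPT rules are emitted before the DROP because the
    order in which they are appended is the order in which they are evaluated."""
    lines = []
    for proto in ("udp", "tcp"):
        for ip in OPENDNS:
            lines.append(f"iptables -A {chain} -p {proto} -d {ip} --dport 53 -j ACCEPT")
        lines.append(f"iptables -A {chain} -p {proto} --dport 53 -j DROP")
    return lines


if __name__ == "__main__":
    # A manually configured third-party resolver (mixture's bypass) is stopped; OpenDNS still works.
    print(decide(DNS_LOCKDOWN, "8.8.8.8", 53))          # DENY
    print(decide(DNS_LOCKDOWN, "208.67.222.222", 53))   # ALLOW
    # Caveat: a resolver reached over HTTPS on 443 is invisible to a port filter.
    print(decide(DNS_LOCKDOWN, "8.8.8.8", 443))         # ALLOW
    # Put the DENY first by mistake and OpenDNS is blocked too.
    print(decide(list(reversed(DNS_LOCKDOWN)), "208.67.222.222", 53))  # DENY
    # peterh337's ranges: DNS and web pass; NetBIOS (139), a common BitTorrent
    # port (6881) and also SSH (22) do not.
    print([decide(PORT_RANGES, "203.0.113.5", p) for p in (53, 80, 443, 139, 6881, 22)])
    print("\n".join(iptables_lines()))
```

The iptables output is a starting point rather than a paste-and-go script: the chain and the insert position depend on the router's existing rules, and on many firmwares the lines must be inserted (`-I`) ahead of the built-in LAN-to-WAN ACCEPT rather than appended, or they are never reached. The model also shows why the port-range approach is a blunt instrument: it cannot tell NetBIOS from any other service in 81-442, and it says nothing about what is carried inside 80 and 443.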

Milo Minderbinder
4th Feb 2013, 20:47
As far as I'm aware there has still not yet been a successful UK prosecution in which the owner of a wireless network has been found guilty of what others have downloaded on the network.
When it came to providing evidence, the copyright police have always caved in. They make their money by scaring people into compromising and paying up before it goes to court......
The biggest crook (sorry, lawyer) in the game got his wings clipped last year anyway, and was bankrupted after being caught indulging in legally incorrect practices: sending out thousands of threatening letters with no evidence to back them up.

mixture
4th Feb 2013, 21:25
Giving out the aforementioned OpenDNS servers via DHCP would then render any config change other than a mass 'hosts' file edit impractical.

Erm... Control Panel and change the DNS to manual whilst maintaining DHCP IP provision ? Not exactly rocket science to bypass DHCP DNS !

Mike-Bracknell
4th Feb 2013, 21:40
Erm... Control Panel and change the DNS to manual whilst maintaining DHCP IP provision ? Not exactly rocket science to bypass DHCP DNS !

....which then doesn't work as only the OpenDNS servers are allowed access to port 53 on the firewall at the router.

Saab Dastard
4th Feb 2013, 22:10
Mike, thanks for Tomato router. Focussing on large corporate IT I haven't come across it.

I admit I would have some wariness in replacing the firmware on my home router, though. If it all goes Pete Tong you are on your tod.

Installing it on an older piece of kit that's out of warranty and you intend to replace anyway - why not.

SD

Mike-Bracknell
4th Feb 2013, 22:17
Mike, thanks for Tomato router. Focussing on large corporate IT I haven't come across it.

I admit I would have some wariness in replacing the firmware on my home router, though. If it all goes Pete Tong you are on your tod.

Installing it on an older piece of kit that's out of warranty and you intend to replace anyway - why not.

SD

I'd even go a little further than that - I view it as something that sits between prosumer and enterprise (it's that good).

I run it on an Asus RT-N16 at home, which you can pick up for circa £60, and then with a bit of tweaking you have something that can run with low to mid range Cisco/Juniper kit and has a 140 Mbit/s firewall throughput (and a 480 MHz chip).

Stick that alongside PFSense, and you've got a pretty impressive firewall range for not much money.

mixture
5th Feb 2013, 07:58
you have something that can run with low to mid range Cisco/Juniper

Even low-end Juniper kit does more than basic packet filtering .... does your Tomato have any ALGs? Can your Tomato do "apply-path", candidate configs, "show | compare", "commit confirmed" and rollbacks? :E

Tomato is probably better than a cheap Cisco, but better than a Juniper ? No way ! :=

Mike-Bracknell
5th Feb 2013, 08:25
Even low-end Juniper kit does more than basic packet filtering .... does your Tomato have any ALGs? Can your Tomato do "apply-path", candidate configs, "show | compare", "commit confirmed" and rollbacks? :E

Tomato is probably better than a cheap Cisco, but better than a Juniper ? No way ! :=

- Yes
- No
- Not specifically
- It's GUI-configured in the main but has access to the Linux underside for commands if necessary
- See above x2

p.s. - never said it was better :)

Dont Hang Up
5th Feb 2013, 08:30
I have not read the whole thread, so forgive me if I am repeating something already said.

I have a Netgear router which specifically offers a "guest" WiFi network. This effectively separates your lodgers from your own computers and thus stops any unwanted snooping.

What I am not sure about is if the firewall and URL blocking functions which the router also offers can be configured differently for guest and main users (any guests of mine may be upset to find that they cannot use Tw@tter or Facebook).

Mike-Bracknell
5th Feb 2013, 08:35
I have not read the whole thread, so forgive me if I am repeating something already said.

I have a Netgear router which specifically offers a "guest" WiFi network. This effectively separates your lodgers from your own computers and thus stops any unwanted snooping.

What I am not sure about is if the firewall and URL blocking functions which the router also offers can be configured differently for guest and main users (any guests of mine may be upset to find that they cannot use Tw@tter or Facebook).

That really depends upon the functionality of the specific router in question.