Mesh Wifi with good parental controls: porn blacklisting

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
Currently have a gen 1 Google mesh wifi, and really do love it. It provides good coverage for my 3600 sq foot house (2 floors).
But my kids are getting to that age where we will begin having "the talk" and I want to get ahead of any curious Google searches. Any recommendations? Or is there some other option I'm missing? I really don't want to mess with software products.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
Currently have a gen 1 Google mesh wifi, and really do love it. It provides good coverage for my 3600 sq foot house (2 floors).
But my kids are getting to that age where we will begin having "the talk" and I want to get ahead of any curious Google searches. Any recommendations? Or is there some other option I'm missing? I really don't want to mess with software products.
Best way is DNS filtering with something like Pi-Hole.

https://raw.githubusercontent.com/c...lists/master/lists/pi_blocklist_porn_all.list

You could also use NextDNS and just set that in the router. The problem there is the child filter lists aren't going to be nearly as robust as a Pi-hole list that has been curated by the community.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
840
Assuming they are tech savvy keep in mind that you'll need to block all other DNS and that if they have phones turning off wifi makes your efforts moot.
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
Assuming they are tech savvy keep in mind that you'll need to block all other DNS and that if they have phones turning off wifi makes your efforts moot.
They are currently 7 and 9 and will not be having phones ANY time soon.

Best way is DNS filtering with something like Pi-Hole.

https://raw.githubusercontent.com/c...lists/master/lists/pi_blocklist_porn_all.list

You could also use NextDNS and just set that in the router. The problem there is the child filter lists aren't going to be nearly as robust as a Pi-hole list that has been curated by the community.
Both good options, but at least the pi-hole option seems, in terms of cost, close to a new wifi system. Which, you know, upgrade itch.
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
Where there's a will, there's a way.
As a reasonably tech savvy parent, I look forward to that arms race.

But for now, I'm not really worried about them searching out porn, but more along the lines of 'innocent' searches following up on conversations we have. Just want to put some barriers in the way of the most hard core stuff just in case.
 

Westwood

Supreme [H]ardness
Joined
Nov 17, 2012
Messages
7,215
Understood. As a parent myself, I'll have this barrier before long. My kid is still young though. I'm probably the least tech savvy person on [H], so I don't have any decent options. I just think that the more you try to limit access, the more they'll try to get it. Not sure if that makes sense.

I digress. =]
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
They are currently 7 and 9 and will not be having phones ANY time soon.


Both good options, but at least the pi-hole option seems, in terms of cost, close to a new wifi system. Which, you know, upgrade itch.
A Raspberry Pi is all you need. $100 tops for the starter kit which has everything you need. A lot less than a new mesh system.
 

vxspiritxv

[H]ard|Gawd
Joined
Feb 10, 2001
Messages
1,574
Chrome (should you be using it) bypasses dns now going to their own servers over https/spdy. Have to disable that or use a different browser. Ur prob better off getting some paid nannyware software that takes screenshots every X seconds. Decently sure I saw porn at 8. Good luck lol
 

philb2

Gawd
Joined
May 26, 2021
Messages
839
I'm glad my kids are now 40ish.

I do remember that when my son was about 16, his friend's laptop had issues, so I looked at it. Full of viruses and porn.
 

Nobu

[H]F Junkie
Joined
Jun 7, 2007
Messages
8,524
I was putting porn filters up AND bypassing them when I was a kid...I also watched the windows 3.1 install process because I thought it was fun.
 

FSCDiablo

Limp Gawd
Joined
Jul 3, 2003
Messages
344
I don't use parental controls, but Netgear's Orbi mesh Wi-Fi has it built in. I bought the router/2 satellites version in a 3500 sq/ft 2 story and had to really spread out the routers to get all of my devices to spread out across them. That is, good range on them, so you might get by fine on a router/1 sat system. These three cover almost 4 acres of my place.
 

Red Falcon

[H]F Junkie
Joined
May 7, 2007
Messages
11,584
A Raspberry Pi is all you need. $100 tops for the starter kit which has everything you need. A lot less than a new mesh system.
Sadly, the lowest cost Raspberry Pi 4 available is around $130 USD, and the 8GB RAM models are going for upwards of $200, assuming they can even be found.
Starter kits are going for around $140 to $280.

Good suggestion, bad era for Raspberry Pi availability. 🪦
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
I don't use parental controls, but Netgear's Orbi mesh Wi-Fi has it built in. I bought the router/2 satellites version in a 3500 sq/ft 2 story and had to really spread out the routers to get all of my devices to spread out across them. That is, good range on them, so you might get by fine on a router/1 sat system. These three cover almost 4 acres of my place.
Yea, turns out mine does too. It's just buried in the one bad part of the Google Mesh system: the phone-only UI. Did a quick test, and it looks like it reasonably works.
Sadly, the lowest cost Raspberry Pi 4 available is around $130 USD, and the 8GB RAM models are going for upwards of $200, assuming they can even be found.
Starter kits are going for around $140 to $280.

Good suggestion, bad era for Raspberry Pi availability. 🪦
This is what I noticed too. A Pi plus case, power, ram, etc got up to $300-400 real quick.
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,695
Do you have an old system that you can host VM on? You also don't need the latest and greatest PI Model. Look for something used.
 

Red Falcon

[H]F Junkie
Joined
May 7, 2007
Messages
11,584
Do you have an old system that you can host VM on? You also don't need the latest and greatest PI Model. Look for something used.
The cheapest used Raspberry Pi units are going for 2-3x the cost of a new one, and these aren't the latest and greatest models...
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
Then run PI-Hole off of this. It takes little to no resources :)

Bingo!

You can absolutely run Pi-Hole off a VM. My Pi-hole server is bare metal but it is only taking up 317MiB of RAM on Ubuntu 22.04.

Once you get it up and running you will see visions of cell phones and iPads connecting to a home-based VPN for filtering and security when away from the mother ship...

Your poor kids though...no pr0n anywhere! ;)

I joke though. I already filter that shit and the eldest of my three kids is 10! LOL
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,695
Bingo!

You can absolutely run Pi-Hole off a VM. My Pi-hole server is bare metal but it is only taking up 317MiB of RAM on Ubuntu 22.04.

Once you get it up and running you will see visions of cell phones and iPads connecting to a home-based VPN for filtering and security when away from the mother ship...

Your poor kids though...no pr0n anywhere! ;)

I joke though. I already filter that shit and the eldest of my three kids is 10! LOL
This is my next step, LOL, now that the Pixel 6 for me and my wife supports Tmo's "real" C-Band 5G :)
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
This is my next step, LOL, now that the Pixel 6 for me and my wife supports Tmo's "real" C-Band 5G :)

Tasker is your best friend on Android. Disconnect from home WiFi -> auto-connect to home VPN. iOS blows in that respect though. No way to auto connect so I have to deal with all the manual bullshit everywhere on the kid devices. The wife's iPhone I have pointed to NextDNS at all times.
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,695
Tasker is your best friend on Android. Disconnect from home WiFi -> auto-connect to home VPN. iOS blows in that respect though. No way to auto connect so I have to deal with all the manual bullshit everywhere on the kid devices. The wife's iPhone I have pointed to NextDNS at all times.
Android for life. Never will cross to the dark side :)
 

hity645

Supreme [H]ardness
Joined
May 11, 2005
Messages
7,609
I have an Unraid server that can host VMs.
I installed a NIC I grabbed off ebay ($10) to passthrough to an Ubuntu VM running Pihole giving it a static IP address along the way.
I haven't done it yet, but on your router you'd just update your DNS to the Pihole. Or configure each device to use the pihole as DNS. I'm currently doing this to test it out on a few machines before I go network wide.
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
I installed a NIC I grabbed off ebay ($10) to passthrough to an Ubuntu VM running Pihole giving it a static IP address along the way.
I haven't done it yet, but on your router you'd just update your DNS to the Pihole. Or configure each device to use the pihole as DNS. I'm currently doing this to test it out on a few machines before I go network wide.
I am not big on networking, so I'm going to have to do my research on this. This seems like an easy solution. My only issue is that the unRAID box is in a separate room from my router.
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
I installed a NIC I grabbed off ebay ($10) to passthrough to an Ubuntu VM running Pihole giving it a static IP address along the way.
I haven't done it yet, but on your router you'd just update your DNS to the Pihole. Or configure each device to use the pihole as DNS. I'm currently doing this to test it out on a few machines before I go network wide.
I guess what I'm thinking, based on your post, is that if I point my router at the pi hole instance running in a VM on my server, all the devices in my home will check with that pi hole instance for DNS lookup?
So, pi hole maintains its own whitelist and blacklist?
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,695
I guess what I'm thinking, based on your post, is that if I point my router at the pi hole instance running in a VM on my server, all the devices in my home will check with that pi hole instance for DNS lookup?
So, pi hole maintains its own whitelist and blacklist?
In your router config you change your DNS servers from DHCP to static and point it to your Pi-Hole server's IP address. This way clients get the correct DNS server via DHCP. You change it once and that's it.
 

hity645

Supreme [H]ardness
Joined
May 11, 2005
Messages
7,609
I guess what I'm thinking, based on your post, is that if I point my router at the pi hole instance running in a VM on my server, all the devices in my home will check with that pi hole instance for DNS lookup?
So, pi hole maintains its own whitelist and blacklist?
Pretty much, Yep.

Any device on your network set up for DHCP typically hits the router (or DHCP server) first for DNS. Most home routers just use the default or your ISP's. Telling your router "no, I do not want it dynamically looked up, here is the DNS server" means all DNS requests hit the Pihole first. Pihole checks the list(s) and denies or allows the connection. You'd want to set up your primary DNS as the pihole static IP and the secondary as whatever (ISP's, Google or Cloudflare DNS), just in case your pihole dies or gets powered off.

I've read that it can cause issues if you have, say, a Firestick or other WiFi devices. So there are some growing pains after implementing (which is why I haven't set it up network wide yet). You'll have to check the logs and see which device is making a request and whitelist it to restore any normal function that may have been lost. Or whitelist that device's IP. Just takes a little bit of time.
 

Modred189

Can't Read the OP
Joined
May 24, 2006
Messages
15,708
Pretty much, Yep.

Any device on your network set up for DHCP typically hits the router (or DHCP server) first for DNS. Most home routers just use the default or your ISP's. Telling your router "no, I do not want it dynamically looked up, here is the DNS server" means all DNS requests hit the Pihole first. Pihole checks the list(s) and denies or allows the connection. You'd want to set up your primary DNS as the pihole static IP and the secondary as whatever (ISP's, Google or Cloudflare DNS), just in case your pihole dies or gets powered off.

I've read that it can cause issues if you have, say, a Firestick or other WiFi devices. So there are some growing pains after implementing (which is why I haven't set it up network wide yet). You'll have to check the logs and see which device is making a request and whitelist it to restore any normal function that may have been lost. Or whitelist that device's IP. Just takes a little bit of time.
Lots of wifi devices. Fire sticks, Google home devices (minis and alarm clocks), smart TVs etc. Thanks for the heads up.
 

kydsid

Supreme [H]ardness
Joined
Mar 9, 2006
Messages
5,741
Fwiw, pihole on Unraid was my previous network setup. Did indeed have some growing pains but worked. Have since moved on to another solution but for the OP it will do what you want for sure.

I did the pihole btw after buying an orbi with circle parental controls. God don't bother with that charlie foxtrot anyone here. For your family that asks, maybe but it's hot garbage with a sub cost for any decent features.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
I guess what I'm thinking, based on your post, is that if I point my router at the pi hole instance running in a VM on my server, all the devices in my home will check with that pi hole instance for DNS lookup?
So, pi hole maintains its own whitelist and blacklist?
Correct. I ran mine like this (minus the VM) for a long time. On my Google WiFi I set the DNS to point to the IP of the Pi-hole (in my case it was a 192.168.x.x IP). Blacklist and Whitelist are both stored on the Pi-hole and you can add more filter lists for just about anything. I use quite a few from the gentleman here: https://www.github.developerdan.com/hosts/

I don't agree with hity645 about adding a normal public DNS as your secondary. With an open secondary DNS like that, some devices will bounce to it if they can't connect via the first. So you just need a primary. However, in your case, if you want redundancy, spin up TWO pi-hole VMs and set one as primary and one as secondary. I ran my system like that for a while with my secondary being another PI-hole instance running on the system that was also my VPN at the time. Nowadays my network is quite different so I only have a primary for the moment.

This is a good write up on how to do the setup. Just skip the Raspberry Pi piece and jump straight to the Setting Up Pi-hole chunk. https://github.com/notasausage/pi-hole-unbound-wireguard
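To make the "Blacklist and Whitelist are both stored on the Pi-hole" point concrete, and to show how a community list like the one Vermillion linked earlier is actually applied, here is a small Python model of a Pi-hole's per-query decision. This is an added example written for this thread, not Pi-hole's own code: the adlist, whitelist and regex entries are constructed samples (they are not the contents of the real pi_blocklist_porn_all.list), and the two-tier behaviour it mimics is that adlist ("gravity") entries match the queried name exactly, a regex entry is what covers subdomains, and a whitelist hit wins over both.

```python
"""Simplified model of a Pi-hole's per-query decision: adlist ("gravity")
domains match exactly, regex entries cover subdomains, whitelist wins.
Added example for this thread, not Pi-hole's own code."""
import re
from dataclasses import dataclass, field

# Constructed sample adlist: NOT the contents of the real pi_blocklist_porn_all.list.
# Community lists mix hosts-format lines ("0.0.0.0 domain") with bare domains.
SAMPLE_ADLIST = """\
# comment lines and blank lines are skipped
0.0.0.0 adult-example.test
127.0.0.1 ads.tracker.test   # trailing comment
bare-domain.test
0.0.0.0 localhost
"""

# Constructed local lists, the kind you maintain on the Pi-hole itself.
SAMPLE_WHITELIST = {"ads.tracker.test"}                 # restores a broken device
SAMPLE_REGEX_BLOCK = [r"(^|\.)adult-example\.test$"]    # domain plus all subdomains

HOSTS_PREFIXES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_adlist(text: str) -> set[str]:
    """Extract domains from a hosts-style or domain-per-line blocklist."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format: "<ip> <domain> [<domain> ...]"; bare format: "<domain>"
        names = parts[1:] if parts[0] in HOSTS_PREFIXES and len(parts) > 1 else parts[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name and name != "localhost":  # never let a list block localhost
                domains.add(name)
    return domains


@dataclass
class PiholeModel:
    gravity: set[str]                                   # domains from all adlists
    whitelist: set[str] = field(default_factory=set)    # exact domains, highest priority
    regex_block: list[str] = field(default_factory=list)

    def decide(self, qname: str) -> tuple[str, str]:
        """Return ("allow" | "block", reason) for one queried name."""
        name = qname.lower().rstrip(".")
        if name in self.whitelist:
            return ("allow", "whitelist")
        if name in self.gravity:
            return ("block", "gravity")
        for pattern in self.regex_block:
            if re.search(pattern, name):
                return ("block", "regex")
        return ("allow", "not listed")


def build_model() -> PiholeModel:
    """Assemble the model from the constructed sample lists above."""
    return PiholeModel(parse_adlist(SAMPLE_ADLIST), set(SAMPLE_WHITELIST), list(SAMPLE_REGEX_BLOCK))


if __name__ == "__main__":
    model = build_model()
    for q in ["adult-example.test", "www.adult-example.test", "bare-domain.test",
              "cdn.bare-domain.test", "ads.tracker.test", "example.org"]:
        print(f"{q:28} -> {model.decide(q)}")
```

The case worth noticing is `cdn.bare-domain.test`: it is allowed even though `bare-domain.test` is on the list, because an exact entry does not cover subdomains. That is why a curated list is so large, and why the regex entry (or a wildcard-style list) is the tool for "this whole domain and everything under it". The whitelist check runs first, which is the mechanism behind "check the logs and whitelist it" when a Firestick or smart TV breaks.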
 

hity645

Supreme [H]ardness
Joined
May 11, 2005
Messages
7,609
Correct. I ran mine like this (minus the VM) for a long time. On my Google WiFi I set the DNS to point to the IP of the Pi-hole (in my case it was a 192.168.x.x IP). Blacklist and Whitelist are both stored on the Pi-hole and you can add more filter lists for just about anything. I use quite a few from the gentleman here: https://www.github.developerdan.com/hosts/

I don't agree with hity645 about adding a normal public DNS as your secondary. With an open secondary DNS like that, some devices will bounce to it if they can't connect via the first. So you just need a primary. However, in your case, if you want redundancy, spin up TWO pi-hole VMs and set one as primary and one as secondary. I ran my system like that for a while with my secondary being another PI-hole instance running on the system that was also my VPN at the time. Nowadays my network is quite different so I only have a primary for the moment.

This is a good write up on how to do the setup. Just skip the Raspberry Pi piece and jump straight to the Setting Up Pi-hole chunk. https://github.com/notasausage/pi-hole-unbound-wireguard
That's a good point. I set my backup to a public DNS after my son decided to simulate a power failure on my server. Until pihole came back up I couldn't do diddly on my PC. I chalked that up to growing pains, haven't attempted any other scenario yet. (Mostly because Netgear released a firmware update last month that bricked web interfaces and their app login, that was recently fixed). Sometime in the next 30 days I will be turning it on network wide.
 

kydsid

Supreme [H]ardness
Joined
Mar 9, 2006
Messages
5,741
after my son decided to simulate a power failure on my server. Until pihole came back up I couldn't do diddly on my PC.

lol this is why I moved away from server hosted VM and to a bare metal with UPS all housed inside a locked network cabinet :D The UPS powers the gateway, central switch and modem, will run that for almost 2 hours before powering down. I hope that outlasts the little bastards' patience. We will see.
 

Nobu

[H]F Junkie
Joined
Jun 7, 2007
Messages
8,524
lol this is why I moved away from server hosted VM and to a bare metal with UPS all housed inside a locked network cabinet :D The UPS powers the gateway, central switch and modem, will run that for almost 2 hours before powering down. I hope that outlasts the little bastards' patience. We will see.
Don't mention the Lock Picking Lawyer around him and you might be okay. ;)
 

kydsid

Supreme [H]ardness
Joined
Mar 9, 2006
Messages
5,741
Don't mention the Lock Picking Lawyer around him and you might be okay. ;)

If they figure out how to pick the locks (which won't be from home because that's a web filtered topic, and we have no cell signal), or figure out that the network cabinet panel blocked by the server isn't locked and they only have to move the tower server and pull the panel, they deserve the next step, which is to get console access to the gateway. Good luck to them at that point. I'll be mad and proud at the same time. :D
 

hity645

Supreme [H]ardness
Joined
May 11, 2005
Messages
7,609
lol this is why I moved away from server hosted VM and to a bare metal with UPS all housed inside a locked network cabinet :D The UPS powers the gateway, central switch and modem, will run that for almost 2 hours before powering down. I hope that outlasts the little bastards' patience. We will see.
I have it running on a VM for now because I wanted to test out a few builds. If I like pihole long term, I've got a Pi3 with its name on it.

Server is sitting on a box in my office and the little one ran over and pressed the power button. Elsewise it's not an issue. Typically if the power goes out, the internet is down too so slapping everything on a UPS would do no good in my situation.
 

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
3,910
I second/third the recommendation for PiHole as the easiest option, since the community lists are better than most commercial products. Or you can go one step further and set up pfSense with pfBlockerNG/DNSBL, but that would take considerably more time if you needed to set it up from scratch. In any case, you still need a decent enough firewall to prevent DNS lookups from anything except your PiHole. This might break smart TVs and devices that have hardcoded DNS servers, so you'll have to check the logs and maybe put a rule ahead for them to just do what they want. Or, if your firewall is good enough, NAT/redirect/proxy all udp-53 traffic back to the PiHole.

For all their PCs, turn off DoH (secure DNS) on all installed browsers. Chrome and Firefox have that in the settings. Depending on their aptitude, they may have the ability to turn it back on though. More advanced firewalls (like pfSense) have the ability to block some of that, but it's not a perfect science.

And finally, I hope they don't figure out how to use public VPNs....
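Nicklebon's "you'll need to block all other DNS" and Valnar's "check the logs" both come down to the same question: which clients are sending DNS anywhere other than the Pi-hole? Below is an added Python example, written for this thread rather than taken from any project, that answers it from firewall log lines. The lines are constructed samples in the key=value layout of the netfilter LOG target, the Pi-hole address 192.168.1.10, the LAN prefix 192.168.1. and the "FWD-DNS"/"FWD-WEB" log prefixes are placeholders, and the only assumption about your setup is that the gateway logs forwarded traffic in that style.

```python
"""Spot LAN clients whose DNS goes anywhere but the Pi-hole, from
netfilter-style LOG lines.  Added example for this thread; the log lines
are constructed and the addresses are placeholders."""
import re
from collections import defaultdict

PIHOLE_IP = "192.168.1.10"      # assumed Pi-hole address (placeholder)
LAN_PREFIX = "192.168.1."       # assumed LAN subnet (placeholder)

# Constructed sample lines in the key=value layout of the netfilter LOG target
# (the "FWD-DNS"/"FWD-WEB" prefixes and interface names are placeholders).
SAMPLE_LOG = """\
Jun  1 20:01:02 gw kernel: FWD-DNS IN=br0 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53 LEN=52
Jun  1 20:01:03 gw kernel: FWD-DNS IN=br0 OUT=eth0 SRC=192.168.1.42 DST=8.8.4.4 PROTO=UDP SPT=51235 DPT=53 LEN=48
Jun  1 20:01:05 gw kernel: FWD-DNS IN=br0 OUT=br0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=UDP SPT=40001 DPT=53 LEN=60
Jun  1 20:01:07 gw kernel: FWD-DNS IN=br0 OUT=eth0 SRC=192.168.1.91 DST=1.1.1.1 PROTO=TCP SPT=44444 DPT=53 LEN=80
Jun  1 20:01:09 gw kernel: FWD-WEB IN=br0 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443 LEN=120
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line: str) -> dict[str, str]:
    """Turn the 'KEY=value' tokens of one LOG line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_dns_bypass(log_text: str, pihole_ip: str = PIHOLE_IP,
                    lan_prefix: str = LAN_PREFIX) -> dict[str, list[str]]:
    """Map each LAN client that sent port-53 traffic to a non-Pi-hole resolver
    to the sorted list of resolvers it used.  Only classic DNS is visible here:
    DoH rides on 443 and is indistinguishable by port, which is why the
    browser-side DoH switch matters."""
    offenders: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("DPT") != "53" or f.get("PROTO") not in ("UDP", "TCP"):
            continue
        src, dst = f.get("SRC", ""), f.get("DST", "")
        if not src.startswith(lan_prefix) or dst == pihole_ip:
            continue                      # not a LAN client, or it used the Pi-hole
        offenders[src].add(dst)
    return {client: sorted(dsts) for client, dsts in offenders.items()}


def report(offenders: dict[str, list[str]]) -> str:
    """Plain-text summary to eyeball before adding a per-device rule or a redirect."""
    if not offenders:
        return "no clients bypassing the Pi-hole"
    return "\n".join(f"{client} -> {', '.join(dsts)}" for client, dsts in sorted(offenders.items()))


if __name__ == "__main__":
    print(report(find_dns_bypass(SAMPLE_LOG)))
```

Run against the sample, it reports .42 talking to Google's resolvers and .91 to Cloudflare's over TCP, while .77 (which used the Pi-hole) and the 443 line are ignored. Those are the devices Valnar says to look for: either they get a per-device exception or, as he suggests, the gateway redirects all port-53 traffic to the Pi-hole so their hardcoded resolver stops mattering. The 443 line is the caveat: DoH looks like ordinary HTTPS here, so this check cannot see it.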
 

kydsid

Supreme [H]ardness
Joined
Mar 9, 2006
Messages
5,741
And finally, I hope they don't figure out how to use public VPNs....

Trying to block everything at your gateway is going to be a never ending arms race. At some point you have to assume that if all you are using is some sort of web filtering, DNS, IPSec or etc., it will be bypassed by your kids. VPN is a good example where it's better to control the endpoint and prevent the install of the software, use of the hash or cert used by the offending software (Ultrasurf comes to mind here) than it will be to try to keep ahead of it at the gateway. That's not to say there aren't products out there that are better at doing this than piHole, they just cost more money. piHole is the best community oriented version. Next step up is UTM of some variation.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,533
It's always interesting to read these threads. No one ever thinks about the 'easier target' situation--go to a friend's house where their parents don't have anything locked down. :D



And then there's reddit's subs that have some really good sh...err...lots of adult content. :ROFLMAO::ROFLMAO:
 