
Thursday, December 28, 2017

Setting up an EdgeRouter -- Blocking by device and time

In my last post, I described the initial setup of my new EdgeRouter X by Ubiquiti.  I connected it to my ISP and pointed it to OpenDNS as the DNS server.  Now I am going to set up a rule that blocks internet access for specific devices at specific times.  This way, I can effectively turn off the internet for my kids' devices overnight without turning off my own internet access.  Plus, each kid can have a different schedule.  If I want to take away internet access as a punishment, I can easily do this by changing the settings for that kid's rule.

First Failed Attempt
As an aside, on my first attempt, I managed to block all traffic on my internal network.  I created a ruleset that dropped all packets as a default action.  I turned it on for the interface for the switch and immediately lost connection to the router.  The only way to fix it was to reset the device to factory settings and start over.  Doh!

Resetting the Router
There are several ways to reset the router.  I tried simply holding in the reset button while the device was powered on.  This did not seem to do anything.  In order to get the reset to work, I had to push in the reset button, then plug in the power until the reset sequence finished.

One other thing.  After I changed the IP address of the switch to 0.1, I had to plug the cable from my PC into port eth1 on the switch.  It took me a few minutes to figure out why I could not connect to the switch while plugged in to port eth0 after it was configured to connect to the internet on port eth0.  Maybe this will help someone who reads this blog.

Configuring the Router to Block Traffic
Here are the steps I followed to configure the router.

After logging in to the device, I clicked on the Firewall/NAT button and then the Firewall Policies tab.

I clicked on the "Add Ruleset" button and created a new ruleset named "Blocking".  This ruleset will contain all of the rules for each device I want to block on my network.  The default action is set to Accept all traffic.  This way, all traffic is allowed by default.  The firewall will only block traffic for specific rules.  The mistake I made was to set the Default Action to Drop.



After saving the new ruleset, I clicked on the Actions dropdown for the new Blocking ruleset and chose the Interfaces option.  I set the Interface to eth0 and the Direction to out.  The ruleset was now finished after saving it.



The next step was to create a default rule.  I clicked on the Actions dropdown and chose "Edit Ruleset".  Next, I clicked on the "Add New Rule" button.  On the Basic tab, I entered a description that was for the device I wanted to block.  The Enable box was checked by default.  Drop was selected as the Action.  (Reject would have also worked.)  The "All protocols" radio button was selected.  I did not choose logging because I don't want an entry in the log for every blocked packet.  Here is a screen shot of the settings.


That is it for the Basic tab.  Nothing needs to be set on the Advanced tab. 

The MAC address of the device to block is entered on the Source tab.  I could also use the IP address to identify the device, but that is easy for a kid to change.  In theory, the MAC address can also be spoofed to get around the rules.  If I find out that they are doing that, I will have to drop all packets by default and make rules to allow traffic by specific MAC address.


Finally, the time to block the device is entered on the Time tab.  In this case, I wanted to block traffic from this device from midnight to 4am every day.  I could have blocked traffic for certain days and could even make multiple rules for the same device to have different times during the week and on weekends.


That is it.  Now that I have one rule made, I can use the Actions button to copy the rule and simply change the MAC address and time for each kid's device.
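The same ruleset entered from the EdgeOS command line instead of the web UI, as an added example that is not part of the original post.  The MAC addresses, rule numbers and descriptions are placeholders; it assumes eth0 is the internet-facing interface as in the post, and adds a second, weekday-only rule to show the "certain days" option mentioned above.

```vyatta
configure

# The ruleset accepts everything by default; only the explicit rules drop.
# (Setting default-action to drop here is what locked the author out.)
set firewall name Blocking default-action accept
set firewall name Blocking description "Per-device time-based blocking"

# Rule 10: kid 1's tablet, blocked from midnight to 4am every day.
# The MAC address is a placeholder; copy the real one from the DHCP leases.
set firewall name Blocking rule 10 description "Kid 1 tablet overnight"
set firewall name Blocking rule 10 action drop
set firewall name Blocking rule 10 protocol all
set firewall name Blocking rule 10 source mac-address 00:11:22:33:44:55
set firewall name Blocking rule 10 time starttime 00:00:00
set firewall name Blocking rule 10 time stoptime 04:00:00

# Rule 20: kid 2's laptop, blocked until 06:30 on school-day mornings only.
# Keep each window inside one calendar day when combining it with weekdays:
# the weekday test is applied to the current moment, so a window that
# crosses midnight would need the following day listed as well.
set firewall name Blocking rule 20 description "Kid 2 laptop school mornings"
set firewall name Blocking rule 20 action drop
set firewall name Blocking rule 20 protocol all
set firewall name Blocking rule 20 source mac-address 66:77:88:99:aa:bb
set firewall name Blocking rule 20 time starttime 00:00:00
set firewall name Blocking rule 20 time stoptime 06:30:00
set firewall name Blocking rule 20 time weekdays Mon,Tue,Wed,Thu,Fri

# Apply the ruleset to traffic leaving the WAN interface (eth0, direction out),
# matching the Interfaces setting chosen in the web UI above.
set interfaces ethernet eth0 firewall out name Blocking

commit
save
exit
```

After the commit, `show firewall name Blocking statistics` in operational mode shows per-rule packet counters, so you can confirm a rule is actually matching the intended device before relying on the schedule.  Also check the router's clock and time zone with `show date`, since the time match depends on them.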
