Re: Limit internet connection by time of day and number of hours

2017-07-08 Thread Steve Shockley

On 7/5/2017 6:19 PM, Stefan Wollny wrote:

Please: I am just curious and interested to learn about my (realistic)
options.


I had a problem where a member of the household would spend too much 
time watching Netflix.  Rather than blocking the traffic, I just 
degraded it.  Your case is a little different, but this may be useful.


I no longer have the rules enabled, but I think this is what I had:

table  { 64.120.128.0/17 66.197.128.0/17 192.173.64.0/18 \
        198.45.48.0/20 108.175.32.0/20 198.38.96.0/19 23.246.0.0/18 \
        45.57.0.0/17 54.236.0.0/15 23.20.0.0/14 }

# Throttle rules
queue rootqv2 on vlan2 bandwidth 1000M min 1M max 1000M
   queue mainv2 parent rootqv2 bandwidth 1000M min 1M max 1000M qlimit 100 default
   queue netflixv2 parent rootqv2 bandwidth 50K min 0K max 100K burst 10M for 1ms qlimit 10


match out to  \
   set queue netflixv2 set prio 5
match in from  \
   set queue netflixv2 set prio 5

match out proto tcp from any port 443 to 10.0.2.53 \
   set queue netflixv2 set prio 5
match in proto tcp from 10.0.2.53 to port 443 \
   set queue netflixv2 set prio 5

The main match was for traffic to Netflix's servers; the other was 
because Netflix uses AWS for iPad traffic, so that was her iPad's address.


The result was hilarious.  Movies would start out in high-def, and run 
for a few minutes.  Then Netflix would start downgrading the video.  It 
would actually run for some time with absolutely awful video and audio 
before buffering; I was impressed by the app's response to terrible 
bandwidth.


Of course, this didn't really solve the underlying problem, and I didn't 
expect it to.


Anyway, others have mentioned using cron scripts to manage rules by 
time.  You can maybe work around the static IP issue by setting up a 
required VPN or authpf, or blocking direct access and using a proxy. 
That'll at least work until they tether a phone, hack the neighbor's 
wireless, or remember the game system has a web browser.

Re: Limit internet connection by time of day and number of hours

2017-07-08 Thread Eric Johnson

I'm at a small ISP.  One thing we do is provide free Internet to the kids
at the city park.  We start it at 8 am in the morning and shut it off
around dark.

My approach was just to add the park access point's IP address to the
shutoff table (for people who need to come pay their bills) every night
and then delete the IP address at 8 am.

Eric
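The cron-driven approach described by Eric and Steve above (add a host to a pf table at one time of day, delete it at another) can be extended to cover Stefan's daily-hours quota. The script below is an added example written for this thread, not code posted by any participant; it assumes a pf table named <blocked> referenced by a "block out quick on egress from <blocked>" rule, a hypothetical policy file listing "host window-start window-end quota-minutes" per line, and a cron period that matches INTERVAL_MIN. The pfctl command is taken from a variable so the decision logic can be exercised offline with a stub.

```shell
#!/bin/sh
# Constructed example (not from the thread): a cron-driven access window plus a
# daily quota, enforced by adding/removing a host from a pf table.
#
# Assumed pf.conf (hypothetical table name <blocked>):
#   table <blocked> persist
#   block out quick on egress from <blocked> to any
#
# Assumed crontab entry, one run per INTERVAL_MIN minutes:
#   */5 * * * * /usr/local/sbin/netquota.sh /etc/netquota.policy
#
# Policy file format (hypothetical, one host per line):
#   <ip> <window-start HHMM> <window-end HHMM> <daily-quota-minutes>

PFCTL=${PFCTL:-pfctl}               # override with a stub when testing offline
TABLE=${TABLE:-blocked}             # assumed pf table name
STATE_DIR=${STATE_DIR:-/var/db/netquota}
INTERVAL_MIN=${INTERVAL_MIN:-5}     # must match the cron period

# in_window NOW START END: succeeds when START <= NOW < END (all HHMM, same day).
# test(1) compares these as decimal integers, so leading zeros are harmless.
in_window() {
    [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]
}

# quota_used HOST DAY: print minutes consumed by HOST on DAY (0 if none recorded).
quota_used() {
    f="$STATE_DIR/$1.$2"
    if [ -f "$f" ]; then cat "$f"; else echo 0; fi
}

# quota_charge HOST DAY: record one more INTERVAL_MIN slice for HOST on DAY.
quota_charge() {
    mkdir -p "$STATE_DIR"
    used=$(quota_used "$1" "$2")
    echo $((used + INTERVAL_MIN)) > "$STATE_DIR/$1.$2"
}

# decide HOST NOW DAY START END QUOTA: print "allow" or "block".
# An allow charges the quota, so a host inside its window is allowed for at
# most QUOTA minutes per day; outside the window it is blocked regardless.
decide() {
    host=$1; now=$2; day=$3; start=$4; end=$5; quota=$6
    used=$(quota_used "$host" "$day")
    if in_window "$now" "$start" "$end" && [ "$used" -lt "$quota" ]; then
        quota_charge "$host" "$day"
        echo allow
    else
        echo block
    fi
}

# apply HOST VERDICT: keep the pf table in sync with the verdict.
# Adding a host to the table does not kill its existing states; a stream that
# is already flowing continues until its state expires (see pfctl -k).
apply() {
    case $2 in
        allow) $PFCTL -t "$TABLE" -T delete "$1" >/dev/null 2>&1 ;;
        block) $PFCTL -t "$TABLE" -T add "$1" >/dev/null 2>&1 ;;
    esac
}

# main POLICYFILE: evaluate every policy line against the current clock.
main() {
    now=$(date +%H%M); day=$(date +%Y%m%d)
    while read -r host start end quota; do
        case $host in ''|'#'*) continue ;; esac
        apply "$host" "$(decide "$host" "$now" "$day" "$start" "$end" "$quota")"
    done < "$1"
}

# Only act when a policy file is given, so the functions can be sourced for testing.
case $# in 0) ;; *) main "$1" ;; esac
```

The state files are one per host and day, so old ones should be pruned periodically. Two caveats from the thread still apply: the host is identified by IP address, which a DHCP reservation does not pin down (anyone can set a static address, as Stuart notes), and a block added to the table leaves already-established states alive unless they are killed with pfctl -k or with an overload rule like Maxim's.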



Re: Limit internet connection by time of day and number of hours

2017-07-07 Thread Stuart Henderson
On 2017-07-06, Maxim Bourmistrov  wrote:
>
> Hey,
> I have a somewhat similar situation at home.
> However, I never found a straightforward setup.
>
> I can do a manual BLOCK OUT with a script, and probably, if I’d link this
> script to a cron, I’d somehow get the setup you are after.
>
> I do depend on dhcpd giving out a static IP to a given MAC and thus
> I don’t expect kids to take over MACs on the LAN.
> They are not there yet :)

By doing something like this you encourage them (not that this is a bad thing 
:-)
Lack of access to internet is quite motivating.

Of course they don't need to take over a MAC, just set a static address.

Putting them on a separate vlan (or completely separate switch) is another way.

> Following I have in pf.conf. Script is up to you (or I can share privately
> what I have).
>
> table  persist
>
> ### block machines out
> block out quick on egress tagged BLOCK
> pass out quick on egress from  to any nat-to (egress:0) keep state \
> (max-src-conn 1, max-src-conn-rate 1/1, overload  flush global) tag BLOCK
>
>
> Script adds addresses to  .
>  - really, as name implies, not defined at all, anywhere in pf.conf.

Ha, overload - that's a cunning trick to avoid using "pfctl -k" :)




Re: Limit internet connection by time of day and number of hours

2017-07-06 Thread Maxim Bourmistrov

Hey,
I have a somewhat similar situation at home.
However, I never found a straightforward setup.

I can do a manual BLOCK OUT with a script, and probably, if I’d link this script
to a cron, I’d somehow get the setup you are after.

I do depend on dhcpd giving out a static IP to a given MAC and thus
I don’t expect kids to take over MACs on the LAN.
They are not there yet :)

Following I have in pf.conf. Script is up to you (or I can share privately what I
have).

table  persist

### block machines out
block out quick on egress tagged BLOCK
pass out quick on egress from  to any nat-to (egress:0) keep state \
(max-src-conn 1, max-src-conn-rate 1/1, overload  flush global) tag BLOCK


Script adds addresses to  .
  - really, as name implies, not defined at all, anywhere in pf.conf.

Br
Mxb

> 6 juli 2017 kl. 00:19 skrev Stefan Wollny :
> 
> Hi there!
> 
> "Security" means to constantly re-evaluate your options and processes -
> right? So the other day I checked the settings in the Fritz!Box router
> and remembered that they had implemented a time quota for a defined
> group of users (=IPs).
> 
> Example: My young son has a tablet and a mobile phone (both Android) and
> has access to the internet with any device within a defined time frame
> and an overall maximum of x hours, individually set for each day of the
> week. In the rare cases that he needs more time he uses the joker named
> "Mama" ... ;-) (Side note: Just like pocket money the allowed time is
> regularly revised for age and experience - not behaviour!)
> 
> Consider other situations where you'd like to meet your responsibilities:
> - There may be usual office times from 06:30 am to 21:00 pm (some people
> like to work early, others late): Outside of this time frame access to
> the internet may not be acceptable (with rare exceptions) - or might mean
> that a machine is hijacked to be a part of a bot or to do some bitcoin
> calculations... whatever.
> - Within this time frame no one is legally permitted to work longer than
> 8 hours based on his login credentials to the office net (not device).
> - Just some specified servers do backups to the cloud and e.g. are
> granted access to the internet exclusively at night time (thus being
> exceptions to the general rule above).
> - The web and mail servers are separate from the office net and always-on.
> 
> The technical quest is in principle the same as the one I described
> above. Simply spoken: If no one of the 'guys and gals' responsible for
> safe and smooth operations is around the internet is turned off (or s/he
> gets paid overtime hours :-)).
> 
> Can s.th. like this be set up with OpenBSD being the central router? I
> searched the FAQ and several man-pages but didn't get an idea of how to
> proceed. My very first idea (=dream) was "e.g. set the general time
> frame with PF" and "the individual quotas or access times within
> anchors". Unfortunately nothing appropriate was found by the "leading"
> internet search engine.
> 
> If someone has found a solution to such a task it would be great to get
> to know how this was achieved, of course with OpenBSD.
> 
> Please: I am just curious and interested to learn about my (realistic)
> options.
> 
> TIA.
> 
> Best,
> STEFAN
> 



Limit internet connection by time of day and number of hours

2017-07-05 Thread Stefan Wollny
Hi there!

"Security" means to constantly re-evaluate your options and processes -
right? So the other day I checked the settings in the Fritz!Box router
and remembered that they had implemented a time quota for a defined
group of users (=IPs).

Example: My young son has a tablet and a mobile phone (both Android) and
has access to the internet with any device within a defined time frame
and an overall maximum of x hours, individually set for each day of the
week. In the rare cases that he needs more time he uses the joker named
"Mama" ... ;-) (Side note: Just like pocket money the allowed time is
regularly revised for age and experience - not behaviour!)

Consider other situations where you'd like to meet your responsibilities:
- There may be usual office times from 06:30 am to 21:00 pm (some people
like to work early, others late): Outside of this time frame access to
the internet may not be acceptable (with rare exceptions) - or might mean
that a machine is hijacked to be a part of a bot or to do some bitcoin
calculations... whatever.
- Within this time frame no one is legally permitted to work longer than
8 hours based on his login credentials to the office net (not device).
- Just some specified servers do backups to the cloud and e.g. are
granted access to the internet exclusively at night time (thus being
exceptions to the general rule above).
- The web and mail servers are separate from the office net and always-on.

The technical quest is in principle the same as the one I described
above. Simply spoken: If no one of the 'guys and gals' responsible for
safe and smooth operations is around the internet is turned off (or s/he
gets paid overtime hours :-)).

Can s.th. like this be set up with OpenBSD being the central router? I
searched the FAQ and several man-pages but didn't get an idea of how to
proceed. My very first idea (=dream) was "e.g. set the general time
frame with PF" and "the individual quotas or access times within
anchors". Unfortunately nothing appropriate was found by the "leading"
internet search engine.

If someone has found a solution to such a task it would be great to get
to know how this was achieved, of course with OpenBSD.

Please: I am just curious and interested to learn about my (realistic)
options.

TIA.

Best,
STEFAN