Help me block access to certain sites / apps at different locations

tniland

Active Member
Joined
Aug 25, 2008
Messages
58
Hi all,

I'm very much a networking beginner. :)

I managed to bumble my way through setting up a wireless network on a game farm where internet is accessed through Vox Yahclick at the main lodge and distributed to two guest cottages (approx. 300m away) using the following:

Main lodge - Ubiquiti AirMax Sector + Rocket M2
Cottages - Nanostation M2

As you'll know, YahClick data is expensive so we'd like to manage the internet activity at the cottages quite closely. We've noticed considerable data depletion when certain guests are around, ones that use facebook and instagram a lot.

Is there a way I can use the Ubiquiti hardware to block these sites and apps?

Also, while I'm there, I'd love to block access to iCloud (I'm sure that iCloud Photos is using a TON of data) and Apple App Store.

Final question, what tool can I install at the main lodge to see where data is going?

Thanks in advance for your valued input! :)
 

Fuzzbox

Expert Member
Joined
Jun 10, 2009
Messages
1,187
Are these guests not paying thousands of rands a day to stay in your lodge?
Stop being a cheapskate and get an uncapped data account.
No data, no stay.
That's my motto.
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
25,150
Are these guests not paying thousands of rands a day to stay in your lodge?
Stop being a cheapskate and get an uncapped data account.
No data, no stay.
That's my motto.
get uncapped
It's quite conceivable that uncapped is not available to the OP.

My personal solution is to use pfSense as soft router and firewall, with OpenDNS to manage access to websites. It's not so easy for a n00b to set up and configure. Basically, you need a PC to run BSD, with pfSense on top. I use an HP Microserver running ESXi, with the rest in a VM.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
7,803
Or get a "brand" name device like a FortiGate, which is really simple to use and can block, shape and restrict as much as you would need.
They are definitely more expensive than a pfSense deployment, but not that bad considering this is a commercial deployment.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
40,012
Or get a "brand" name device like a FortiGate, which is really simple to use and can block, shape and restrict as much as you would need.
They are definitely more expensive than a pfSense deployment, but not that bad considering this is a commercial deployment.
Ubiquiti is a brand name. One of the higher-end devices out there.
 

d7e7r7

Executive Member
Joined
May 30, 2009
Messages
8,830
What do you want people to be able to do using the Internet? I'd be pretty pissed off if I booked a stay at a game lodge that advertises internet access but then blocks Facebook among other social media sites...
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
37,922
Either get uncapped...or start charging.

Put a Mikrotik Hotspot in between the Yahclick and wireless to the guest lodges.

Give them a reasonable amount free after which they need to buy more data.

Limiting it selectively pisses people off and there are endless ways to get around it anyway if you want to. So unless you want to be managing it every hour of every day, just start charging above the limit.
 

Zipkoppie

Well-Known Member
Joined
Jul 1, 2009
Messages
155
I've used satellite connections for some of my sites in Africa and I don't think uncapped is even an option.

The way I see it, you have 2 options.
1. Swallow the cost of the data so that you can offer it as a perk of staying on your game farm.
2. Don't offer internet access at all. If you start blocking the sites that your guests use the most, then you are going to have a lot of unhappy guests on your hands.

If I were to visit your game farm and you advertise that you offer internet access, but I get there and find that you are blocking all the sites I want to access, you can bet I would have something to say about that :)
 

tniland

Active Member
Joined
Aug 25, 2008
Messages
58
Are these guests not paying thousands of rands a day to stay in your lodge?
Stop being a cheapskate and get an uncapped data account.
No data, no stay.
That's my motto.
get uncapped
What do you want people to be able to do using the Internet? I'd be pretty pissed off if I booked a stay at a game lodge that advertises internet access but then blocks Facebook among other social media sites...
This type of response is totally unnecessary, and will only drive noobs away from this forum.

I was clearly asking for technical assistance not commercial advice. None of you bothered to ask me if this was indeed for paying guests or whether internet access was advertised. The parts of the farm that accommodate paying guests don't have internet access in any event as they're too remotely located.

Not that it matters, but this is actually to control internet access when kids of the family use the guesthouses. We'd still like to keep the internet access on for those that need it for work, browsing, etc., but having kids spend hours on Instagram and Facebook, syncing photos with iCloud, is not feasible. Now I guess you can lecture me on how to raise / discipline children because that's also clearly what I asked for.


To everyone else that tried to be helpful - thanks for the feedback, I'll look into your proposed solutions.

Zipkoppie, I wouldn't be happy if it was advertised either but, in this case, it isn't. We are currently doing option 1 but when certain people (not customers) stay here, they use a lot of data which then begins to impact other (non-paying) guests.
 

RVQ

Expert Member
Joined
Apr 30, 2007
Messages
1,789
Setup OpenDNS

A proper solution will require additional hardware and skills...
 

Zipkoppie

Well-Known Member
Joined
Jul 1, 2009
Messages
155
This type of response is totally unnecessary, and will only drive noobs away from this forum.

I was clearly asking for technical assistance not commercial advice. None of you bothered to ask me if this was indeed for paying guests or whether internet access was advertised. The parts of the farm that accommodate paying guests don't have internet access in any event as they're too remotely located.

Not that it matters, but this is actually to control internet access when kids of the family use the guesthouses. We'd still like to keep the internet access on for those that need it for work, browsing, etc., but having kids spend hours on Instagram and Facebook, syncing photos with iCloud, is not feasible. Now I guess you can lecture me on how to raise / discipline children because that's also clearly what I asked for.


To everyone else that tried to be helpful - thanks for the feedback, I'll look into your proposed solutions.

Zipkoppie, I wouldn't be happy if it was advertised either but, in this case, it isn't. We are currently doing option 1 but when certain people (not customers) stay here, they use a lot of data which then begins to impact other (non-paying) guests.

In everyone's defense, you did say: "We've noticed considerable data depletion when certain guests are around, ones that use facebook and instagram a lot." so it's easy to assume you were referring to paying guests, but that's irrelevant now :)

As for technical advice, it really depends on your skill level or budget; you will need one of the two.

You can use something like Squid proxy, which is free, and then set up your firewall to automatically redirect any traffic via your proxy (also called transparent proxying). Without the firewall rule to redirect to the proxy, people will have to manually configure the proxy on their device, which is an option, as long as you only allow the proxy server out, to stop people from simply bypassing the proxy.

Otherwise you can buy a dedicated device that does both, maybe something like a FortiGate etc., but since these devices are aimed at the small to medium enterprise market, they come at a price. There is Untangle, which offers some of that functionality for free (https://www.untangle.com/), but you'll have to check if the web filtering module is included in the free version; it might not be.

There are a few other ways of doing it as well, but it really depends on how much you want to block. You could, for example, just block all the Facebook IPs directly on your firewall, but that gets messy and unmanageable very fast and is not considered the right way of doing it.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
7,803
Ubiquiti is a brand name. One of the higher-end devices out there.
I was actually referring to the pfSense and I used "brand" names in quotations.
Although on that, where is Ubiquiti on the Gartner report for UTM devices again?
Sure, they are great for other purposes, probably not my first thought for web filtering and application control though.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
40,012
I was actually referring to the pfSense and I used "brand" names in quotations.
Although on that, where is Ubiquiti on the Gartner report for UTM devices again?
Sure, they are great for other purposes, probably not my first thought for web filtering and application control though.
Depends what Ubiquiti device I suppose, but in my case:


Squid and SquidGuard are already integrated in EdgeOS:

Code:
God@RTR# set service webproxy ?

administrator        domain-noncache      minimum-object-size
append-domain        enable-access-log    proxy-bypass
cache-size           listen-address       reply-block-mime
default-port         maximum-object-size  reply-body-max-size
domain-block         mem-cache-size       url-filtering
Only drawback is HTTPS, so Facebook is a pain in the bottom.


http://community.ubnt.com/t5/EdgeMAX/Best-way-to-setup-web-internet-filtering/td-p/1360021


I personally use pfSense and Squid as a cache server.
 
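The HTTPS drawback mentioned above is that a URL filter never sees the path of an encrypted request. What it can still see, unencrypted, is the server name in the TLS ClientHello (the SNI extension), which is what Squid's SslBump peek step and SNI-aware firewalls match on. The following is an added example, written for this thread and not code from EdgeOS, Squid or SquidGuard: it parses a ClientHello record, pulls out the SNI, and applies a parent-domain block list. The ClientHello is constructed inline as test input, and the three blocked domains are an illustrative set taken from the thread, not the full set of hostnames those services use.

```python
import struct

# Domains to refuse at the proxy/firewall (illustrative set from the thread;
# the real hostname set for Facebook/Instagram/iCloud is larger and changes).
BLOCKED_DOMAINS = {"facebook.com", "instagram.com", "icloud.com"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed test input for the parser below, not a captured packet."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list
    groups_ext = b"\x00\x0a" + struct.pack("!H", 4) + b"\x00\x02\x00\x17"  # a second extension
    extensions = groups_ext + sni_ext
    body = (
        b"\x03\x03"                    # client_version
        + b"\x11" * 32                 # random (fixed for the example)
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                  # null compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello record, or None if the
    bytes are not a complete ClientHello carrying an SNI extension."""
    if len(data) < 5 or data[0] != 0x16:
        return None                                  # not a handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        return None                                  # not a ClientHello
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        return None                                  # truncated record
    pos = 2 + 32                                     # skip version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                               # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                               # compression_methods
    if len(hs) < pos + 2:
        return None                                  # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(hs):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            return None
        if etype != 0:
            continue                                 # not the server_name extension
        if len(edata) < 2:
            return None
        lst = edata[2:2 + struct.unpack("!H", edata[:2])[0]]
        p = 0
        while p + 3 <= len(lst):
            ntype, nlen = lst[p], struct.unpack("!H", lst[p + 1:p + 3])[0]
            name = lst[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii").lower().rstrip(".")
                except UnicodeDecodeError:
                    return None
    return None


def policy_for(client_hello: bytes) -> str:
    """Decide block / allow / no-sni for one ClientHello. The SNI is matched
    against BLOCKED_DOMAINS by parent-domain suffix, so www.facebook.com
    matches facebook.com while notfacebook.com does not."""
    name = extract_sni(client_hello)
    if name is None:
        return "no-sni"        # older clients or encrypted SNI: needs its own default
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return "block"
    return "allow"
```

Two caveats a practitioner should carry over from this: a client that sends no SNI (or hides it with Encrypted Client Hello) falls into the "no-sni" case, and whether that defaults to allow or block is a policy decision the parser cannot make for you; and a DNS-based filter such as OpenDNS is bypassed by any device that uses DNS over HTTPS, so SNI matching at the gateway is the more robust of the two for the HTTPS sites the thread is about.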

Electron1

Expert Member
Joined
Jan 29, 2009
Messages
4,130
Technically there are many solutions you can use to proxy the Internet connection.
What you need to consider before doing anything is how will you control who gets full access and who doesn't?
Most solutions will use either a hotspot scenario - i.e. login or control by hardware address (MAC address and/or IP address).

So now you have to set up and maintain lists of privileged and unprivileged users. If you are always onsite it is easy, otherwise you will need remote access usually via VPN on the device in order to login and configure as you need. This also requires co-ordination with the users onsite so you can figure out which device must be added to the privileged list.

This also will only work if the privileged users do not assist their family members to get past your controls.

Anyhow, my suggestion is to look at Endian Community Edition (free) as a solution, as it is easy to install and can be configured via the GUI. http://www.endian.com/
 

bigboy529

Expert Member
Joined
Apr 23, 2012
Messages
2,771
Rather than totally blocking Facebook etc., I would suggest you look at enforcing daily data limits per device; then whatever they do on the internet, they only have X amount of data per day.
Totally blocking Facebook will tick off everyone and will be unfair towards those who are not abusing it; you can't punish them because of a few abusers.
Find a way to set up daily data limits per device, say 50 MB per device per 24-hour period, and then clearly make all guests, paying and non-paying, aware of the fact that their usage is limited.

I have no clue how to go about setting up something like this, but I know it's possible. A while ago I talked to someone who had something similar set up at his company. After his employees heavily abused the internet, hogging all the bandwidth, he had it set up that employees got 100 MB of data per week per device for their personal devices. This worked out well for him; eventually, after a while, most people didn't even use up their 100 MB per week.
 
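The two suggestions above (a privileged/unprivileged device list keyed on MAC address, and a per-device daily allowance such as 50 MB per 24 hours) combine into one accounting decision. The following is an added example written for this thread, not code from any router or hotspot product: it reads a constructed per-host accounting log (the "timestamp mac bytes" lines are made up for the example), sums each device's bytes over a rolling 24-hour window, exempts an assumed set of privileged MACs, and returns which devices should be pushed into the firewall's block set. The log format, the quota and the privileged MAC are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DAILY_QUOTA_BYTES = 50 * 1000 * 1000      # 50 MB per device per rolling 24 h, as in the post
PRIVILEGED_MACS = {"aa:bb:cc:00:00:01"}    # devices that keep full access (assumed list)

# Constructed per-host accounting log: "timestamp mac bytes" per interval, the
# sort of export a router's per-host accounting produces. Not real traffic.
SAMPLE_LOG = """\
2016-03-01T06:00:00Z aa:bb:cc:00:00:01 40000000
2016-03-01T07:00:00Z aa:bb:cc:00:00:02 30000000
2016-03-01T08:00:00Z AA:BB:CC:00:00:02 30000000
2016-03-01T09:00:00Z aa:bb:cc:00:00:03 10000000
2016-03-02T05:30:00Z aa:bb:cc:00:00:02 1000000
2016-03-02T07:30:00Z aa:bb:cc:00:00:03 2000000
"""


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text: str):
    """Return (timestamp, mac, bytes) tuples. MACs are normalised to lower
    case so one device is not counted as two because of capitalisation."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, nbytes = line.split()
        records.append((parse_ts(ts), mac.lower(), int(nbytes)))
    return records


RECORDS = parse_log(SAMPLE_LOG)


def usage_in_window(records, now: datetime, window=timedelta(hours=24)):
    """Bytes per MAC for records with start < timestamp <= now. The window
    rolls, so a device gets its allowance back as old intervals age out."""
    start = now - window
    totals = defaultdict(int)
    for ts, mac, nbytes in records:
        if start < ts <= now:
            totals[mac] += nbytes
    return dict(totals)


def decide(records, now_iso: str, quota=DAILY_QUOTA_BYTES, privileged=PRIVILEGED_MACS):
    """Map each active MAC to ("allow", bytes_remaining) or ("block", 0).
    Privileged devices are exempt and report None for remaining bytes."""
    totals = usage_in_window(records, parse_ts(now_iso))
    decisions = {}
    for mac, used in totals.items():
        if mac in privileged:
            decisions[mac] = ("allow", None)
        elif used >= quota:
            decisions[mac] = ("block", 0)
        else:
            decisions[mac] = ("allow", quota - used)
    return decisions


def blocked_macs(decisions):
    """Sorted list of MACs to push into the firewall's block set."""
    return sorted(mac for mac, (verdict, _) in decisions.items() if verdict == "block")


if __name__ == "__main__":
    for when in ("2016-03-01T10:00:00Z", "2016-03-02T08:00:00Z"):
        verdicts = decide(RECORDS, when)
        print(when, verdicts, "block set:", blocked_macs(verdicts))
```

Run against the sample, the second device is over quota at 10:00 on the first day and back under it the next morning once its two big intervals have aged out of the window, which is the behaviour that makes a rolling allowance fairer than a hard midnight reset. The weakness is the one raised earlier in the thread: keying on MAC address holds only while nobody changes theirs, and modern phones randomise the MAC per network by default, so a hotspot login (the MikroTik suggestion) ties the allowance to a credential instead and is the sturdier place to enforce this.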