Creating a Safe Kids Network with pfSense, Unifi and NextDNS

... and a healthy dose of common sense.


Well, here we are five months later and COVID-19 is still a thing. And like many parents we are facing the need to continue our daughter’s education at home. Our local school district has stated that all learning will be conducted online for at least the first nine weeks. And even if they allow students to return, we will probably opt to keep her at home for a while longer until things are more stable.

Now, our daughter is seven and will be turning eight in a couple months. So she’s at that age where she’s old enough to do some things independently. But, as most of us know, the Internet is not a safe place for a seven year old and we as parents need to exercise some level of control over the things they can access. And while the best solution is a set of eyes, we obviously can’t be everywhere at all times. So this is the solution I came up with.

Defense In Depth

My strategy for keeping my daughter safe relies on Defense in Depth. Basically it means there are multiple levels of control at various points, with the idea that most problems will be caught at some level. And it starts at the social level.

Her main computer that she uses for schoolwork is in the kitchen, in clear view of everyone. She also has a Kindle and a very old iPod. We also discussed with her what is appropriate on the Internet and what isn’t, and that you need to tell an adult if you see something that makes you feel unsafe or weird.

That’s the first level.

On Device Safety

The next level is on-device. We are using Apple’s Parental Controls to enforce time and usage limits on her computer, as well as Kaspersky Safe Kids. These are the first line of defense and are mostly about preventing excess usage. There was a while there where she was getting up early to watch videos on YouTube, so time limits keep her from doing that. We also want to keep her away from screens for the few hours before bed.

I am not really sure how well Kaspersky is working, so the jury is still out on that. Hopefully I will have something more to report later. I also tried Qustodio. It did “work,” but it works by MitM’ing her network connections (on the Mac). This actually broke a bunch of the stuff she needed for school, like Google Classroom and a math game she plays, all of which had certificate pinning enabled. So that was a no-go.

On her Kindle, the browser is disabled and parental controls are turned on through our account. I generally allow her free range on books that are age appropriate or a little above. I think I have her age limit set at 11, since she is mature for her age and can handle some older stories like Harry Potter. The Kindle also has slightly longer time limits on it because I don’t mind her staying up a bit later to read.

Same with her iPod. The browser is disabled, but, truthfully, that thing is so old that it probably wouldn’t be any good even if it was.

Network Level Safety

The next layer is at the network level. And this is where pfSense, Unifi and NextDNS come in.

I created a separate wifi network for kids’ devices (mine is called Eclipse-Kids) in the Unifi admin, and I tagged it with a separate VLAN ID. Over in pfSense, I added the VLAN as a separate network for kids’ devices, along with a separate DHCP server for them. I also added some rules around it. Besides the obvious pass rules to the WAN and LAN interfaces, I added some time-limiting rules to fine-tune access control. Namely, they shut off almost all Internet access at 9PM (internal traffic is still allowed). Internet traffic is allowed from midnight to 4am, primarily to allow devices to do automated updates, then is disabled again until 7:15am to keep her from getting up early.

And the final step is NextDNS. If you aren’t familiar with them, they are a DNS service that also has built-in blocking. You can select from a list of domains to block and also add your own. They block ads, trackers, malware, etc., as well as adult content if you opt in to it. They also purport to be able to block adult content out of search engine and YouTube results.

DNS filters set up for the Kids network.

But the cool part is that you can have multiple NextDNS profiles, and each get different DNS servers! This way I can have a Kids profile that is more locked down, and an Adults profile that is more open.

With that in mind, I edited the DHCP config for the Kids VLAN to be sure those devices get the NextDNS DNS servers from the Kids profile. And to prevent bypassing it, I set up a rule in pfSense that only allows DNS traffic to those servers. So trying to change the DNS servers on the device will result in a useless device.
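As an added illustration, not code from the original post: the Python below models the Kids-interface ruleset described above (the scheduled night-time block, DNS pinned to the Kids-profile resolvers, and pfSense’s default deny) so the time windows and rule order can be sanity-checked before they are clicked into the pfSense GUI. The subnets and resolver addresses are placeholders, since the post does not give them.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the post names no subnets or resolver addresses, so these are placeholders.
KIDS_NET = ip_network("10.20.0.0/24")   # hypothetical Kids VLAN
HOME_NET = ip_network("10.10.0.0/24")   # hypothetical main LAN
KIDS_DNS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}  # stand-ins for the Kids-profile resolvers

# Minutes since midnight, [start, end), during which the scheduled block rule is active:
# 9PM until midnight, then 4AM until 7:15AM (midnight to 4AM is left open for automatic updates).
BLOCK_WINDOWS = [(21 * 60, 24 * 60), (4 * 60, 7 * 60 + 15)]


def schedule_active(minute: int) -> bool:
    """True when the pfSense schedule attached to the night-time block rule is in effect."""
    minute %= 24 * 60
    return any(start <= minute < end for start, end in BLOCK_WINDOWS)


def is_internal(dst) -> bool:
    """Traffic to either local network counts as internal and is never time-limited."""
    return dst in KIDS_NET or dst in HOME_NET


# Rules on the Kids interface in evaluation order. pfSense evaluates top-down, first match wins,
# and anything unmatched is dropped. Each entry: (name, match(minute, dst, port), action).
RULES = [
    ("night block (scheduled)", lambda m, d, p: schedule_active(m) and not is_internal(d), "block"),
    ("pass DNS to Kids-profile resolvers", lambda m, d, p: p == 53 and d in KIDS_DNS, "pass"),
    ("block DNS to anything else", lambda m, d, p: p == 53, "block"),
    ("pass to LAN", lambda m, d, p: d in HOME_NET, "pass"),
    ("pass to WAN", lambda m, d, p: not is_internal(d), "pass"),
]


def evaluate(hhmm: str, dst: str, port: int):
    """Return (action, rule name) for a packet leaving the Kids VLAN at wall-clock time hhmm."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    when, addr = hour * 60 + minute, ip_address(dst)
    for name, match, action in RULES:
        if match(when, addr, port):
            return action, name
    return "block", "default deny"


if __name__ == "__main__":
    for sample in [("21:30", "203.0.113.10", 443), ("02:00", "203.0.113.10", 443),
                   ("12:00", "8.8.8.8", 53), ("22:00", "192.0.2.53", 53)]:
        print(sample, "->", evaluate(*sample))
```

Only plain port-53 DNS is pinned here, as in the post; the scheduled block sits first so that, overnight, even the permitted resolvers are unreachable.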

Network rules for the Kids network.
Network rules for the Kids network.

Conclusions

I struggle with this a lot, primarily for ideological reasons.

Growing up I was given pretty free rein to explore “cyberspace,” as we called it back then. First GEnie, then later AOL, then later the Internet. There really wasn’t such a thing as parental control tools back then, and the Internet by and large was a much safer place. I got a feel early on for which places were “good” and “bad.” I am endlessly thankful that I got to grow up in that world and for the friendships I made back then, many of which I still keep up with to this day.

But the reality is that world doesn’t exist anymore. When we added all of society to the Internet, they brought the world’s problems with them. And it would be wrong of me, as a parent, not to try to protect her from some of the worst parts of the online world if I am able to. That is actually the same reason we chose to keep her out of school amid the ongoing pandemic, even before the school system announced that they were going online-only for everyone.

As my daughter gets older and more experienced in working online, I will be able to loosen some of these restrictions. But right now she, like the rest of us, is being thrown into the fire of needing to be online for a significant period of time. And while we all would like to think that everything will be fine, most of us realize that the Internet is not a safe place for a child and that there are a lot of questionable things out there.

Ultimately, our goal as parents is to teach her how to safely navigate the online world. But we can’t be sitting next to her at all times. The protection system is primarily in place for those times when we can’t be supervising her.
