This is Part 2. Part 1 is a “technology parenting” overview. Part 2 is the technical “horsepower” and resource for securing your home internet connection. Securing your router is a foundation of Part 1 and, in my professional opinion, a best practice for anyone using the internet.
By the end of this post, you will have a very cheap and powerful DD-WRT router with two SSIDs (wireless network names). One for you and your older kids with a less-restricted or no content filtering. Another wireless network for your kids that is secured with OpenDNS’ family content filter.
A quick technical commentary: A simple approach to this is a creating a “kids” VLAN. The major, which is unacceptable for most homes, is that in a home/SMB network you want everything to be on the SAME VLAN. Having separate VLAN breaks every “newer” convience such as AirPrint, DLNA, Rokus, Screen Mirroring, wireless printers, etc; basically anything that relies on SSDP and mDNS. Said another way, if you have separate VLANs, kids on their “kids” content filtered network could not print to your wireless printer on the “parents” VLAN; and vice versa. The solution I propose eliminates this issue by putting everyone on one VLAN, uses ebtables to “mark” packets from the “kids” SSID, and then enforces these “marked” packets to use a parallel instance of dnsmasq for DNS which relays to OpenDNS Family Filter (or whatever DNS servers of your choice).
On a semi-related topic, you could add a third SSID to create a guest VLAN: here is a DD-WRT guide for builds >23020 for simple creation of a guest VLAN.
Notes, Assumptions, & Prerequisites:
- Refer to the next section for a support-router
- You have broadband internet.
- You want to protect your home. You recognize that the steps below will not protect you/your family against over-the-air data. Refer to the handout in Part 1. The steps below along with your new router protect your local wireless network only.
- Connect the blue port on the router to port #1/WAN port on your modem.
- As you go through the following steps, please fill out of the “Checklist and Documentation”. This is required in order to properly troubleshoot and keep you organized in the future when making changes.
- When you see text in quotations (e.g. “password”), only use the text inside the quotes. Do not copy/paste the quotes. The quotes are there to make it clearer for you to read.
- If you have Comcast, make sure you enable bridge mode if you have Comcast phone service; follow these instructions closely.
- If Comcast, make sure you disable Xfinity Hotspot; follow these instructions.
Hardware Needs & Original Flashing
- These steps are specific to the TP-LINK TL-WR841N Wireless Router (available on Amazon for >$20). It is a cheap, DD-WRT supported router. You want a “v9.x” version router. Be aware: TP-LINK may release newer revisions that do not support DD-WRT under the same “TL-WR841N” model number.
- You can flash the TP-LINK TL-WR841N v9 flashed to DD-WRT rather easily.
- Download a recent build (I tested on this one from April). This is for v9 ONLY. See the bottom of the router to make it its “v9.x”. You can flash this version directly in the TP-LINK GUI. Just login to 192.168.0.1 and browse to the firmware you just downloaded from DD-WRT. For step-by-step instructions, see this post by Gregg Borodaty. Remember: you have to flash the v9 firmware.
- I cover in another post how to revert back to the original TP-LINK OEM firmware if desired. Or how to cross-flash to Gargoyle which has certain benefits that I am not going to cover here.
- If you have another DD-WRT router, the below configuration is basically the same with some minor but critical changes to the copy/paste steps. Post a comment if you want specific help. E.g. instead of “ath0.1” it may be “wl0.1” for Broadcom-based routers or “ath1.1” for 5GHz dual band Atheros routers (wl1.1 for Broadcom dual band 5GHz routers).
- Go to OpenDNS and signup for a free account: https://www.opendns.com/home-internet-security/parental-controls/opendns-home/. Hit the “SIGN UP NOW” orange button. At right, enter your information to setup your account. Write your username and password down on the checklist at the end; #1.
- Check your email for an account confirmation email from OpenDNS. Not all email services allow hyperlinks within the content of messages, if the link in your email is not clickable copy and paste the link into your browser to confirm your account. If you click (or copy and paste) the link in the confirmation email you will be taken to your OpenDNS dashboard.
- Once confirmed, move on to router setup.
DD-WRT TP-LINK TL-WR841N Router Setup
- Go to http://192.168.1.1/Click “Setup” at the top and enter the following when the webpage prompts you:Username: “root” / Password: “admin” (admin is the default DD-WRT password)
- First, change the default password. At the top, go to “Administration”. Scroll down and enter “root” as the username (overwriting the ••/***). Please enter a new password and re-confirm it; please make it something your kids cannot guess. Write your username and password down on the checklist at the end; #2. Scroll further down and check the box next to “Info Site Password Protection”. Go to the bottom and hit “Save”. This is the router password that you will need to make changes to the router in the future, and prevents your kids from changing settings.
- Next, click on the upper left tab “Setup”. It should take you to the “Basic Setup” sub-tab. Scroll down, feel free to name your router whatever you would like under “Router Name”. Scroll to the bottom and enter the “Time Settings” as follows:
Copy/paste to make data entry easier: 0.us.pool.ntp.orgHit “Save”.
Click on the “DDNS” sub-tab at the top (next to “Basic Setup”). Select “Custom”. Enter the following information. Copy/paste below.
- DDNS Service: “Custom”
- DYNDNS Server: “updates.dnsomatic.com”
- <Enter your OpenDNS username and password you setup earlier; should be #1 on your checklist>
- Hostname: “all.dnsomatic.com”
- Under URL: “/nic/update?hostname=”
Hit “Save” at the bottom.
Click on the “Wireless” tab at the top. Under “Wireless Network Name (SSID)” enter whatever you want the parents/adult/older kids network to be named. For demonstration, I am calling it “Home Wireless”. Hit Save.
Once saved, click on “Add” under “Virtual Interfaces” and enter a network name “Wireless Network Name (SSID)” for the kids. For demonstration, I am calling it “Kids Wireless”. Hit Save.
At the top, go to “Wireless Security” and under “Security Mode” select “WPA2 Personal”. Under “WPA Shared Key” enter whatever password you want for your parent wireless network. In the example, this is the “Home Wireless” network. It must be 8 characters and should not be easily guessable and not shared with kids. Hit “Save”. Write down the “Home Wireless” key on the checklist at the end; #3.
- Do the same for the “Virtual Interfaces ath0.1“below. Make sure you hit “Save” from the step before then add the security information for the virtual interface. Select “WPA2 Personal”, under “WPA Shared Key” enter whatever password you want for your kids wireless network. In the example, this is the “Kids Wireless” network. It must be 8 characters and given to your kids. Write down the “Kids Wireless” key on the checklist at the end; #4.
- Next click on the “Services” tab at the top. Scroll down to the “DNSMasq” section. Enable “Query DNS in Strict Order”and copy/paste the following carefully into the “Additional DNSMasq Options”. Hit “Save”.
no-resolv server=220.127.116.11 server=18.104.22.168 address=/google.com/22.214.171.124 address=/google.ca/126.96.36.199 address=/www.google.com/188.8.131.52 address=/www.google.ca/184.108.40.206
- Go to the bottom of the “Services” table and disable the last option: “ttraff Daemon” (this prevents excess nvram writes over time; leave it enabled if you want WAN traffic history). Hit “Save”.
- At the top, go to the “NAT /QoS” section. Then go to the “UPnP” submenu at top. Enable both the “UPnP Service” and “Clear port forwards at startup” options and hit save. See below.
- At the top, go to “Administration”. Next, click on the “Keep Alive” sub-menu at top. Hit enable for “Schedule Reboot”. Enter when you want the router to automatically reboot itself to stay healthy. E.g. below at 2:00am Sunday morning. Select the radio button to the right of “At a set time” and choose “2” under the first drop-down menu. Hit “Save”.
Go to the “Commands” sub-menu.
Copy/paste very carefully the following code into the “Commands” box.
#KidsWireless DNS repeater instead of directly forwarding to OpenDNS to handle Google SafeSearch sleep 5 dnsmasq -S 220.127.116.11 -S 18.104.22.168 -R -i br0 -p 54 --address=/google.com/22.214.171.124 --address=/google.ca/126.96.36.199 --address=/www.google.com/188.8.131.52 --address=/www.google.ca/184.108.40.206
Hit “Save Startup” at the bottom.
- Next, Copy/paste very carefully the following code into the “Commands” box.
#Append HomeWireless/non-marked traffic to local DNS server, NortonDNS, using the integrated DNSMASQ instance iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) #Mark packets coming out of ath0.1 (KidsWireless) insmod ebtables insmod ebtable_filter insmod ebt_mark.ko sleep 2 ebtables -I INPUT -i ath0.1 -j mark --set-mark 2 #Append traffic for KidsWireless to local DNS server, OpenDNS, running on the manual instance of DNSMASQ on port 54 iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -m mark --mark 2 -j DNAT --to $(nvram get lan_ipaddr):54 iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -m mark --mark 2 -j DNAT --to $(nvram get lan_ipaddr):54 #For 5GHz dual band Atheros routers with virtual SSID #ebtables -I INPUT -i ath1.1 -j mark --set-mark 2 #For Broadcom Routers #ebtables -I INPUT -i wl0.1 -j mark --set-mark 2 #For 5GHz dual band Broadcom routers with virtual SSID #ebtables -I INPUT -i wl1.1 -j mark --set-mark 2 #CRON key for setting up a wireless schedule #minute (0-59), #| hour (0-23), #| | day of the month (1-31), #| | | month of the year (1-12), #| | | | day of the week (0-6 with 0=Sunday). #| | | | | commands # #For example to disable wireless between 9pm-6am (and disables it every hour the hour in between). To override/extend access another hour just reset the router. #0 21-23,0-5 * * * root ifconfig ath0.1 down #0 6 * * * root ifconfig ath0.1 up # #Now how about turning off wireless only on S,M,T,W,TH nights? (O=Sunday) #0 21-23 * * 0-4 root ifconfig ath0.1 down #0 0-5 * * 1-5 root ifconfig ath0.1 down #0 6 * * 1-5 root ifconfig ath0.1 up
After pasting the code above, hit “Save Firewall”. It will take roughly 30 seconds for the firewall script to save.
- Lastly, go back to the “Management” sub-tab at the top, scroll the entire way to the bottom, and click the red “Reboot Router” button.
Linking OpenDNS to your home internet
(Do NOT do this away from home; These steps must be done directly on your broadband connection at your home)
- First, go re-read section #1, “Notes, Assumptions, & Prerequisites” and ensure you have your Comcast or internet connection setup correctly. Confirm you modem/internet connection is in bridge mode. Your best option is to purchase your own modem (Motorola SB6141 is recommended) that does bridging by default.
- The key is getting a public IP address assigned directly to your router. Not only will it make filtering work correctly, it will make the internet faster and allow ports to automatically be opened for certain devices (e.g. AppleTV, Roku, Chromecast, etc.) making those devices work better.
- To check if your router is getting a proper public IP address, login to http://192.168.1.1 and look at the upper right. You will see a “WAN Address” line in white text. If that number does NOT start with “10.x.x.x” or “172.x.x.x” or “192.x.x.x” (where “x” represents any number) you are good to go. If that line starts with a 10, 172, or 192, then your modem is also a router and not in bridge mode correctly. Please call your internet provider and have them walk you through getting the modem into bridge mode.
- Login to OpenDNS. www.opendns.com. At the top, click on “Dashboard”(The steps and screenshots are from https://support.opendns.com/entries/53936430-Configuring-OpenDNS-on-your-Network with edits for working with DD-WRT.)
- Next you need to “Add a Network”. You will see a big box on your Home screen that says Add a network as shown below. Adding a network to your OpenDNS dashboard allows you to use our custom content filtering and stats features. Click on the Add a network box to get started:Once you click Add a network you will get the below screen which asks you to add an IP address. If you are on your home network you will see your current IP address displayed at the top of your dashboard where it says Your current IP is. Copy this number from the top of the screen. This is your current external (public) IP address that is assigned to you by your internet service provider as your network. Use that IP address for your dashboard network:
- Next you will get a screen that asks you for a network name and whether or not you have a Dynamic IP address. If you are unsure, you most likely have a dynamic IP address. Most internet service providers lease dynamic IP addresses which means that your IP address can change. Check off “Yes, it is dynamic”.Do not download the software under #3. The DD-WRT software on the router will handle the auto updating for you if you followed the router setup instructions above under “DDNS”. If you have more questions regarding dynamic IP addresses please see Dynamic IP Addresses : Technical Detail and FAQ.
- After you add your network you will see the screen below. Time to check your email to verify your IP address.
- You should receive an email that looks like the one below, once you click the link your IP address will be verified and you will be taken back to the dashboard.
- Configuring Content Filtering Settings: After you have added a network, content filtering can be configured in the Settings tab. Click on the Settings tab and choose the network you added from the Settings for: drop down to open the Web Content Filtering menu for this network. In the Choose your filtering level settings you can choose from one of the levels that are pre-set or chose Custom to select the categories you would like to filter on your network. Custom is powerful and recommended to filter specific categories like Social Media, File Sharing, and Webmail.
- Based on our PG-13 presentation, especially for younger kids, please enable the following categories: Adult Themes, Alcohol, Dating, Lingerie/Bikini, P2P/File Sharing, Pornography, Adware, Chat, Drugs, Hate/Discrimination, Gambling, File Storage, Classifieds, Nudity, Phishing, Proxy/Anonymizer, Social Networking, Tasteless, and Webmail (to block web-based email). This is the “magic” of the router. These categories will only apply to those connected to the “Kids Wireless” connection. “Home Wireless” is filtered via Norton ConnectSafe for general pornography and adware.
- You can also manage individual domains to customize your filtering settings. For example, if you choose to block the Lingerie/Bikini category but would still like to shop at victoriassecret.com you can add victoriassecret.com to your Never Block list which will allow access to victoriassecret.com while blocking all other domains in that category.For more information on content filtering please see: Web Content Filtering and Security.For more information on configuring the Manage individual domains section please see: Getting Started: Blocking/Allowing Specific Domains with Whitelist/Blacklist.
- Configuring Reporting/Statistics: If you would like statistics for your network, first you must Enable stats and logs on your network. To do so, click on the Settings tab, choose the network you added from the Settings for: drop down and click on Stats and Logs from the left hand menu. You will see the option to enable stats and logs, check the box and hit APPLY to enable stats as shown below:
It can take up to 24 hours for stats to initially populate after you enable them, so if you don’t see them right away don’t fret they are coming! When stats begin to populate you can view them in the Stats tab. There are several different ways you can view your stats by choosing the options in the left hand menu:
Testing, FAQs, and more technical information
- Almost done. Well done. Now time to test. The “Home Wireless” network uses Norton ConnectSafe. To test your “Home Wireless” network go to playboy.com. IT SHOULD BE BLOCKED. As of 4/15/2015 (and since 2010) the playboy.com homepage is “safe” and does not have pornographic images on the homepage. Assuming you followed the steps above correctly, you should NOT get the playboy.com site and instead get the Norton ConnectSafe block page.
- Thankfully OpenDNS has an easy testing website. To test OpenDNS, connect to the “Kids Wireless” connection and go to www.opendns.com/welcome. You should get a large checkmark indicating OpenDNS is setup correctly. If you do NOT get a large checkmark, you have something incorrect in the “Commands” section above (or see NOTE2 below) where you copied/pasted the large block of gray-colored code. Retry and reboot router and PC and retest on “Kids Wireless”.NOTE: OpenDNS will “work” with a green checkmark but that does NOT mean your low/medium/high/custom OpenDNS filtering settings are being applied. You must try a website that you know should be blocked in a category you specified and look for the OpenDNS block page instead of the website loading. For example, if you select “Custom” filtering profile and you then check off to block “Social Media”, this should block Facebook.com. When you go to facebook.com when using the “Kids Wireless” connection it should NOT load facebook.com and instead give you the OpenDNS block page.If for example, you expected Facebook to be blocked based on your OpenDNS categories, and it is not AND you correctly get the checkmark indicator when you go to www.opendns.com/welcome, then your issue is with the “DDNS” section above. Your router is not correctly telling OpenDNS what your home internet connection IP address is and thus not applying your custom filtering categories. This could also be an issue if you did not properly put your modem into bridge mode.
NOTE2: The commands above in the “Commands” step that start with “iptables” handle the DNS enforcement. If your kids try to specify their own DNS settings to bypass the filter, the router redirects everything back to its local DNS server (called DNSMasq) which then forwards everything to either OpenDNS (for kids) and Norton ConnectSafe (for parents/Home Wireless).
KEEP THIS PAGE
Checklist and Documentation
- OpenDNS.comUsername: ________________________Password: _________________________
- Router Configuration: http://192.168.1.1Router Username (root): _________________________Password: __________________________
- Parent/Home Wireless (≥8 characters): __________________________
- Kids Wireless Password (≥8 characters): __________________________
Last Thoughts: Support & Sharing with Others
I will do my best to assist families. As mentioned in Part 1, I share a passion for Christ and helping parents navigate technology to strengthen families and faith. I, with the help of the pastors, have spent >30 hours putting together this material: the presentation, handout, this router workshop material and equipment. I am trying, in good faith, to have this material stand on its own. That being said, I also know there will be many questions and many unique situations that we cannot document or anticipate. I do anticipate issues; with your internet provider, with a device, with setup questions. I will do my best to respond to comments and questions. Cheers.