Child Safety: How to sandbox your children’s web traffic cheaply using a Raspberry Pi




You can pick up one of these for under £30

Heavy Disclaimer Although the Raspberry Pi described here is super cheap, you will have to have some slightly specialized network equipment to do this. In particular you will need a VLAN aware network switch and a VLAN aware Wifi Access Point at a minimum. These used to be costly but are getting cheaper. I HIGHLY recommend the:

Q: OK so what exactly is this thing and what can I do with it?

A: Quite simply you will have absolute control of your kids’ network traffic while at the same time enjoying complete freedom of your own. It will be like having two separate internet connections to your home and you can say goodbye to slow downs whenever your kids are on you tube.

It allows you to do many cool things such as:

  • Schedule access times for your children’s internet.
  • Set up a transparent porn/ content filter for your kids internet.
  • Log & capture your childrens network traffic.
  • Monitor speeds & bandwidth usage and set caps on data.
  • Separate the rest of your network from your kids (protecting your home office etc)
  • Block certain sites, filter adverts, and many more things!

Child Safety How to sandbox your children's web traffic cheaply using a Raspberry Pi

All this can be done with free, libre, open source software and a cheap raspberry pi computer that you can get for under £30.00!

My rough network topology

My network topology. We are only interested in the left hand side.[/caption] Note the left hand side of the above diagram and in particular the dashed blue line. This represents your children’s wireless network connection to the internet. Basically what we will be creating is known as a ‘One Armed Router’. It’s a router with only a single network port, yet it is able to capture traffic at the hardware level using the power of VLANs , and then change the traffic before spitting it out again. This happens in both directions effectively creating a sandbox. VLANs are used by ISP’s and enterprises; they are a way to have two or more networks sharing the same physical wires. The white circular object shown above is the Ubiquiti Unifi Wifi access point I described above. It allows you to create multiple separate wifi connections which is key because you can have a separate password for each and then give your kids their own wifi connection. All their traffic becomes the blue dashed line shown above and is sent to the Raspberry Pi by the switch yet your own green traffic passes freely through. You can even have your wifi connection completely hidden so that only the sandboxed connection shows up, this is also great for guests & strangers who want to use your internet because all your green network including your LAN (in my case) is completely separated

Q: OK I’m ready to do this. How do we get started? A: First of all you will need the following:-

  • A Raspberry Pi (case optional)
  • A spare SD card (at least 4GB)
  • About 90mins of time (+ some download time)
  • Some VLAN capable network hardware. (Check your router/network gear. Admittedly at the time of writing these are fairly rare, especially as most people stick with the BT Home Hub/router that your ISP has provided which mostly suck. If you don’t have these things then please scroll to the bottom where I will try to convince you to invest in some top gear and if you live in the south east of england I will even come and install it for you. Just head over to my business website https://www.onebytetoomany.co.uk )

1) Install Arch Linux onto the SD Card Instructions for this can be found here :- http://archlinuxarm.org/platforms/armv6/raspberry-pi

2) Boot up and Log in to your Raspberry Pi as root, either physically or via SSH. (If you use windows you can download a tool called PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/ )

3) Set up your raspberry pi for VLAN.

$ cd /etc/netctl
$ cp examples/vlan-static .
$ cp examples/ethernet-dhcp .
$ (vi or nano) vlan-static

# [edit the file to look like this ]
Description='Virtual LAN 32 on interface eth0'
Interface=eth0.32
Connection=vlan
BindsToInterfaces=eth0
VLANID=32
Address="10.13.37.1/24"
Gateway="10.13.37.1"
DNS=("10.13.37.1")
ExecUpPost=("route del default dev eth0.32")
Hostname="RpisRCool"

$ (vi or nano) ethernet-dhcp
# [edit the file to look like this ]
Description='A basic dhcp ethernet connection'
Interface=eth0
Connection=ethernet
IP=dhcp

$ netctl enable ethernet-dhcp
$ netctl enable vlan-static

$ netctl start ethernet-dhcp
$ netctl start vlan-static

4) Enable forwarding of packets between the two virtual network cards we just set up on the Pi

$ echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
$ echo 1 >> /proc/sys/net/ipv4/ip_forward # so we don't have to restart.

5) Set up the iptables firewall to act as a Network Address Translation (NAT) router between the two virtual network cards.

$ cd
$ touch onearm.sh
$ vi onearm.sh
# [make a file like this (we can expand it later but for now this will do]
ETH="eth0.32"
WAN="eth0"
SUBNET_LOCAL="10.13.37.0/24"

function clean {
iptables -F
iptables -t nat -F
}

function onearm {
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

clean
onearm

# [EXIT & SAVE the file ]
:wq (for vi)

$ ./onearm.sh # run our script
$ iptables-save > /etc/iptables/iptables.rules

6) Set up your hardware to VLAN tag the port your Pi is plugged into as VLAN ID = 32.

Refer to your manual. If you are using a Ubiquiti Toughswitch then you simply log into the switch, go to the VLANs tab and set the port to ‘T’ and the VLAN ID to 32 or whatever you chose your VLAN ID to be.

7) Set up your Wifi access point and create a separate SSID & Network on VLAN 32 (or whatever you chose as your tag).Child Safety How to sandbox your children's web traffic cheaply using a Raspberry Pi schematic

On the Ubiquiti Unifi this can be done through the management interface, simply create a network and set it’s VLAN ID to be the same. Make sure the port on the switch is similarly set up as the Pi with tag enabled on the port.

8) Enable a DHCP Server on your VLAN’d Raspberry Pi interface so that the kids get given an IP address from their sandboxed network (10.37.37.0).

$ vi /etc/dnsmasq.conf

interface=eth0.32
domain=somedomainofmychoosing.local,10.37.37.0/24
dhcp-range=10.13.37.30,10.13.37.60,12h
:wq

$ systemctl enable dnsmasq
$ systemctl start dnsmasq

Thats it!. You now have a sandboxed connection running through a separate network (10.13.37) and your kids have their own network on 10.13.37.0 which gets ‘N.A.T.’ted through the Raspberry Pi onto the normal network which then gets N.A.T.ted again and out onto the public internet. Double firewall.

Drop me a mention on twitter @cedeon if you need any help!.

Now you have the basic functionality set up you can do lots of cool things with it. I’ll leave it up to your imagination but here are a few ideas:

  • Set up a cron job to turn off eth0.32 at night and then turn it back on again in the morning.
  • Install a traffic analysis tool like IPTraf ( http://iptraf.seul.org/ ) and have a look at whats going on with your kids online.
  • Install a content filter like safesquid / OpenDNS / squidguard
  • Install ‘snort’ intrusion tool
  • Make some advanced firewall rules & traffic shaping rules.

 

For more detail: Child Safety: How to sandbox your children’s web traffic cheaply using a Raspberry Pi


© 2015 Powered By Engineering Projects Team, Raspberry Pi Projects

Scroll to top