Recently I had to find a secure WLAN solution for disabled kids.


Keypoints:

  • Kids get WLAN on their own devices
  • Kids get LAN for their own devices (workstations, PlayStations, ...)
  • Internet access should be as secure as possible
  • WLAN needs time-based scheduling (web configurator)
  • Restrict WAN access to TCP ports 80, 443, 8080, 8443 (web) and 587, 110, 143, 993, 995 (mail)
  • Restrict internet site access:
    • No porn
    • No violence
    • Safe Google search
    • Restricted YouTube
    • No proxy sites


Solution:

  • Buy a TP-Link TL-WR1043ND and power it on
  • Connect a PC to a LAN port and set a static IP: 192.168.0.100/24
    Log into the router (admin/admin):
    http://192.168.0.1
  • Upload the firmware: wr1043nd.bin (the original file name is too long -> rename it)
    Get the firmware here
    System > Firmware Upgrade > Upload
  • The router reboots; reconnect the PC to the LAN
    The PC now gets an IP in 192.168.1.0/24
  • Log into OpenWrt LuCI: root / (no password)
    http://192.168.1.1
  • Restore the KidsNet router config:
    Backup-KidsNet-2017-02-02.tar.gz
  • The router reboots; reconnect the PC to the LAN
    The PC now gets an IP in 192.168.77.0/24
  • Log into OpenWrt LuCI: root/toor
    http://192.168.77.1
  • WLAN: KidsNet
    PW: SecureNet

Now the router configuration is finished; what remains:

  • Change the router password
  • Change the WLAN SSID and password
  • Adjust the Wi-Fi schedule


Want to know how it works?
Examine the backup or see the install draft below:

####################################################################################
# PROJECT: openwrt-parental
# VERSION: 20170201
####################################################################################
DESCRIPTION:
----------------------
HW: TP-Link TL-WR1043ND
OS: OpenWrt Chaos Calmer 15.05
DESC: Parental Control Router

IMPORTANT NOTES:
------------------------------
# the factory image name is too long for the upload form, so rename it
mv openwrt-15.05.1-ar71xx-generic-tl-wr1043nd-v2-squashfs-factory.bin wr1043nd.bin

ifconfig eth0 192.168.0.100 netmask 255.255.255.0
http://192.168.0.1
user: admin
pw: admin
System > Firmware Upgrade > Upload wr1043nd.bin

telnet 192.168.1.1              # telnet is available until a root password is set
passwd                          # set new root password; use ssh from now on
uci set network.lan.proto=static
uci set network.lan.ipaddr=192.168.77.1
uci set network.lan.netmask=255.255.255.0
uci set network.wan.peerdns=0   # ignore the resolvers handed out by the ISP ...
uci set network.wan.dns='208.67.220.123 208.67.222.123'   # ... and use OpenDNS FamilyShield (content filtering)

uci commit network
reboot
ssh -lroot 192.168.77.1

# --------------------------------------------------------------------------------------------------------------------
cp /etc/config/dhcp /etc/config/dhcp.orig
cat > /etc/config/dhcp << EOF
config dnsmasq
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option rebind_protection '0'
list server '208.67.222.123'
list server '208.67.220.123'
option local '/lan/'
option domain 'lan'
option authoritative '1'
option logqueries '0'

config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '20'
option limit '50'
option force '1'
#option dhcp_option '3,192.168.77.1' #default route
EOF

# --------------------------------------------------------------------------------------------------------------------
cp /etc/config/firewall /etc/config/firewall.orig
cat > /etc/config/firewall << EOF

config defaults 
option syn_flood '1' 
option input 'ACCEPT' 
option output 'ACCEPT' 
option forward 'REJECT' 
option drop_invalid '1'

config zone 
option name 'lan' 
list network 'lan' 
option input 'ACCEPT' 
option output 'ACCEPT' 
option forward 'REJECT'

config zone 
option name 'wan' 
list network 'wan' 
list network 'wan6' 
option input 'REJECT' 
option output 'ACCEPT' 
option forward 'REJECT' 
option masq '1' 
option mtu_fix '1'

config forwarding 
option src 'lan' 
option dest 'wan'

config rule 
option name 'Allow-DHCP-Renew' 
option src 'wan' 
option proto 'udp' 
option dest_port '68' 
option target 'ACCEPT' 
option family 'ipv4'

config rule 
option name 'Allow-Ping' 
option src 'wan' 
option proto 'icmp' 
option icmp_type 'echo-request' 
option family 'ipv4' 
option target 'ACCEPT'

config include 
option path '/etc/firewall.user'

# Egress allow-list: fw3 evaluates rules before the lan -> wan forwarding above,
# so only the two ACCEPT rules let traffic out and 'deny any' rejects everything
# else (this also keeps clients on the router's dnsmasq, and its SafeSearch
# entries, for name resolution).
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option family 'ipv4'
option proto 'tcp'
option name 'web traffic'
option dest_port '80 8080 443 8443'

config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option family 'ipv4'
option proto 'tcp'
option name 'mail traffic'
option dest_port '587 110 143 993 995'

config rule
option src 'lan'
option dest 'wan'
option name 'deny any'
option target 'REJECT'

EOF
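A small audit script for the egress policy above, added here as an example (it is not part of the original post): it parses a UCI firewall file with awk, lists the lan -> wan rules in evaluation order, and fails if any ACCEPT goes beyond the TCP port list or the trailing 'deny any' REJECT is missing. It assumes a POSIX sh with awk and sed (busybox on the router is enough); the sample config and its extra TCP/22 rule are constructed for the offline dry run, and on the router you would point it at /etc/config/firewall.

```shell
#!/bin/sh
# Added audit helper (not from the original post): lists lan->wan rules of an OpenWrt UCI
# firewall file in order and checks: ACCEPT only TCP to ALLOWED, then a catch-all REJECT.
ALLOWED="80 443 8080 8443 587 110 143 993 995"

# Print "TARGET PROTO PORTS" for every lan->wan rule, in file order ("any" when unset).
list_egress_rules() {
    awk -F"'" '
    function flush() { if (sec == "rule" && src == "lan" && dest == "wan")
        print target, (proto == "" ? "any" : proto), (ports == "" ? "any" : ports) }
    /^[ \t]*config /           { flush(); split($0, w, " "); sec = w[2]; src = dest = target = proto = ports = "" }
    /^[ \t]*option src /       { src = $2 }
    /^[ \t]*option dest /      { dest = $2 }
    /^[ \t]*option target /    { target = $2 }
    /^[ \t]*option proto /     { proto = $2 }
    /^[ \t]*option dest_port / { ports = $2 }
    END { flush() }' "$1"
}

# Return 0 only if the last lan->wan rule is a catch-all REJECT and every earlier one
# is an ACCEPT for TCP to ports in ALLOWED; otherwise print the first violation, return 1.
check_egress_policy() {
    rules=$(list_egress_rules "$1")
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "REJECT any any" ] ||
        { echo "FAIL: last lan->wan rule is not a catch-all REJECT"; return 1; }
    printf '%s\n' "$rules" | sed '$d' | while read -r target proto ports; do
        [ "$target" = ACCEPT ] && [ "$proto" = tcp ] ||
            { echo "FAIL: unexpected rule '$target $proto $ports'"; exit 1; }
        for p in $ports; do
            case " $ALLOWED " in *" $p "*) ;; *) echo "FAIL: port $p outside allow-list"; exit 1 ;; esac
        done
    done
}

# Emit one UCI rule stanza: src dest proto target dest_port (only used to build the sample).
rule() { printf "config rule\noption src '%s'\noption dest '%s'\noption proto '%s'\noption target '%s'\noption dest_port '%s'\n\n" "$@"; }
# Constructed sample, a trimmed copy of the post's firewall; "with_ssh" as $2 appends an
# out-of-policy ACCEPT for TCP/22 that the check must flag.
write_sample_config() {
    {
        rule wan '' icmp ACCEPT ''                  # like Allow-Ping: not lan->wan, ignored
        rule lan wan tcp ACCEPT '80 8080 443 8443'
        rule lan wan tcp ACCEPT '587 110 143 993 995'
        [ "$2" = with_ssh ] && rule lan wan tcp ACCEPT '22'
        rule lan wan '' REJECT ''
    } > "$1"
}
write_sample_config /tmp/egress-good.cfg && check_egress_policy /tmp/egress-good.cfg && echo "good config: PASS"
write_sample_config /tmp/egress-bad.cfg with_ssh && check_egress_policy /tmp/egress-bad.cfg || echo "bad config: flagged"
```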

# --------------------------------------------------------------------------------------------------------------------
cp /etc/config/wireless /etc/config/wireless.orig
cat > /etc/config/wireless << EOF

config wifi-device 'radio0' 
option type 'mac80211' 
option channel '11' 
option hwmode '11g' 
option path 'platform/qca955x_wmac' 
option htmode 'HT20' 
option country 'CA' 
option txpower '25'

config wifi-iface 
option device 'radio0' 
option network 'lan' 
option mode 'ap' 
option ssid 'KidsNet' 
option encryption 'psk2+ccmp' 
option key 'SecureNet' 
option wmm '0'

EOF

# --------------------------------------------------------------------------------------------------------------------
cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
SIP="216.239.38.120"   # Google's forcesafesearch.google.com / restrict.youtube.com address
echo '# youtube restricted search' > /etc/dnsmasq.conf
for u in www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
do
   echo "address=/$u/$SIP" >> /etc/dnsmasq.conf
done
echo >> /etc/dnsmasq.conf
echo "# mobile client restrictions" >> /etc/dnsmasq.conf
for u in android.googleapis.com www.googleapis.com android.clients.google.com 
do
   echo "address=/$u/$SIP" >> /etc/dnsmasq.conf
done
echo >> /etc/dnsmasq.conf
echo "# google safe search" >> /etc/dnsmasq.conf
for u in com ac ad ae af ag al am as at az ba be bf bg bi bj bs bt by ca cat cc cd cf cg ch ci cl cm cn co.ao co.bw co.ck co.cr co.hu co.id co.il co.im co.in co.je co.jp co.ke co.kr co.ls co.ma co.mz co.nz co.th co.tz co.ug co.uk co.uz co.ve co.vi co.za co.zm co.zw com.af com.ag com.ai com.ar com.au com.bd com.bh com.bn com.bo com.br com.by com.bz com.cn com.co com.cu com.cy com.do com.ec com.eg com.et com.fj com.ge com.gh com.gi com.gr com.gt com.hk com.iq com.jm com.jo com.kh com.kw com.lb com.ly com.mm com.mt com.mx com.my com.na com.nf com.ng com.ni com.np com.nr com.om com.pa com.pe com.pg com.ph com.pk com.pl com.pr com.py com.qa com.ru com.sa com.sb com.sg com.sl com.sv com.tj com.tn com.tr com.tw com.ua com.uy com.vc com.ve com.vn cv cz de dj dk dm dz ee es eus fi fm fr frl ga gal ge gg gl gm gp gr gy hk hn hr ht hu ie im in info iq ir is it it.ao je jo jobs jp kg ki kz la li lk lt lu lv md me mg mk ml mn ms mu mv mw ne ne.jp net ng nl no nr nu off.ai pk pl pn ps pt ro rs ru rw sc se sh si sk sm sn so sr st td tel tg tk tl tm tn to tt ua us uz vg vu ws
do
   echo "address=/www.google.$u/$SIP" >> /etc/dnsmasq.conf
done

# keep the file under /etc/config so sysupgrade preserves it, and symlink it back
mv /etc/dnsmasq.conf /etc/config/
ln -s /etc/config/dnsmasq.conf /etc/dnsmasq.conf
ls -l /etc/dnsmasq.conf

for d in /etc/init.d/cron /etc/init.d/dnsmasq /etc/init.d/uhttpd
do
   $d enable
   $d restart
done
# --------------------------------------------------------------------------------------------------------------------
cd /
wget http://www.bitbull.ch/dl/wifischedule-root.tar
tar vxf wifischedule-root.tar
rm -f wifischedule-root.tar

cp /etc/sysupgrade.conf /etc/sysupgrade.conf.orig
cat > /etc/sysupgrade.conf << EOF
/usr/bin/wifi_schedule.sh
/usr/lib/lua/luci/view/wifischedule/file_viewer.htm
/usr/lib/lua/luci/model/cbi/wifischedule/wifi_schedule.lua
/usr/lib/lua/luci/controller/wifischedule/wifi_schedule.lua
EOF

reboot