Guest network lockdowns

I have reason now to configure a guest network, at a facility I maintain the network for, to deal with what might be called “untrusted users” - or, a bunch of Jr High/High School students. The goal is to provide network access for legitimate-ish purposes, while still maintaining a solid set of filtering because it is a church building, and, no, I’d rather you not be watching adult material in the basement.

What’s state of the art on this sort of thing these days? Most of it seems to be DNS filtering, and I’m planning to run a local PiHole instance that all DNS is redirected to. Disabling Firefox’s DNS-over-HTTPS seems straightforward enough with their canary domain, though it doesn’t seem like this will actually disable it if the user has forced it on - and there are other browsers that use this too. I would like to force all users on the guest network to legacy DNS only, and anything that looks like DNS gets redirected to the pihole instance.

I’m not aiming to block all workarounds possible (I’m the sort of person who’s prone to leave a SSH daemon running on some server instance on ports 22, 25, 80, 110, 443, and some oddball high ports), but I’d at least rather it not be easy. And, sadly, I don’t control the endpoints. I do, however, have full control over the router and a local Linux server I can use for services.

Suggestions?

Hm… VLAN and isolate the guest network to only be able to hit the Internet, and as you said, the PiHole for DNS filtering? Or if the guest APs are already going to be completely isolated without other SSIDs on them, then stick them in a port on the router and isolate that way.

Not sure about the DNS over HTTPS though. I mean, I get the motivation, but really Mozilla… I guess it’s just because most people just DGAF. Ah, I see what you mean by the canary domain, yeah, should work I’d think. Then again, if they have that, why don’t all the ISPs just implement that, thus rendering the DNS over HTTPS irrelevant? I digress.

I mean, depends on how intrusive you’re OK with, you could go all the way up to requiring your own CA cert to do full on HTTPS-Proxy MITM…but doesn’t sound like you want/need to go that far. DNS filtering should be pretty good. Obviously won’t be perfect, but trying too hard will probably just end up with them finding enough on the Internet at home or elsewhere (or on their phones NOT connected to the WiFi) to find workarounds.

Hm… do you want them to be able to ‘host’ temp game servers like Minecraft or the like? Might be better to have official support/instructions for that, than them having to try and figure out a workaround/VPN/whatever.

I’m using Mikrotik, so it’s CapsMAN - the remote APs are just managed by the main router, and do what it says. No problems there, I’ll blanket the church with the SSIDs.

As part of the change, though, I’m dropping 2.4GHz for everything but the IOT network. Finally.

I like it from the consumer/privacy side. I don’t like it from the network admin side… when I’m told to filter stuff.

Nope, not going to require that for random people’s phones and laptops. However, I don’t want to make it very easy for them to get around the blocks either.

Not My Problem ™. I only care about what is being accessed from the network infrastructure I control.

Uh. No? Think kids doing homework, not a gaming cafe. :stuck_out_tongue:

Sure, that’s how they’re managed, but you did say you wanted the guests isolated from the rest of the network? Wouldn’t you need VLANs to do that properly? Obviously managed through CapsMAN since that’s what you’re using to manage the hardware, but unless my brief reading of it is incorrect, that’s basically just like Ubiquiti’s Controller, e.g. just manages them, doesn’t have anything directly to do with what traffic control/shaping/VLAN/etc is actually present.

Wasn’t sure if this was to also allow social time together, including playing video games. You also didn’t specifically say for homework/educational type purpose, just Jr/Sr HS students (e.g. teens) in the basement. Could have included social gatherings and the like.

Ah, fair.

The VLANs are handled by just having stuff on different bridges and firewalling between them. It works fine.

As for gaming, I can mention it, but I don’t think that’s likely to be a use case. However, if they wanted a local Minecraft server or something, I could certainly do that.

On the wifi client side, I’ve always preferred disabling client-to-client traffic. However, then it prevents people from doing things like bringing in a wifi connected 3D printer for kids to send stuff to, or something like a Chromecast and setting it up and controlling it (requires client-to-client connections). Not sure what other odd use cases you might be interested in supporting. A quick workaround is to use a mifi or tether off a phone.
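
Added example, not part of any post above: a Python check, meant to be run from a client on the guest network, of whether a resolver answers the Firefox canary domain from the first post in a way that leaves DoH off by default. It assumes the local filter answers the canary negatively; the sample responses are constructed, and as the first post notes, none of this affects a browser where the user has forced DoH on.

```python
import socket
import struct

CANARY = "use-application-dns.net"

def build_query(name, qtype=1, txid=0x1234):
    """Minimal recursive DNS query (qtype 1 = A, 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def canary_signals_no_doh(resp):
    """True if the answer is one Firefox reads as "do not enable DoH by
    default": any rcode but NOERROR, or NOERROR with no A/AAAA record."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        return True
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype in (1, 28):
            return False
        off += 10 + rdlen
    return True

def check_resolver(server, timeout=3.0):
    """Live check from a guest client: query `server` over plain UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (server, 53))
        return canary_signals_no_doh(s.recvfrom(4096)[0])

# Constructed sample responses (not captured traffic) for offline use.
QUERY = build_query(CANARY)
NXDOMAIN = QUERY[:2] + struct.pack("!H", 0x8183) + QUERY[4:]
EMPTY_NOERROR = QUERY[:2] + struct.pack("!H", 0x8180) + QUERY[4:]
RESOLVED = (QUERY[:2] + struct.pack("!HHH", 0x8180, 1, 1) + QUERY[8:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Calling `check_resolver` with an outside resolver's address from a guest client doubles as a test of the port 53 redirect: if that resolver would normally resolve the canary, a `True` result means the query was answered by the local filter instead.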