Setting up a Gargoyle router
This is a guide to configuring Gargoyle for a family or share house, to ensure everyone plays fair with your internet connection. It will cover mainly quotas, time limits and site blocking, and the settings to make it as difficult as possible to bypass the restrictions you put in place.
- You already have a suitable router with Gargoyle version 1.2 or later installed. If you don't, this is not the correct place to start. Instead, go to the Gargoyle project page. This guide does not cover installing Gargoyle, or what type of router is needed, except to say that I have tested it on a Linksys WRT54GL and I am now using an Asus WL-500GPv2. Either will work fine, but the Asus has double the RAM and Flash memory (meaning possibly better performance).
- Your internet connection and wireless network are already configured and working through your Gargoyle router.
- You have some basic knowledge of networking, IP addresses, MAC addresses, and how to find them.
- The devices connected to your network are known and relatively static, occasional visitors are ok.
Start with a device list
You first need to know all the devices normally connected to your network. This could include PCs, Servers, PVRs, VoIP hardware, other routers, game consoles, iPhones, etc. In your list give each one a meaningful name, assign it an IP address, and if possible find out it's MAC address. You can type "arp -a" in a command window to list devices currently on the network. The IP addresses you assign can be any address in the same subnet as the Gargoyle router. The default range available is 192.168.1.2 to 188.8.131.52. The actual addresses used are not important, but it is critical that each device is assigned a fixed address. The exception is for occasional visitors, for these an optional DHCP address range is used (say 5 to 10 addresses).
Configure your devices (Connection > DHCP)
If required, enable the LAN DHCP server and set a small address range for visiting devices.
Then add a Static IP for each of your known devices, entering a hostname and MAC address. Note that the hostname can not include spaces (use underscores instead). The static IP addresses should not be within the DHCP range configured above. Make sure you tick the box to block alternate addresses. This will prevent anyone manually over-riding their own IP and getting a new quota! Adding hostnames also makes monitoring easier as they are shown in place of IP addresses on most status screens.
Setting up Quotas (Firewall > Quotas)
Firstly you should decide what type of quotas you require, and start with a "catch all" minimum that applies to the entire network.
- Download only, Combined or Upload only
- Daily, Weekly or Monthly reset
- How many megabytes per quota period
Personally I recommend daily combined quotas for fairest sharing in a family setting. Then the monthly download allowance from my ISP is divided by 30 days, then by 5 people. A bit extra can be added as it's unlikely all devices will use their full quota every day. Once you have come to a value, add it as a quota for "All individial hosts". A bit of monitoring and trial and error may be needed to adjust the quota if required. The example below gives a 300MB daily quota to each device on the network.
Then you can add extra quota exceptions if required, for example to limit night time use of the VoIP phone, or give the parents larger quotas.
Setting up Time Limits (Firewall > Restrictions)
As with quotas, you should set these up to apply to the entire network, then add exceptions if required. All the enabled restrictions are added together and applied, so they can overlap without a problem. Each one can be enabled or disabled as required for special circumstances.
When adding/editing a rule, give it a meaningful description and fill out other details as needed. Generally they should apply to all hosts and restrict all internet access. Enter the hours of restriction in 24 hour format.
Then you can add tighter restrictions for individual devices (eg, earlier cutoff for a younger child).
It is possible to have restrictions on only certain protocols (eg. to block a game or MSN) but that is beyond the scope of this guide. You should experiment with the port and protocol settings if this is required.
You can add individual addresses to the exceptions (white list) for unrestricted access if required. Keep these to a minimum.
Blocking access to websites using restrictions
You can also block access to websites, but since millions of new pages are created every day this would require constant updating. It's not really all that useful as a filter unless you just need to block a few specific sites. I don't know how it would affect performance if you had a large list here.
For younger kids you could use a whitelist of allowed sites for specific PCs. This may be more useful than trying to block things!
If you are concerned about inappropriate websites being accessed, switch on web monitoring through Status > Web usage. You can exclude some devices from this monitoring if required. Make it known that you are relying on trust but can check this at any time; this is often a better aproach than relying on filtering.
Blocking access using OpenDNS
If you really want to do website filtering, a better solution in my opinion is to use OpenDNS. Here I will explain how to set that up in Gargoyle. For more help with OpenDNS itself refer to their website. If you need different restrictions on each PC, then K9 Web Protection is my recommended solution. In fact you could use both OpenDNS and K9.
- You need to create a free OpenDNS account.
- Add a network to your account and give it a name (eg. HOME). You'll need your WAN IP address as shown on the Gargoyle status page.
- Set up the OpenDNS filtering level (low/moderate/high/custom) on your created network.
- Configure Gargoyle to keep your WAN address up to date with OpenDNS (if you have a dynamic IP).
- Configure Gargoyle to use OpenDNS servers and block access to others
Go to Connection > Dynamic DNS and add a new service. Select opendns.com and enter your new account username and password. Click the force update button and make sure the last update date and time is shown, this confirms that your settings are correct.
Go to Connection > Basic and enter OpenDNS server IP addresses. Select the oprion to force these DNS servers to be used, otherwise a manual DNS setting on any client PC could bypass it.
Tips to prevent bypassing the restrictions
This is not a 100% failsafe solution, since it is based on IP addresses. A technically competent user may be able to partially bypass your restrictions. To reduce the chances of this you should use all the security options mentioned previously and summarised below.
- Secure your wireless network using WPA or WPA2 encryption. There is no point using WEP, MAC address filtering or SSID hiding as these are all easily bypassed. Don't believe those that say "it's an extra layer of security"; it's pointless and just makes administering your network harder.
- Block MAC addresses assigned a static IP that connect from a different IP. This can still be bypassed using MAC spoofing though.
- Have the most restrictive quota and least restrictive time limits apply to the entire network. That way, someone getting a different IP will still be subject to some restrictions, as will guest devices.
- Keep whitelist and exceptions to a minimum, and try to keep those addresses separate and secret.
- Assign a hostname to all known fixed IP addresses. That way any rogue addresses will be more obvious on the various status pages.
- Monitor website and quota usage now and then, and investigate any rogue IP addresses that appear.
- Have a clear policy to deal with breaches of the rules (eg. no internet for a week)
General tips for Gargoyle
- If possible, leave your Gargoyle router on the default IP address (192.168.1.1) as this makes firmware upgrades far easier.
- Back up your configuration regularly after changes and before any firmware upgrade, using System > Backup / Restore.
- Use only individual IP addresses in your settings, not ranges (unless you have a good reason to do so).
to be continued...