Monitoring user activities on home network

terrymate

Posts: 10   +0
I am using Unifi devices (Unifi Dream Machine as router, and Unifi Access Points and Switches). Though the device touts DPI (deep packet inspection), I am not able to get live or recorded/stored visibility of:

-> Where users are going (websites, or apps)
-> Block their usage (websites and/or apps)

Is there a device that I can introduce in the network (without replacing my router) which can monitor users behaviors and block accordingly?

I don't mind using VMs too.

Thanks
 

Gabriel Pike

Posts: 253   +69
Whenever I blocked websites or services I did it through DNS. Using OpenDNS.
You may be able to use something like a pi-hole to get similar results.
 

terrymate

Posts: 10   +0
Whenever I blocked websites or services I did it through DNS. Using OpenDNS.
You may be able to use something like a pi-hole to get similar results.
Unfortunately, instagram app so as whatsapp app (via mobile phone) is not blocked using OpenDNS and alike services. I'm still finding it difficult, any other luck?

What about monitoring?
 

MattS

Posts: 679   +193
Unfortunately, instagram app so as whatsapp app (via mobile phone) is not blocked using OpenDNS and alike services. I'm still finding it difficult, any other luck?

What about monitoring?

With the method gabriel mentioned should work fine.

I run a Pi-hole myself and it should be easily blacklisted by entering the domains. Bear in mind that the mobile app in the background probably has different links/domains which are used to connect to their backends.

You can try a packet sniffer such as Wireshark to trace the domains and block whatever is necessary.
 

terrymate

Posts: 10   +0
With the method gabriel mentioned should work fine.

I run a Pi-hole myself and it should be easily blacklisted by entering the domains. Bear in mind that the mobile app in the background probably has different links/domains which are used to connect to their backends.

You can try a packet sniffer such as Wireshark to trace the domains and block whatever is necessary.

Thank you for the guidance. What about live monitoring of where users on my network are going to?
 

MattS

Posts: 679   +193
Thank you for the guidance. What about live monitoring of where users on my network are going to?
With the Unifi DPI feature you should be able to see this, I think. Maybe some rules have not yet been applied to it if it is not collecting the necessary data.

Pihole also does this.

Edit: For live there are options and sections which shows you when the client was last active and all the timestamps of each query and is easily traceable.

Example: The below has some bad practices. I am showing you my own mobile device. Ideally, since you know whose phone this is, you can set up static reservations/DNS names for devices for easier identification.

1615700111003.png

1615700136369.png

While I think blacklisting and tinkering with this stuff is OK, please be careful, because at the end of the day you should respect others' privacy, especially if this is going to be set up at home.
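The approach discussed above (use the Pi-hole query log to see which names a given device looks up, then blacklist the app's backend domains) can be scripted. This is an added example, not part of the original posts: it parses dnsmasq-format query lines as Pi-hole logs them, and the sample log, client IPs and the `block_candidates` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in dnsmasq query-log format (the format Pi-hole logs).
# Client IPs and the mix of queried names are invented for illustration.
SAMPLE_LOG = """\
Mar 14 09:12:01 dnsmasq[711]: query[A] i.instagram.com from 192.168.1.50
Mar 14 09:12:01 dnsmasq[711]: forwarded i.instagram.com to 1.1.1.1
Mar 14 09:12:02 dnsmasq[711]: query[AAAA] graph.instagram.com from 192.168.1.50
Mar 14 09:12:02 dnsmasq[711]: query[A] scontent.cdninstagram.com from 192.168.1.50
Mar 14 09:12:05 dnsmasq[711]: query[A] www.cnn.com from 192.168.1.20
Mar 14 09:12:07 dnsmasq[711]: query[A] i.instagram.com from 192.168.1.50
Mar 14 09:12:09 dnsmasq[711]: query[A] graph.facebook.com from 192.168.1.50
"""

# Only "query[...] <name> from <client>" lines say which device asked for what.
QUERY_RE = re.compile(
    r"^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} dnsmasq\[\d+\]: "
    r"query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$"
)

def base_domain(name):
    """Naive grouping key: last two labels (wrong for suffixes like co.uk)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def queries_by_client(log_text):
    """Return {client_ip: Counter({queried_name: count})}."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            seen[m["client"]][m["name"].lower()] += 1
    return seen

def block_candidates(log_text, client, keywords):
    """Names one client looked up whose base domain contains a keyword."""
    names = queries_by_client(log_text).get(client, Counter())
    return sorted(n for n in names if any(k in base_domain(n) for k in keywords))

if __name__ == "__main__":
    for client, names in queries_by_client(SAMPLE_LOG).items():
        print(client, dict(names))
    print(block_candidates(SAMPLE_LOG, "192.168.1.50", ["instagram"]))
```

Names that appear only while the app is open but do not match a keyword (here `graph.facebook.com`) still need a manual look before blocking, since they may be shared with other services.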
 

terrymate

Posts: 10   +0
Sadly this is true as the path via the cell tower does not engage the LAN ISP DNS.

All the mobile devices are connected via the wifi (and not via the cell tower). However, the mobile apps must be using backend links that are not seen or blocked by the ISP DNS. That's my opinion.
 

terrymate

Posts: 10   +0
With the Unifi DPI feature you should be able to see this, I think. Maybe some rules have not yet been applied to it if it is not collecting the necessary data.

Pihole also does this.

Edit: For live there are options and sections which shows you when the client was last active and all the timestamps of each query and is easily traceable.

Example: The below has some bad practices. I am showing you my own mobile device. Ideally, since you know whose phone this is, you can set up static reservations/DNS names for devices for easier identification.

View attachment 87579

View attachment 87580

While I think blacklisting and tinkering with this stuff is OK, please be careful, because at the end of the day you should respect others' privacy, especially if this is going to be set up at home.

Thank you and I agree entirely on the privacy concern. What I wish to be able to do is really protect our children (users) by knowing what they do, and also how to block non-good places they may go.

Is there specific app or device which would do the job? I feel pi-hole job is really to block ads.
 

MattS

Posts: 679   +193
Blocking from Pi-hole is simply being suggested since most people already filter out ads and domains with it. It simplifies the setup quite heavily.

What you can do is check with the DPI in Unifi whether you can extract a list of content and block it.

Strictly speaking, you can block any traffic you want from the firewall, but then again, it will take a lot of manual intervention.

What could probably help is investing in software, or looking up a firewall or agent solution which has a predefined block list, and ticking it for the appropriate device.

Sophos have some great solutions. I think Sophos UTM can do the job you are looking for; it's free and can be run in a VM, however this will require quite some tinkering.
 

terrymate

Posts: 10   +0
Blocking from Pi-hole is simply being suggested since most people already filter out ads and domains with it. It simplifies the setup quite heavily.

What you can do is check with the DPI in Unifi whether you can extract a list of content and block it.

Strictly speaking, you can block any traffic you want from the firewall, but then again, it will take a lot of manual intervention.

What could probably help is investing in software, or looking up a firewall or agent solution which has a predefined block list, and ticking it for the appropriate device.

Sophos have some great solutions. I think Sophos UTM can do the job you are looking for; it's free and can be run in a VM, however this will require quite some tinkering.

I read and know about Sophos UTM. However, will this mean I have to replace my current firewall (the UDM router)?
 

MattS

Posts: 679   +193
I read and know about Sophos UTM. However, will this mean I have to replace my current firewall (the UDM router)?

Not really, you can put the UTM vm in-between the Unifi and the clients.

For the scope of this I think it would be best if you check on the unifi solution first.

Do you not have the below section on your unifi controller? You should be able to specify exactly what traffic to block.

1615735655047.png
 

terrymate

Posts: 10   +0
Not really, you can put the UTM vm in-between the Unifi and the clients.

For the scope of this I think it would be best if you check on the unifi solution first.

Do you not have the below section on your unifi controller? You should be able to specify exactly what traffic to block.

View attachment 87582

Yes I do but it is pre-configured, I can't for instance block a site of my own selection. Only configured categories. Also, when I block social media e.g. instagram, it only blocks the website but using app, it works despite it :(
 

MattS

Posts: 679   +193
I think you can add a new category,

tonight I will try to check with wireshark regarding instagram and will let you know.
 

terrymate

Posts: 10   +0
I think you can add a new category,

tonight I will try to check with wireshark regarding instagram and will let you know.

Thank you Matts. I appreciate it.

On a different note, I tried using Pi-hole to block Instagram, but the only thing that succeeded was the web and not the Instagram app.

Out of curiosity, do I install Wireshark on my local PC and then monitor the interface? What's the setup like, and what should I ensure in terms of settings and configuration to monitor?
 

MattS

Posts: 679   +193
Thank you Matts. I appreciate it.

On a different note, I tried using Pi-hole to block Instagram, but the only thing that succeeded was the web and not the Instagram app.

Out of curiosity, do I install Wireshark on my local PC and then monitor the interface? What's the setup like, and what should I ensure in terms of settings and configuration to monitor?
You need a wireless device like a laptop, connected to your home wifi network; that way you can intercept all wireless traffic on your network, including your mobile traffic.

Please remember that any blocking you can do down the line can be easily avoided via vpn or turning 4g on.
 

terrymate

Posts: 10   +0
You need a wireless device like a laptop, connected to your home wifi network; that way you can intercept all wireless traffic on your network, including your mobile traffic.

Please remember that any blocking you can do down the line can be easily avoided via vpn or turning 4g on.

Perfect. So:

1) Install Wireshark on my wireless Mac.
2) Configure capture in promiscuous mode on the wifi interface.
3) View the traffic from the source, i.e. the mobile IP.

Am I on right track?
 

terrymate

Posts: 10   +0
Done. However, there is too much information for me to look into :) What I did to progress is filter the information to only the source IP; however, there are too many protocols: http, tcp, dns, etc. Also, going over each protocol, I was not able to find, for instance, cnn.com when I browsed it; I couldn't see it in any of those protocols. So, is there a guide you can advise? Let's try one thing.

For instance, can I see http(s) requests, and if so, to what sites or IPs are they going? How can I find that out? If you can provide me an example to try, then I will probably be able to find out how devices log in to the Instagram app.

Thanks Matt