Sal's

New home network rig

Old system

New system

Why?

I originally had no intention of embarking on this project or spending this much money. I just wanted to block porn on my home network, since I have two young kids in the house.

I started with Cloudflare for Families. Cloudflare (its family resolvers are 1.1.1.3 and 1.0.0.3) and some other companies offer DNS servers configured to refuse lookups for “inappropriate” content. You just point your home router’s DNS at those servers, and voila, the bad stuff is blocked, at least for every device that actually asks the router’s resolver. It couldn’t be much easier.

Preliminary testing in Chrome signaled success. Chuffed, I considered this a job well done. That is until I went to test it on my kid’s iPad. I tapped pornhub.com into Safari, smugly confident that, the moment I hit enter, I’d see This site can’t be reached. Instead, I saw This is an adult website and a prompt to confirm I’m 18.

Brow: furrowed.

I guessed this had something to do with Apple’s privacy features, and sure enough, some Googling revealed that it can be due to two things. The first is iCloud Private Relay. When it is enabled, Safari browsing (and insecure HTTP from other apps) is sent through two relays, one run by Apple and one by a partner, and DNS lookups go out as encrypted queries to those relays, so the router’s DNS settings are never consulted and a DNS-based filter never sees the names. The second is Safari’s own privacy features, mainly the option to hide your IP address, which uses the same relay infrastructure, and the advanced tracking and fingerprinting protection (ATFP) feature. I still need to read about how these work.

Well, crap. I can disable both of these features, of course, and I did. But that feels like a flimsy defense against the expanding mind of a smart kid. I find it ironic that Apple’s efforts to keep us safe online make it very difficult for us to keep our kids safe online.

In any event, I’d need something more robust for this plan to work.

Phase 2: Ubiquiti Unifi and copious floundering

I started hunting for guidance on disallowing Private Relay at the network level. The official guidance from Apple is to have your DNS resolver return a negative answer, either “no error, no answer” or NXDOMAIN, for mask.icloud.com and mask-h2.icloud.com; when those lookups fail, the device concludes the network does not support Private Relay and falls back to ordinary connections that your filter can see. Apparently another option, which complements the first, is to force the use of your configured DNS servers by capturing outbound DNS requests on port 53 at the gateway and redirecting them to your resolver, so a device with hand-entered DNS servers still gets your answers. (Such a rule does not catch encrypted DNS over HTTPS or TLS on ports 443 and 853, which has to be handled separately.) In either case, my old Google Wifi pucks don’t allow that advanced level of configuration.
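To make the DNS side of Apple’s guidance concrete, here is a small added example (my own illustration, not code from the post or from Apple) of a UDP resolver that answers NXDOMAIN for the two Private Relay hostnames and any name beneath them, and forwards everything else to an upstream filter. The upstream address, the use of 1.1.1.3 and the sample query built by build_query are assumptions for the demo; the packet handling uses only the standard library.

```python
"""DNS sinkhole for iCloud Private Relay probe names.

Answers NXDOMAIN for mask.icloud.com / mask-h2.icloud.com (and subdomains)
and forwards every other query unchanged to an upstream resolver.
Added example; upstream choice and sample query are assumptions.
"""
import socket
import struct

BLOCKED_SUFFIXES = ("mask.icloud.com", "mask-h2.icloud.com")
UPSTREAM = ("1.1.1.3", 53)   # assumed: Cloudflare for Families resolver
RCODE_NXDOMAIN = 3


def parse_qname(packet, offset=12):
    """Return (lower-cased name, offset just past the name) for the first
    question name.  Questions never use compression pointers, so reject them."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), offset


def is_blocked(name):
    """True for the relay hostnames themselves or any label beneath them."""
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def nxdomain_response(query):
    """Build an NXDOMAIN reply: same ID and question, AA=1, RA=1, RCODE=3."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, qend = parse_qname(query)
    qend += 4  # skip QTYPE and QCLASS
    resp_flags = (0x8000            # QR: this is a response
                  | (flags & 0x7800)  # copy opcode
                  | 0x0400            # AA: authoritative for the sinkholed zone
                  | (flags & 0x0100)  # copy RD
                  | 0x0080            # RA
                  | RCODE_NXDOMAIN)
    header = struct.pack("!HHHHHH", qid, resp_flags, qdcount, 0, 0, 0)
    return header + query[12:qend]


def build_query(name, qid=0x1234, qtype=1):
    """Construct a standard recursive A query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def rcode(packet):
    """Extract the RCODE from a DNS packet's flags word."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def handle(query, forward):
    """Sinkhole blocked names; hand everything else to forward(query)."""
    name, _ = parse_qname(query)
    if is_blocked(name):
        return nxdomain_response(query)
    return forward(query)


def forward_udp(query, upstream=UPSTREAM, timeout=2.0):
    """Relay a raw query to the upstream resolver and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        data, _ = s.recvfrom(4096)
        return data


def serve(bind=("0.0.0.0", 53)):
    """Run the sinkhole; malformed queries and upstream timeouts are dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            query, client = s.recvfrom(4096)
            try:
                s.sendto(handle(query, forward_udp), client)
            except (ValueError, IndexError, socket.timeout):
                pass


if __name__ == "__main__":
    serve()
```

On a real gateway you would not run this script; the same effect in dnsmasq (which Pi-hole uses) is `address=/mask.icloud.com/` and `address=/mask-h2.icloud.com/`, which make it answer NXDOMAIN. Either way it only helps for queries that reach your resolver, so it pairs with a NAT rule redirecting outbound port 53 to it.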

Well then, I thought, maybe this is an excuse to upgrade our aging network hardware to something more modern and prosumer! The Ubiquiti Unifi line sprang to mind, as one of the smarter geeks I’ve worked with is a big proponent of that stuff. I went down the research rabbit hole on and off for weeks.

At one point I had $800 worth of Unifi hardware in my shopping cart and almost pulled the trigger. But I hesitated. First, I’d read a few too many complaints that Unifi stuff is great when it works, but it can be a royal PITA to debug when it doesn’t. I didn’t love that risk. It’d be fun to learn more about network hardware admin, but I want to do that on my terms and timeline.

Second, despite lots of searching, I still hadn’t found any clear explanation of how to disable Private Relay on a Unifi gateway. I found some people saying it should be a feature request. I found others saying you can totally do it with JSON network rules. I found others saying yeah but JSON network rules are confusing and poorly documented. Sigh.

My gut was telling me that I’d spend nearly a grand on this stuff and end up with a set of new and more complicated obstacles. And so my search continued. I read all the home-router roundups. I asked my nerdier friends for their recommendations. I read about Pi-hole, pfSense, and OPNsense. Nothing felt quite right.

I was getting fed up with this side quest.

Firewalla for the win

Along the way, I’d seen Firewalla mentioned. I glanced at their products once or twice, but $300-400 just for a firewall/router device seemed overkill. As my search went on, however, Firewalla stayed on the short list of options I hadn’t ruled out, so I decided to take a closer look.

I found one Redditor who said they moved from Ubiquiti to Firewalla specifically to be able to redirect DNS, forcing devices to use your preferred servers. Hey, that’s what I’m trying to do!

Another highly voted Reddit comment concluded:

The day I got [the Firewalla], I essentially replicated my entire pfSense setup in 30 minutes. The app is just so super easy and well designed. I love the early access “Users” feature that lets me attach rules to a collection of devices belonging to a single user. It’s a brilliant way to keep my kids a little safer online. … I feel about my Firewalla like I did about my first TiVo in 2004. It’s really rare for a product to impress me so thoroughly, but it’s just superb in my opinion.

Wow, that’s cool, and it was in stark contrast to all the comments I’d read about other devices and their steep learning curves.

What sealed the deal was when I then Googled firewalla private relay. Boom. The top hit was official, easy-to-grok docs on how to block private relay with a Firewalla. No caveats, maybes, or gotchas.

For the first time, one device began to emerge from the fray. It still felt expensive, but I wagered the time it’d save me with its intuitive UX and thorough docs would be well worth the cost.

I’ll share my first impressions in a separate post. So far they’re very good!