Does anyone know of a solution that would let me slow down access to certain websites, ideally just for certain devices?
I feel like I wouldn't just default to opening HN and reddit all the time on my phone if I knew it was bandwidth capped to dial-up speeds. But if there was something critical there, I would still have access.
How slow of a connection would you need to emulate to get HN to be painful to use? It's just text. I've never done that most evil hacker thing of View Source, but can't imagine it being shockingly bloated.
HN looks like it would do well back in the 14.4 dial-up days. Hell, it would probably be okay using an I/O port on an Arduino at 9600 baud.
A traffic shaper can do that, but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify. As long as HN and Reddit don't share edge servers with things you want unshaped, it should be straightforward.
The "only for certain devices" part would probably mean putting those devices in a VLAN and only shaping that VLAN's uplink.
A router like pfsense should be able to do all of that.
But I am far from a network engineer, so don't quote me...
> but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify
Not necessarily... if you're not using ESNI, then the traffic shaper could sniff the server name from the Client Hello message, then use the TCP sequence numbers to track the individual TCP connection.
Oh nice. I knew about SNI but didn't realize there would be a perfectly persistent trail from that packet onward. If a site being shaped and a site not being shaped shared an edge server (say they both use Cloudflare or something) there's no chance that the TCP connection gets shared for both? Not disagreeing, just thinking out loud naively.
They have moved from ESNI to ECH. ECH is being rolled out in stages. Maybe the rollout is complete by now. I don't know. ESNI was available worldwide. I used ESNI for years outside the browser with a custom openssl binary. Although both encrypt SNI, ESNI was less complex and is not compatible with the latest versions of ECH.
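To make the point in the comments above concrete (plain SNI is readable by anyone on the path, while ECH leaves only an outer "public" name visible), here is an added example that is not part of the thread: a small Python parser for a TLS ClientHello that pulls out the server_name extension and notes whether an ECH extension is present. The ClientHello bytes are constructed inline rather than captured, the ECH codepoint 0xfe0d is assumed from the ECH drafts, and the ECH payload is a zero-filled stand-in, not a real encrypted inner hello.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint (assumption: value used by recent ECH drafts)


def build_client_hello(server_name, ech=False):
    """Constructed minimal TLS ClientHello record; not captured from any real client."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech:
        payload = b"\x00" * 8                                       # constructed stand-in, not a real ECH payload
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (b"\x03\x03"                                             # client_version
            + bytes(32)                                             # random (constructed zeros)
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # TLS record header


def inspect_client_hello(data):
    """Return {"sni": str|None, "ech": bool} for a complete ClientHello record, else None."""
    if len(data) < 9 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len or hs[0] != 0x01:                          # truncated or not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 34                                                        # skip version (2) + random (32)
    try:
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        result = {"sni": None, "ech": False}
        if pos == len(body):                                        # no extensions block at all
            return result
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_ECH:
                result["ech"] = True
            elif etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_type = edata[2]                                # list length (2), then name_type
                name_len = struct.unpack("!H", edata[3:5])[0]
                if name_type == 0 and len(edata) >= 5 + name_len:
                    result["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        return result
    except (IndexError, struct.error):                              # malformed lengths
        return None


if __name__ == "__main__":
    print(inspect_client_hello(build_client_hello("news.ycombinator.com")))
    print(inspect_client_hello(build_client_hello("public.example", ech=True)))
```

When ECH is in use the only name a shaper on the path can read is the outer one (the cover name the client advertises), so an IP-based rule is the fallback; without ECH the first packet of the handshake already names the site in clear text.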
A linux box running squid between you and the open internet? Tailscale (or whatever) on your mobile devices to force them in, too?
I'm just spitballing. My bona fides are nothing more than memories of reading about the upside-down-ternet and fiddling with primitive QoS features on elderly routers, but I'm sure this is the right post on the right forum to get a real solution.
You'll need something that can do traffic shaping and you'll also have to segment your network somehow. This will cost you roughly $1000 at least in hardware. Unless you really really want to learn about networking, it's likely not worth the effort.
You can have professional level packet filtering by using OpnSense (FOSS) on any not too slow used PC if you are a home or SOHO user, or on new dedicated hardware that costs half of that money or less. If you are ok with consuming more energy by using older hardware, there are many big brand used firewalls converted to OpnSense or PfSense that can be bought almost for peanuts online. Just search for "pfsense" or "opnsense" on Ebay for example.
This is the only European-based vendor I'm aware of, aside from PCEngines, whose hardware is excellent but not comparable wrt performance for heavy use. I'm sure there are cheaper similar solutions, especially from the Far East; also some interesting offers from the US and UK, although shipping and import fees make them a lot less appealing (for us in the EU).
Pfsense is free (if you already have a server to run it on) and a switch with vlan support (not a managed switch, just a smart switch) can be had in the $100 range. Probably need an AP/SSID per vlan though, assuming the vlan awareness stops at the switch.
Yeah it all depends. They may need to buy access points and a switch and a device to run the shaping. Depending on how many ports they need on the switch, it's really easy to hit $1k if you don't buy the cheapest no name stuff you can find.
No, just not shitty Netgear or home equipment. I have a Fortigate, 2 Cisco APs, and a 48 port Juniper PoE switch. Obviously it depends on how many devices you have and what kind of quality you're looking for.
I'm not sure where you're getting that price from. If you're already running pi-hole on something like a Raspberry Pi you can just use Linux's traffic shaping tools. That's all you really need for a home network.
If the Pi isn't the gateway (which it likely isn't) that's not going to be trivial. Even if it was, fiddling with iptables isn't exactly easy. How are you going to identify devices? MAC? DHCP reservations? Static IPs? That's not a trivial project.
Why would you buy a firewall? If you're already running Linux just use that or use the one in the WiFi router you probably already own. You don't need 2 APs, I don't know where you're getting this from. It's a home network. And why would you need an 8 port switch? You just need 2 ethernet ports on your Linux box to pass the connection through to the Wifi router.
> How are you going to identify devices? MAC? DHCP reservations? Static IPs?
Yes.
> That's not a trivial project.
I do this stuff all the time, it's not rocket surgery.
Because I value uptime. I don't want my garbage PC that runs PiHole to crash and totally take down the network.
I have many hardwired devices, they may not.
I need two APs as I live in an older house and I get crappy reception in my basement. I also want a guest and IoT network so I chose to use VLANs to segregate, which requires switching and APs that can do that.
Yes, if you do this all the time (I do too) it's not that hard. But it's certainly not a beginner project.