Disable internet to any device

pilotak · November 25, 2017, 11:34pm

I found a beautiful post about disabling internet and I really like the idea being able to control how long the children stay on the internet. So i took it futher, wrote a component that creates a switch based on IP or MAC address. If happens that the device is not connected to the network, it will wait until is and than starts disabling internet.
All the “magic” behind is done by ARP spoofing, this is technically a kind of an attack but is done in your network, which is fine but you should read something about it. I was really suprised how it works that there is no easy defence and is quite easy to set up and since than I do not connect to public Wifi hotspots.

You should follow the arpspoof.markdown in order to install.

Here is an example of config

arpspoof:
  interface: eth0
  scan_interval: 40 # in seconds, optional; how often check for online devices, default is 30 sec

switch:
  - platform: arpspoof
    devices:
      test:
        friendly_name: my name # optional
        address: 192.168.1.105
        icon: 'mdi:laptop' # optional
      test2:
        friendly_name: my other name # optional
        address: 'AB:CD:EF:12:34:56'
        icon: 'mdi:cellphone' # optional

MrIce · March 18, 2018, 11:24pm

pilotak,
Trying this out now. Just one question though, in your arpspoof.markdown file the symlink’s that you reference look like they are all for virtual environments. I actually run homeassistant on Ubuntu 17 (non virtual) and wondered which symlink I should follow? I’ve tried a few of them but they don’t work. Then after I add my switches to homeassistant (and reboot of course) they don’t actually arpspoof. I can still ping the spoofed machine. Where am I going wrong?

mkrice2

pilotak · March 19, 2018, 2:15pm

Hi if your homeasisstant uses same python packages as you (without virtual environment) then you don’t need symlinks. I use them because homeasisstant is in virt.env and doesn’t know about packages i installed locally. Anyway the problem that i found with this spoofing is that when childen turned off wifi on theier mobile and than back on after a while they had an internet connection. Don’t really know why, but when the wifi was on all the time, it worked fine.

Because of that I bought Mikrotik router which allows me the be in control of firewall, so there is where I drop connections to specific MAC address and close all active connections. Mikrotik has a API which i can control through homeassistant , you can find component for that in my repo. I have to say that this method is 100% childproof. The only workaround is to change MAC address of phone/pc.

sparkydave · May 28, 2018, 7:28am

Hi @pilotak this looks pretty awesome, so now I ask the dreaded question… will it work on HassIO? (ie: will the install of scapy be possible?)

pilotak · May 28, 2018, 8:43am

I’m not really sure, i’m not using hass.io since I can’t take control over whole raspberry pi and run other things simultaly

mhell · July 11, 2018, 7:07pm

Has anyone succeeded in installing this to hassio? This would be a really needed functionality with the kids:wink:

cheynespc · September 24, 2018, 10:27pm

im going to devroot debugging hassio into my hassio setup and see if i can recreate this. ill see how i go and report my outcome shortly

anilet · September 24, 2018, 11:44pm

Hello,
I was trying this custom component and I am getting the error
ARP component not initialised!
At the installation stage I could not get the
newgrp homeassistant
command to work as it was asking for a password and I did not have one and the root password didn’t work.

cheynespc · September 25, 2018, 10:42pm

What is your home assistant running on. I’m on hassio and have found this very difficult so far, from what I’ve learnt is that hassio isn’t supported so am trying on my hassbian test rig tonight.

anilet · September 25, 2018, 10:52pm

Mine is on a Ubuntu server with Virtual Env.

cheynespc · September 25, 2018, 11:13pm

right i think i have that as well on an ubuntu server i set this one up fromthis link il have a go with this as well but am pretty sure the hassbian install will work.

ashfaaaa · April 24, 2019, 7:59am

anyone had any luck installing this on HASSIO.

kinghost · May 14, 2019, 3:49am

I install ARP component in hassbian 0.92.2 step by step in arpspoof.markdown
after reboot pi
The log show error :

2019-05-13 06:39:06 ERROR (MainThread) [homeassistant.setup] Setup failed for arpspoof: No setup function defined.
2019-05-13 06:39:17 ERROR (Thread-14) [custom_components.arpspoof.switch] ARP component not initialised!

My file in custom_component is /arpspoof/
init .py
arpspoof.py
manifest.json
switch.py

how to fix it. thanks

pilotak · May 14, 2019, 10:16am

Hi i had to drop the support for that one as it is not reliable see above, but i’m open for anyone to contribute

timseebeck · May 16, 2019, 9:22am

Hi @pilotak
You posted one year ago that you have moved to a Mikrotik router solution. I think I will follow your steps. Since I’m not an IT guy, I’ve been reading a lot the docs at Mikrotik website these past nights. The devices are very flexible, which also means a bit complex to start with. But, hey, life is learning. If you don’t mind, right now I have two questions:

Which router do you use? I was considdering this one My flat is around 110 squared meter and just one floor.
I’ve seen your github. I see the custom component but not the scripts to stop connections. Am I missing something?

Thanks a lot for your guidance!

pilotak · May 16, 2019, 11:35am

That’s exacly why chose Mikrotik due to its flexibility.

I use this one and at my friend’s home there is this one where he is using it for the same purpose. But any Mikrotik will be fine
It’s generic component for running scripts not just for disabling internet.

Here is the guide in Mikrotik

Create separate login credentials for HASS
Create firewall rule: Chain=forward, Src. MAC Address=00:00:00:00:00:00 (select device address), Action=reject, Reject With=icmp admin prohibited after save you will see an id of the rule ie.: 10 (you will use this number in scripts)
Give your device static IP address in DHCP section ie.: 192.168.0.100
Create script with name internet_tom_on this will enable firewall rule you created above (it will block new connections), next line is also important as it closes all connections made before enabling firewall rule

/ip firewall filter enable 10
:foreach i in=[/ip firewall connection find where src-address~"^192.168.0.100:.*\$"] do={ /ip firewall connection remove $i }

Create script with name internet_tom_off

/ip firewall filter disable 10

In HASS config:

script:
internet_tom_on:
    sequence:
      - service: mikrotik.run_script
        data:
          name: internet_tom_on
      - service: input_boolean.turn_on
        data:
          entity_id: input_boolean.internet_tom

  internet_tom_off:
    sequence:
      - service: mikrotik.run_script
        data:
          name: internet_tom_off
      - service: input_boolean.turn_off
        data:
          entity_id: input_boolean.internet_tom

input_boolean:
  internet_tom:

switch:
  - platform: template
    switches:
      internet_tom:
        value_template: "{{ is_state('input_boolean.internet_tom', 'on') }}"
        turn_on:
          service: script.turn_on
          data:
            entity_id: script.internet_tom_on
        turn_off:
          service: script.turn_on
          data:
            entity_id: script.internet_tom_off

timseebeck · May 16, 2019, 11:55am

Thanks a lot! Very useful and detailed explanation! I’m definitely moving to your approach. I’ll come back when I set it up. Thanks again!

Edit: it seems that you and your friend have the same device (you put the same link; anyway, glad to hear that anyone will be ok, thanks)

pilotak · May 16, 2019, 1:04pm

sorry, corrected

timseebeck · May 30, 2019, 6:11pm

And two weeks later… just to let you know that this works beautifully. Thanks a lot!

7even · May 30, 2019, 6:41pm

Does this also work with UniFi?