How to block certain traffic for all users

[threeoten]

Hi, our rural nonprofit has a limited bandwidth satellite connection (150gb/month) and often we keep running out and I am suspecting that it has to do with automatic updates, spotify, etc. I've tried policing everyone and turning off their auto updates, but it is only so effective. I'm now wondering if there is a way that I can just block, for example, apple's software update servers or spotify? I've tried using the "block traffic" feature and parental control features in the router setup, but nothing seems to actually work.

We have a Netgear WNDR4500 router currently but would seriously consider getting new gear if need be.

Thanks for any advice.

 

[Ketchup]

If these are Windows 10 Computer, some good suggestions here:

https://www.google.com/amp/s/www.groovypost.com/howto/manage-windows-10-data-usage/amp/

The best one to start with being the metered connection setting IMO.

 

[JackMDS]

In general this process of protection has to be done by using Central Pro Server system (costly).

Otherwise the individual Clients can be configured (like Ketchup mentioned above).

That said, Individual configuration might be vulnerable to changes done by users that do not want to cooperate.

 

[threeoten]

Our problem is that we have so many people here and also a lot of people who come and go as visitors too, it turns into a big project just to keep tabs on everyone's usage. It seems like it be such a simple thing, to block access across the network to specific sites, but I guess not?

 

[Lordhumungus]

What about setting up something like a Raspberry Pi with PiHole? It's intended use is ad-blocking (which may help save you some bandwidth anyway), but I suppose there'd be nothing stopping you from blacklisting certain items you don't want people to have access to.

You could potentially even review the logs of some particular IPs on the network you suspect of overdoing it and using that as a guide for what you want to stop access to.

You might even be able to do it temporarily as a way to flush out the problem users ("hey, why doesn't my youtube work???" #karatechoptothedome).

Not sure if this would be practical for your uses and might be overly aggressive as it blocks entire domains, but maybe worth a shot for ~$50 invested?

 

[Ketchup]

In a way, you are talking about 2 different things: controlling bandwidth for your organization, and controlling bandwidth of everyone who walks in. I am setting up a network for a church, witch a 4g connection that may have a lower data cap than yours, and I told them flat out not to give the congregation access to their wifi until they get a better connection (and yes, I have already foumd and given them the details on what they would need to do for that). The reason I am telling you this is because I believe you need to do the same. As the IT guy, you can have some control over people within your organization. For people coming in from the outside, you basically have nill. I personally would not be offering Internet to outsiders untill an unlimited solution becomes available.

 

[threeoten]

It's an educational nonprofit farm and community so people live here full time. Problem is that no one has cell service here and people are often here for several days. also I think some of the people who live here might be culprits too.

 

[threeoten]

If blocking certain sites isn't doable, Is there any way to monitor how much bandwidth each device is using so I can more easily track the usage?

 

[Lordhumungus]

You could try the Gargoyle firmware on a router that supports it. I've never used it myself, but heard the name kicked around in discussions I've had with folks.

 

[HutchinsonJC]

A lot of the higher tiered consumer routers will show pie graphs of data usage per machine per day/month, etc, and some will even show you, as best as it's able, the exact website or type of traffic that data is being used on. Most of these routers will also allow you to setup various QoS settings where certain types of traffic get priority or QoS settings where certain machines are limited to a maximum bandwidth usage.

Your largest bandwidth consumption is almost certainly going to be video. You could make some attempt at forcing people to watch youtube at 360p by lowering everyone's bandwidth to ~300kb/s from a higher quality router. I mean, they could try and force 720p from their device, but it'd be a terrible experience watching buffer animations. So they basically would have to leave the quality on auto or put it on 360p/240p.

The other big one I suspect, is probably FB. There's options where you can turn off the automatic loading of videos both in the phone app and the website, but then you're relying on every individual to turn that auto loading functionality off themselves. The autoload is meant so that as you scroll through a feed, you can watch the video as you scroll down, and then when you click the video you get the audio. The auto load of these videos is turned on by default, so basically anyone using FB and scrolling their feed has videos constantly loading in the background. As you scroll down the feed, the next video that'll be coming up is pre-buffering/downloading... then as you pass that video in the feed, it stops and the next one starts.

 

[HutchinsonJC]

How many people are typically using this network at a time? How many of them are employees that you have more control over in telling them how they can/cannot use the network resources?

And is it an open wi-fi? Anyone can drive by or sit outside and connect to it? I don't know where your building is in relation to how trafficked the roadway there is or if people walk up/down the sidewalk outside of your building, regularly, etc. If it's an open wi-fi, it might be a good idea to put a password on it and rotate out that password every couple of months or something to try to minimize access for those that should no longer have access.

 

[ch33zw1z]

First, no guest access should be available until you get off the metered connection.

Second, look into something like a Sonicwall to management per IP bandwidth

 

[Genx87]

Any UTM device should be able to block sites, apps, and even packet shape.