How can I turn off internet for roommates that haven't paid the bill this month?

56

11

I have several roommates who split my internet bill with me each month. On occasion they forget to pay me, and I have to pester them for the money.

If after 3 days of pestering they still haven't paid, I create a firewall rule in my unix based router that blocks traffic to their mac address. This proves to be very effective at getting delinquent roommates to pony up the cash.

How could I automate the adding / removing of a mac address to a firewall rule on the 3rd of every month? I'd like a simple way to unblock them for the rest of the month once they pay.

I'm currently using pfsense. While there is a captive portal module, it doesn't support regulating access per user / per month.

How could I automate blocking/unblocking roommate internet access?

spuder

Posted 2014-01-02T02:25:28.360

Reputation: 8 755

14What you're doing right now sounds like the most efficient way about it -- I can't imagine a captive portal solution being anything more than complete overkill. If anything, you could make a simple shell script to automate the rule adds themselves. – NReilingh – 2014-01-02T02:42:08.790

8MAC address are very, very, easy to change and should not be used to form any measure of security. Windows requires one registry edit. Linux requires one command. With one command in Linux he could even copy your MAC address. Seems to me that a better solution would be automate a password change once a month. Restrict access based on your knowledge rather than his lack of there of. – Mark Lopez – 2014-01-02T08:22:18.257

@MarkLopez, you brought up very good point. On my opinion it highly depends on users' education. If roommates are geeks like you - than more serious protection actions must be taken. If roommates are average Windows/Facebook/YouTube users I would be complete happy with MAC address based security. It is highly possible that when you say "MAC address" for them it is same thing as I can build a GUI in Visual Basic and track an IP Address

– VL-80 – 2014-01-02T14:51:47.067

3@Nikolay you're right, MAC address changing might be a more advance topic. However, I just wanted to stress that for reference by our posterity - MAC filtering is unreliable. Additionally, MAC filtering in most cases is not the best solution. I want to displace the numerous tutorials online that say MAC filtering is a good security practice. – Mark Lopez – 2014-01-02T20:39:00.667

For just regulating roommates, mac address spoofing is a very low risk. – spuder – 2014-01-02T21:44:53.237

Keep it on the down low that you're using MAC addresses, again, they're easily spoofed if one knows what their doing. – MDT Guy – 2014-01-03T18:17:30.023

Most of my roommates are not technologically savvy. If they did change their mac, I'd figure it out pretty quickly because I'd notice that they aren't paying, but are still using the internet. – spuder – 2014-01-03T18:19:53.423

Yeah, it really sounds like a captive portal would be overkill... – MDT Guy – 2014-01-03T18:32:52.670

Based on your EDIT. What should happen if they pay you late - on 5-th day, etc ? Should "block day" be moved on 5-th of the next month or it should stay 3-rd? – VL-80 – 2014-01-03T20:53:10.557

The block day won't move. The bill is due on the same day every month. – spuder – 2014-01-03T21:02:30.283

6Bear in mind, everyone, this is a ROOMMATE situation. Instead of trying to block their addresses by MAC, @spuder, I would recommend that you ALLOW only your MAC addresses, and exclude all others. If you have 4 devices then you only allow those. All other MAC addresses (even spoofed) would be excluded. Remember this ONLY an apartment, right? Then, when your sly roomies try to MAC addy spoof... and it doesn't work... you smile. Remember kids: Sometimes it pays to "invert" your thinking... – leo of borg – 2014-01-06T22:08:18.050

And: You can then ask the more responsible roomies 'who pay on time' for their MAC addresses, made a 'preferred pool'... etc. This also cuts unwanted guests from MAC spoofing you as well. – leo of borg – 2014-01-06T22:08:18.050

11

I'm surprised nobody has mentioned the Upside-Down-Ternet yet. Way more fun then just blocking.

– SQB – 2014-01-13T09:53:43.073

I can't help but imagine Dwight writing this question. ;) How is rent paid, and are any of your room mates not using the internet? I find it's better to handle all monthly bills as a lump sump when it comes to paying for things together rather than chasing everyone for electricity, internet, rent, etc. Even better if it can just be set up as a bank standing order. – Ryan Williams – 2014-01-14T14:36:53.107

1It is student housing. The utilities are included in the rent and are paid individually at the front desk of the apartment complex. The internet is google fiber which is in my name. It is the only bill that is split. – spuder – 2014-01-14T15:25:19.593

Cisco Meraki products offer billing systems built right in. You could make them sign up for a plan that worries about making sure they pay you on its own. https://kb.meraki.com/knowledge_base/billing-splash-page-and-sign-in-prompts

– PsychoData – 2014-01-14T17:23:06.117

2Can anyone pair this down to...just websites your kids shouldn't visit before they have their homework done :-D – leeand00 – 2014-01-14T20:04:42.627

Can you negotiate an agreement with the complex to have them also handle the internet payments? Even if it's just paying it to you? – Ryan Williams – 2014-01-15T13:49:56.613

No they won't go for that because they have 500 tenants to keep track off. – spuder – 2014-01-15T17:11:45.860

2

Looks like lifehacker found this question http://lifehacker.com/how-can-i-shut-off-internet-service-for-my-deadbeat-roo-1523049434

– spuder – 2014-02-15T19:03:16.780

Wow. I was wondering why so suddenly I got 5 up votes from old question... – VL-80 – 2014-04-04T23:21:37.623

Answers

33

  1. Make a bash script which adds restrictive iptables rule.
  2. Put this script in monthly cron.
  3. Inside the bash script make a condition - if file ~/do_not_block_friends exists and its modification time is within of month period (stat -c %y filename) - do not run the script.
  4. Once they pay you do touch ~/do_not_block_friends.

Script will run and see that do_not_block_friends was modified, so it will not run iptables command.

If they did not pay you - script will block them.

Once they have paid you run another prepared script to unlock them.

This is general plan without much details, but I do not think it will be hard to figure out rest of it.

Edit:

Here is more simple way of writing such script:

#!/bin/bash

count=`find ~ -maxdepth 1 -type f -name do_not_block_friends -mtime -31 | wc -l`

if [ "$count" -eq 1 ]; then

# Friends have paid. Do nothing;

else

# Friends have not paid. Run iptables command;

fi

We use find command with following options:

  • maxdepth 1 - Do not search recursive
  • type f - Search for file
  • name - Search for this name
  • mtime -31 - Find file which was modified less than 31 days ago

wc -l will count amount of rows generated by the command. It will be 0 if friends have not paid (nothing found) and it will be 1 if friends did pay and we did touch control file.

This script does not calculate amount of days in the month and defaults to 31, I think it is fine since we are not building commercial billing system, but I believe even that can be calculated in bash.

VL-80

Posted 2014-01-02T02:25:28.360

Reputation: 3 867

Cron job is definitely the way to go! – Rob – 2014-01-15T13:46:15.607

14

It might be more than you're looking for, but have you considered looking into setting up wireless credentials using 802.1x authentication against RADIUS as a backend?

RADIUS can be set up to check whatever validator you desire (something you'll probably have to script and store in a database or something) to see if your roomies have paid their rent. When they authenticate and have paid, the RADIUS authenticates them. Otherwise, it doesn't. The positive aspect to this is that you're not relying on filtering on MAC addresses. That way if you have tech savvy roomies, they won't easily be able to bypass the controls you've put in place.

cloaked1

Posted 2014-01-02T02:25:28.360

Reputation: 303

best solution for real life. and would easily be adaptable to new/more roommates or other people like adding your significant other so it wouldnt block them – PsychoData – 2014-01-14T17:25:38.563

sounds simple enough, better than mac filtering and simpler than a portal – MDT Guy – 2014-01-14T18:09:55.030

1

Check whether your bank account or another transaction solution you may use (PayPal?) provides any way of automatic payment notification, like:

  • per-transaction e-mail notification
  • daily transaction summary e-mail
  • some decent API

If any such method is available, all that's left is writing some simple script that would monitor for payments. You may just parse the e-mails from bank seeking for the monthly payments from your friends. You would need a configuration file storing each friend's account number or ID, sum to pay (might also be a global constant) and MAC address.

The script would then adjust firewall entries according to the monthly payment status.

Afterwards, inform your friends of available payment options and - while configuring your firewall - remember to provide your friends with access to the payment mechanism so that they can still pay when missed the 3-day grace period :)

Michał Sacharewicz

Posted 2014-01-02T02:25:28.360

Reputation: 1 944

yea, but then he'll have to pay processing fees, since hes in college thats no good – iamkrillin – 2014-01-14T18:11:51.227