Menu
What's new
By:
Filters Better Search

How to enforce time-based restrictions on kids devices

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

C

cmihai

Occasional Visitor
Hi,

I am new to ASUS devices and Merlin firmware (just upgraded to Merlin yesterday) and I am trying to transition the router functionality from another router to Asus/Merlin device (RT-AC86U). With the old router (Gargoyle), I would block kids' devices based on time restrictions. I noticed that with Asus/Merlin, I can tie a device's MAC address to a static IP address and noticed that I can implement time-based restrictions based on MAC address. So far so good, other than the low limit of 64 such static IP assignments - I am assuming this limit is on ASUS, not Merlin

The challenge I am facing is that these days, many devices (such as phones and iPads) can randomize their MAC address, thus getting assigned another IP address and bypassing any time-based restrictions I have in place. One potential avenue in Asus/Merlin world, would be to whitelist MAC addresses, but I found it cumbersome at best (i.e. only works with wireless connections, have to whitelist on both 2.4 and 5 GH even though is was listed as a static IP assignment, the ugly limit of 64 entries, what happens with wired connections?). Maybe I am missing something and that is why I am asking for help. Also time-based restrictions in Asus/Merlin are based on MAC address, not IP - which creates an even bigger headache for me b/c is a device is going to spoof its MAC address, how can I know it beforehand so I can block it?

For comparison purposes, I had a Gargoyle router and over there is was quite easy to implement my requirement: static IP assignment for all devices (in 1 to 200 range), DHCP would only dynamically assign (in 201 to 254 range) [as per above, I can replicate same functionality with Asus/Merlin]. With Gargoyle, I can specify all IPs in 201-254 range are now allowed to access internet [I can't figure if this is doable with Asus/Merlin or if there are alternative ways to accomplish the same thing]. So, if a device uses its own MAC (or a MAC that is recognized based on the static assignment list), it would get assigned a static IP (in 1-200 range) and would follow whatever restrictions are in place (for its IP address which corresponds to a MAC address). However, when a device randomizes it's MAC address, than it would get assigned a dynamic IP (in 201-254 range) and denied internet. The beauty is that whatever device is not recognized by the static assignment would be banned from the internet

Is there a way to accomplish something similar with Merlin?

Thank you
 
I think you could have better posted it in the Asuswrt-Merlin subforum as you're running Merlin now.. You can ask a moderator to move it.

As for the changing MAC addresses, you can disable these function per network, and you don't need this for your home networks, at least on Apple devices (I don't have any experience using Android devices). Using AiProtection > Parental Controls, you can set times or restrict content categories using the device MAC address.

Edit: In addition to my reply, when disabling the randomized MAC addresses you can also use LAN > LAN DHCP > Manual assignments to assign fixed IP addresses based on the fixed MAC addresses.
 
Thanks MvW for feedback, appreciate it.

I googled disabling MAC address change per network and the answer is related to MAC filtering - which is what I was referring to when I mentioned whitelisting MAC addresses (it is a type of MAC filtering, the other type is blacklisting). Let me know if I am missing anything here and it could be implemented in some other way that I am not aware of.
The other things (like time-based restrictions based on MAC address and static IP address) I mentioned (and implemented) as well.

Still, I'm not sure how any of these things (that I implemented already) could help. Here is my scenario: child's iPhone connects with a random MAC (which is standard functionality on iPhone / Android / Windows nowadays) or they install an app that spoofs the device MAC. Since I don't have this new MAC address (it could be anything if spoofed), Asus/Merlin router would assigns a dynamic IP address, which I cannot know beforehand (b/c it is dynamic and not static). As a result, there would be no time-based restrictions in place (b/c I do not know the random/spoofed MAC address)

I am really surprised if there would be no solution to this relatively simple request. I'm quite confident I am not the first to want to implement such rules. And, in addition, it was piece of cake to implement the same requirement in Gargoyle (where I came from).

Thanks
 
Last edited by a moderator:
Be a parent, get the kids phones & devices, turn off random MAC, set a parent password to disallow app install/settings change and warn the kids to not try to change anything.

OK, that is a bit severe. But with mobile devices that can bypass your network a bit of threat and scare might help. It is much harder to filter browsing content these days. Most routers can do DNS filtering but that is easy to thwart and as you know the kids know how to do that. URL/IP based filtering does work but is much harder to do on a home router. One thing is to have a second router for the kids and turn it off at a certain time. but they will then go to cellular.

Better to have a filter that tracks browsing history then use the "stick" method of enforcement.
 
The GUI based time restrictions aren't designed for blocking ranges of IP addresses. How does it work in Gargoyle? Can you provide screenshots or coding examples. It's very likely that the same thing can be scripted in Merlin but we'd need to see exactly what you're trying to achieve before going off in the wrong direction.
 
cmihai said:
I googled disabling MAC address change per network and the answer is related to MAC filtering - which is what I was referring to when I mentioned whitelisting MAC addresses (it is a type of MAC filtering, the other type is blacklisting). Let me know if I am missing anything here and it could be implemented in some other way that I am not aware of.
The other things (like time-based restrictions based on MAC address and static IP address) I mentioned (and implemented) as well.
Click to expand...

In a sense, a lot of what you want done can be accomplished by using a combination of different things

First, private MAC filtering. I can't speak for Android devices but iOS devices generally do not change their private WIFI MAC addresses when connecting to the same network over time ie. a new private MAC address is only generated when a "new" network is encountered or if settings on the iOS device is reset. (see https://support.apple.com/en-us/HT211227 for more info). A check on my device logs confirm this. So you should be able to assign IP addresses to their associated MAC addresses via DHCP but that's administrative overhead I personally would not want bother with ie. you don't need static IPs to do the filtering you want.

You could consider using YazFi guest networks, in combination with some of the other feature scripts available in the Merlin firmware to accomplish the same. "Wayward" Client DNS requests can be forcibly redirected or blocked off.

https://github.com/jackyaz/YazFi
https://support.apple.com/en-gb/HT211949
https://www.snbforums.com/threads/random-mac-address-in-ios-14-may-cause-some-problems.67957/
https://www.snbforums.com/threads/block-all-dns-except.55429/
Reddit article - asus_router_owners_simple_way_to_force_all_dns
https://www.groovypost.com/howto/asus-router-parental-controls-time-scheduling/

Unfortunately, I don't think the usage limitation by time is something that can be currently accomplished but I could be wrong and the various devs contibuting to merlin'ds bulid and addons can confirm. My WIFI networks at home can be disabled based on time criteria though i dont do so but this is a feature of the Ubiquiti APs i use as I do not use the AP functionality on the Asus router for our internet access.

Perhaps some stuff is better accomplished with a combination of these and some parent guidance from you, as someone has already astutely mentioned :p

my 2 cents. feel free to ignore.

Edit: added link references to various articles.
 
Last edited:
ColinTaylor said:
The GUI based time restrictions aren't designed for blocking ranges of IP addresses. How does it work in Gargoyle? Can you provide screenshots or coding examples. It's very likely that the same thing can be scripted in Merlin but we'd need to see exactly what you're trying to achieve before going off in the wrong direction.
Click to expand...
Here is an example, it is GUI-based, no scripting involved

1618951193007.png
 
amortimer said:
In a sense, a lot of what you want done can be accomplished by using a combination of different things

First, private MAC filtering. I can't speak for Android devices but iOS devices generally do not change their private WIFI MAC addresses when connecting to the same network over time ie. a new private MAC address is only generated when a "new" network is encountered or if settings on the iOS device is reset. (see https://support.apple.com/en-us/HT211227 for more info). A check on my device logs confirm this. So you should be able to assign IP addresses to their associated MAC addresses via DHCP but that's administrative overhead I personally would not want bother with ie. you don't need static IPs to do the filtering you want.

You could consider using YazFi guest networks, in combination with some of the other feature scripts available in the Merlin firmware to accomplish the same. "Wayward" Client DNS requests can be forcibly redirected or blocked off.

https://github.com/jackyaz/YazFi
https://support.apple.com/en-gb/HT211949
https://www.snbforums.com/threads/random-mac-address-in-ios-14-may-cause-some-problems.67957/
https://www.snbforums.com/threads/block-all-dns-except.55429/
Reddit article - asus_router_owners_simple_way_to_force_all_dns
https://www.groovypost.com/howto/asus-router-parental-controls-time-scheduling/

Unfortunately, I don't think the usage limitation by time is something that can be currently accomplished but I could be wrong and the various devs contibuting to merlin'ds bulid and addons can confirm. My WIFI networks at home can be disabled based on time criteria though i dont do so but this is a feature of the Ubiquiti APs i use as I do not use the AP functionality on the Asus router for our internet access.

Perhaps some stuff is better accomplished with a combination of these and some parent guidance from you, as someone has already astutely mentioned :p

my 2 cents. feel free to ignore.

Edit: added link references to various articles.
Click to expand...
Thank you so much, I will explore the options presented

Even though, iOS devices do not generally change their WiFi MAC address when connected to the same network, it is a simple setting that can be turned on and off at any time - as per the same article. Similarly with Android devices. Just wanted to point out that we can't assume the device will always connect with the same MAC address to Asus router
 
You must log in or register to reply here.

Similar threads

onthego41
FYI: Merlin update 3004.388.8_2 wiped my MAC
Replies
3
Views
768
Ryansr
Ryansr
Siff
Setting dnsmasq on Asuswrt-Merlin
Replies
8
Views
700
Siff
Siff
H
DHCP server change Pool Starting Address
Replies
4
Views
372
Tech9
Tech9
Q
Does merlin reset router when assigning DHCP manual IP by MAC?
Replies
11
Views
643
DJones
D
L
Setting up 2 mac addresses to same IP in dnsmasq.conf.add
Replies
6
Views
952
Ripshod
Ripshod
Similar threads
Thread starter Title Forum Replies Date
T [Solved]Configure Policy based routing for transparent proxy Asuswrt-Merlin 6
G Will Merlin firmware based on the new 3.0.0.6 version be available?when? Asuswrt-Merlin 3
A Access Restrictions no longer functional after failed 388.5 update Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 605 (members: 17, guests: 588)
Top