
Internet Blocked by Default


petrob

Hi Merlin,

I have to control the time my teenage kid spends on the Internet otherwise he busts my quota limit every month (I don't have unlimited nor wish to have it). At first the Parental Controls worked fine but now he uses some sort of MAC Address spoofing software or plug-in with Chrome that tricks the router into thinking it’s a different computer. So my kid enjoyed 24/7 access to Internet for a while... until I found out. I just can’t keep up adding new MAC addresses every time to the router. He just reboots and gets a new one. (By the way, if anybody knows the name of the software or extension that does that in Chrome, please let me know.)

I used to have a Linksys EA6500v2 which listed multiple instances of his computer. I thought this was due to a known bug in the EA6500 firmware so I tried IP Address reservations. Didn’t work! I wanted better Wi-Fi coverage and better USB 3.0 speed so I switched to an Asus RT-AC68P router. Same issue with MAC Address spoofing.

What's the solution? Disconnect the culprit from the network? That’s what I did. Drastic, but it works! My kid is banned from Internet for the rest of the month. But I’d like a more elegant, permanent solution.

The RT-AC68P (or RT-AC68U) firmware is set by default to give access to Internet to any new MAC address that connects to the network, unless the same MAC Address is added to the Parental Control list in which case Internet is now blocked by default. What if the router’s firmware is reprogrammed to think the other way around? Block Internet to every MAC Address hooked up to the router by default, unless we list that MAC Address in the Parental Controls. That would render my kid's Chrome trick useless, right?

I need your help on this one, Merlin. Is this something you can do easily? That would be just one bit to change from 0 to 1, correct? :) What can be done regarding this?

Thanks for the help, Merlin!

petrob
 
Changing the MAC address requires administrator access. Put a password on the computer's administrator account, and create a limited user account for him to use.

You could also try enabling the Wireless Whitelist access, and enter his real MAC there (as well as those of all your other devices). Any spoofed MAC would be rejected from wifi access.
 
The best solution with a tech smart teenager who is addicted to the Internet is to only allow him/her to connect to a second router which is double NATed behind your primary router. You only tell the teenager the WiFi password for the second router and change the passwords on your primary router. You then have the full flexibility to connect to what you want when you want while the double NATed router is restricted.

Depending on the options of your secondary router's firmware you can turn off the radios for certain periods of the day (DD-WRT is very flexible). You can also totally block Internet access. For this approach to work you need to control physical access to the secondary router so your teenager can't do a factory reset. You also may need to prevent access to your primary router and modem so your teenager can't reset it or install a rogue AP.

In the case of my teenager I ended up having to install both my cable modem and router in a box with a lamp timer to turn them both off at midnight until 6 AM. This was after I caught him dragging his computer down the hall at 4 AM to plug directly into the modem.

If your teenager is still soaking up too much of your bandwidth then set the second router to only support B/G clients on WiFi.
 
Some facts I forgot to mention:

1) That's his own computer (desktop). So he's got administrator rights.
2) He's not on Wi-Fi. He's wired.
3) I can't turn off the router at night. I got my Ooma phone hooked up to it.

The router is out of reach but he's resourceful to say the least. :rolleyes: He may find a way to get access to the router and go for that reset button. A firmware that blocks Internet by default would still work in that case so to me it's still the best solution. Do you think it's at least feasible, Merlin? I'm willing to beta test it. It's a good challenge! Think about it! :D

Regards,

petrob
 
Petrob,

I have asked for this as well. Did you find or try any solution above? I am moving to a new residence that isn't wired so the problem may go away once I have them on wireless, but if there is a plugin for Chrome then we are in the same boat.

Corey
 
@ Corey:

The only trick that works for me right now is to remove the power cable from the cable modem during the night. That cuts off Internet for everybody until I reconnect in the morning but at least my kid can't do anything about it.

But if you want total "radio silence" for a while, enter your kid's computer BIOS, turn off the LAN jack, protect further BIOS entry with your own password, save and exit then watch your kid go cold turkey for a few days. He may be smart, but he sure didn't think of that one! :) (To be sure, lock your own computer BIOS to prevent retaliation.)

I suppose Merlin doesn't have teenage kids so he doesn't know what it's like to go through this nonsense. Someday, soon I hope, he'll realize and do something about it. Cause I can't fix firmware myself.

petrob
 
The best, but by no means smart-teenager-proof, approach IMHO is, as I stated above, a double NATed router for your teenager's use only. I had to fight this battle with an Internet addicted teenager so I know how tough it can be. Threats only go so far.

I know Tomato allows you to set access restrictions by day and time of day for all Internet access including hardwired Ethernet connections. You can also put the router on a lamp timer to power it off when you want to block Internet access.

You just have to be sure that the teenager can't do a factory reset on the router you have set the restrictions up on nor can they connect to the primary router using WiFi or an Ethernet cable.

Worst comes to worse you can glue your Ethernet cables into LAN ports and epoxy over unused ports.
 
@ CaptainSTX:

You're right. The double router trick worked for a while until my kid got access to the routers and rewired the whole thing to his satisfaction.

The only 100% sure way is to have a firmware that shuts off Internet by default to any new MAC address, not the other way around like all the routers on the market today which can be easily fooled by the MAC address spoofing trick.

I went to ASUS forums to ask for a custom firmware for the RT-AC68P to no avail so far. Maybe if you guys in the same situation go there and ask for the same, they'll think twice about it and get it done.

Cheers,

petrob
 
RADIUS is also an implementation that can be used easily regardless of mac address. You assign control over the user which you can use a scheduler for traffic/access and QoS bandwidth limits.

One interesting bit discussed in other threads is hijacking and caching network traffic which if you use Merlin firmware can be done and setting a high minimum TTL time for DNS requests, running your own network services such as NTP, web proxy cache and such.

You can also lock your router in a cage to prevent physical access as what a number of places do to prevent people from just stealing or messing with their gear.
 
Or you can promise that there will be consequences if he messes up with the routers despite your specific orders. Taking away a kid's game controller for instance is a sure way to take away his console gaming privileges...
 
Indeed RMerlin.

I really like such discussion from a technical point of view.

However I am unsure that the right approach would be the prohibitionist instead of the educational one (i.e. explaining why it is not good to be online 24/24).

Maybe it's because my kid is still an infant and he does not know how to surf on the net, yet. :)
 
Finally, I installed Tomato by Shibby (sorry RMerlin!). Tomato can block any MAC (or IP) address not listed as trusted or known. Problem solved!

Wish every firmware had that functionality.
 
Funny, but if he can change his MAC address, he can also clone one of yours which has access. Meaning if you disable his access, he can just become you.

IMHO the 2nd router is the best solution. Or set up a VLAN with Tomato with his own virtual WiFi on a secluded VLAN that you can manage (emulating a 2nd router). Even if he is wired. You can still put his port on the VLAN or 2nd router.

Hell, while you are at it, lock his bios with a password NOW and tell him if he messes with either router that you're locking his network card and usb ports up via the bios.
 
The kid is knowledgeable, but not that much! He's got a Chrome plugin that does it all for him. He's got no idea what a MAC address is. :) I wish I knew what that plugin was! From what I could find out, it's something that works with TamperMonkey. Funny thing is, although this plugin makes up a completely random MAC address, it seems to always use static IP 192.168.1.2, which is my computer's address, and caused my computer to be cut off the network. That's why I need a firmware that works with IP and MAC addresses, not just IP.

The second router is a good idea if your kids don't have access to the router and mess with the cables. My kid can (long story), so Tomato makes it simpler with only one (excellent RT-AC68P) router.

And yes, I already locked his BIOS with my password so if he doesn't behave correctly I disable his LAN port completely. I did it before and he has no clue what's been going on.
 
Tomato can block any MAC (or IP) address not listed as trusted or known.

Could you elaborate a bit this wonderful feature on Tomato for the audience? Curious if the same can be done on Asuswrt-merlin.
 
I don't want to hijack this thread so that it becomes a Tomato how-to guide. This is an asuswrt-merlin thread after all. Let's just say that asuswrt or asuswrt-merlin can only block access to a certain amount (I believe it's 8 or 12 entries) of known MAC addresses. Since my kid has a program that generates a new random address each and every time I run out of slots rapidly.

Tomato has the extra capability to think the other way around, to block all computers except those entered in a "trusted" list of known MAC addresses. I haven't tested if there's a limitation in the amount of entries in Tomato but there doesn't seem to be one. Google for Tomato Access Restriction and check a few screenshots for yourselves.
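
The "block everything except a trusted list" policy described in this post, sketched as iptables rules keyed on MAC+IP pairs. This is an added example, not Tomato's or Asuswrt-Merlin's own code; the `br0` LAN interface, the `LAN_ALLOW` chain name and the sample addresses are assumptions. The script only prints the commands so they can be reviewed before being run on a router.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables commands for a default-deny
# LAN-to-Internet policy. Assumed names: br0 (LAN bridge), LAN_ALLOW (chain).
LAN_IF="br0"
CHAIN="LAN_ALLOW"

# Constructed sample allowlist, one "MAC IP" pair per line.
# The last entry is deliberately malformed to show validation.
ALLOWLIST="AA:BB:CC:00:00:01 192.168.1.2
AA:BB:CC:00:00:02 192.168.1.10
not-a-mac 192.168.1.11"

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_rules "<allowlist text>" -> prints the iptables commands
build_rules() {
    echo "iptables -N $CHAIN"
    # Check every packet routed from the LAN against the allowlist first.
    echo "iptables -I FORWARD 1 -i $LAN_IF -j $CHAIN"
    printf '%s\n' "$1" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        if valid_mac "$mac" && valid_ip "$ip"; then
            # RETURN hands a trusted pair back to the normal FORWARD rules,
            # so the rest of the firewall still applies to it.
            echo "iptables -A $CHAIN -m mac --mac-source $mac -s $ip -j RETURN"
        else
            echo "# skipped invalid entry: $mac $ip"
        fi
    done
    # Default deny: any MAC/IP combination not listed above gets no routing.
    echo "iptables -A $CHAIN -j DROP"
}

build_rules "$ALLOWLIST"
```

As pointed out earlier in the thread, a machine that clones a trusted MAC and takes its IP still matches these rules, so this stops randomly generated addresses rather than deliberate impersonation of a listed device.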
 
I would have taken his desktop and smashed it on the driveway! No way my boy would get away with this... Sounds like a dose of respect is what was really needed here! Just my opinion...
 
I would have taken his desktop and smashed it on the driveway! No way my boy would get away with this... Sounds like a dose of respect is what was really needed here! Just my opinion...

While your reply will sound harsh to most (younger) here, that is exactly what my father did with my electronics back when I was a teen.

Wish more parents were like this today too.
 
While your reply will sound harsh to most (younger) here, that is exactly what my father did with my electronics back when I was a teen.

Wish more parents were like this today too.
LOL, I don't know if I would actually smash it. I can say for a matter of fact I would not set up my network in a manner to prevent my child from accessing the internet. My kid respects what I say. When he doesn't there are consequences. I don't have to outsmart my kid. He respects our rules and understands we set rules for a reason.
 
The kid is knowledgeable, but not that much!
Wait.... just wait..... When he's locked out he'll figure it out. You forget these kids are buried with tech these days. Cloning a MAC address is a single command on Linux and Android. A bit harder on Windows.
 
