MAC address filtering - Wired + Wifi?

[JohnB_123]

Is there a home-based router that someone can recommend that only allows approved MAC addresses to access the network -- including wired clients? Ideally pairs this with a time/scheduling capability. I essentially want what's in ASUS' WRT router firmware & mobile app, but without the 16 device limitation AND the ability to default to block all non-approved MAC address clients. Netgear Armor is very close but I believe it is only for wifi clients, correct?

There's a very crafty teenager in my house that has figured out to IP spoof, use VPN clients, etc to evade time restrictions. After blocking ports, using router controls, using restrictive DNS, pulling the cable, etc -- I've resorted to pulling the PC from his room until I can figure out a method to truly restrict access after a certain hour.

 

[L&LD]

Mac address blocking is an obsolete method to control access to a network.

 

[JohnB_123]

OK, here's my problem: controlling access to the internet by time for specific clients (wifi and wired).

How do you suggest doing that?

Today, Asus does this by associating MAC addresses with users. It has a 16 device limitation and can't handle putting limits on a) spoofed MAC addresses and b) VPN clients.

Netgear's Armor utility does it by associating MAC addresses with users, as well - but it seems to be limited to Wifi only.

Circle (Disney branded, on Netgear's routers as well) also associates MAC address to clients.

 

[L&LD]

Are you running Microsoft 365 (previously Office 365) Home? If so, add the teenager's laptop as a Family account and put in the limitations you seek.

The router won't do what you're asking (it can't know who to allow and who to block).

https://www.windowscentral.com/watch-microsoft-365-consumers-deep-dive-see-whats-new

 

[JohnB_123]

Can’t rely on Microsoft screen time controls- easily skirted with local accounts, PlayStation clients, etc.

 

[L&LD]

Playstation clients, granted. But local accounts are very hard to enable if implemented properly.

 

[JohnB_123]

Playstation clients, granted. But local accounts are very hard to enable if implemented properly.

it’s less of a technical challenge than a functional one- This is a teenager who owns his gaming PC. He saved his money for several years, hand selected components, built the PC and is set up as a local administrator on the machine. What (I gather) you are talking about doing is making him a child account without any local administrative access on the machine. As soon as we do that, he will move to a different device to consume content after hours. Trying to choke this off at the device level rather than at the operating system level.

 

[L&LD]

Then this needs to be done at the parenting level, I believe.

There is nothing 'tech' that will help here, save for commercial installation of network infrastructure equipment.

 

[ColinTaylor]

Once you extend your blocking requirements to include wired Ethernet connections things become much more complicated. Consequently your choices become more limited.

You'd be looking at business class products from the likes of Cisco, Netgear, etc. that can do port or MAC based ACL's. If you then say that you can't trust security based on MAC address (because of spoofing) you'd need to move to an enterprise type setup based on 802.1x and Radius servers.

 

[JohnB_123]

It seems like a very simple request… Block everything unless it has been authorized. Netgear Armor/BitDefender already does this when new WiFi clients join the network - just need to add wired clients to the mix.

 

[L&LD]

Simple requests are usually the hardest to implement correctly in consumer gear.

 

[ColinTaylor]

It seems like a very simple request… Block everything unless it has been authorized. Netgear Armor/BitDefender already does this when new WiFi clients join the network - just need to add wired clients to the mix.

Yes it sounds simple, but as is often the case it isn't.

The thing with WiFi connections is that there's already in place a system for authenticating clients and allowing or denying access - WPA2. With Ethernet there's no such mechanism, you just plug in the cable and you are connected to the LAN. That's where port based ACL's or 802.1x come in. But these are typically not found in home router's.

 

[JohnB_123]

Yes it sounds simple, but as is often the case it isn't.

The thing with WiFi connections is that there's already in place a system for authenticating clients and allowing or denying access - WPA2. With Ethernet there's no such mechanism, you just plug in the cable and you are connected to the LAN. That's where port based ACL's or 802.1x come in. But these are typically not found in home router's.

Well, WPA2 passwords aren't discrete - they are 1:1 per SSID. Client access is managed for wifi clients via MAC address on most consumer routers. Why not simply extend this to wired clients....!

 

[L&LD]

Because that is not how Ethernet works.

 

[JohnB_123]

Because that is not how Ethernet works.

Ethernet doesn't use ACLs?

 

[L&LD]

Didn't say that.

 

[JohnB_123]

Didn't say that.

Oh... isn't this what is fundamentally being used to manage/restrict device-level access by most routers?

Talking about this interface... If Asus raised the device limit from 16 + added a default block option, I'd be set :

 

[Paliv]

For a different option the Gryphon router has this functionality. You can block new devices by default and it watches for MAC address spoofing. However you lose a lot of the finer control over the router because it is security/parental control focused and they don’t give a lot of options to tweak. It’s also expensive.

Edit: it also blocks VPNs.

 

[JohnB_123]

For a different option the Gryphon router has this functionality. You can block new devices by default and it watches for MAC address spoofing. However you lose a lot of the finer control over the router because it is security/parental control focused and they don’t give a lot of options to tweak. It’s also expensive.

Edit: it also blocks VPNs.

Thank you - great feedback.

Does Netgear Armor or Disney Circle provide similar functionality? I’m reading that Circle covers wired clients, as well. Just need to have a default “off until approved”....

 

[distilled]

If a teen is sufficiently motivated and capable, and it sounds like this one is both - you are fighting a losing battle. If he saved up enough money to buy a gaming PC, he may be able to save up the $50/month it costs to get an uncapped, unmetered cellular hotspot, and cut your router entirely out of the equation.

Unless you can get him to sign an IUP, you are fighting this war with the wrong weapon.