
[SOLVED] Please help with firewall rules for errant daughter's devices


apcr.com

Occasional Visitor
SOLVED

My teenage daughter has begun a habit of getting online in the wee hours of the morning and not sleeping. The situation is complicated, as she has a mental illness. Not sleeping is bad for her health and we need to lock her access down so she's not doing this.

Her devices are assigned IPs between 160 and 170 (on prefix 192.168.1.~)

What I would like to do is block this IP range between midnight and 7am from accessing LAN and WAN.

I'm using Merlin 380.68_4 on a Netgear R7000

Thanks to anyone who can help me make this work.

J

[edit] The issue with this matter - and the reason I posted was because the parental controls that come with Merlin firmware - which are very good - were missing from asuswrt merlin on netgear r7000

so if anyone comes to this thread with missing parental controls on Merlin on an R7000, the fix - kindly provided by ColinTaylor is:

Code:
"Enable BWDPI" under "Tools - Other Settings" and then reboot

if you have no parental controls r7000 this should put them back into the menu.
 
Wired or wireless access?

Is shutting off the router an option?
 
When it's time for bed simply take her devices away until morning. Router control is in the parents' hands. Make rules and stick to them.
 
When it's time for bed simply take her devices away until morning. Router control is in the parents' hands. Make rules and stick to them.

Excellent!

I was wondering how many posts it would take for a criticism of parenting rather than an actual solution to the question! Two replies was the magic number!

To address the actual question... Have you played around with the parental controls in the AiProtection tab? There is an option there to do time based filtering of specific devices (Parental Controls / Time Scheduling).

I've not used it but it appears to do what you're looking for.

Good luck!
 
Excellent!

I was wondering how many posts it would take for a criticism of parenting rather than an actual solution to the question! Two replies was the magic number!

Indeed. A favorite response (kinda...) of mine was that they were grandparents of a child who'd lost their parents through drugs or poor care and that the child would literally go crazy if they assumed the caretakers had taken any action against them, by physically assaulting them. (In that case, IIRC, setting a schedule for traffic-shaping rules that would impersonate a poor/laggy connection was the best answer.)


Yeah, there are "easier" answers, but I think that sticking to the topic is important, especially with touchy subjects like parenting. We are a networking forum... not a parenting forum...
 
Wired or wireless access?

Is shutting off the router an option?

Wireless only.

It's a household of 5 people, and I am very likely to become persona non grata if the others don't have internet access, so, probably not.
 
To address the actual question... Have you played around with the parental controls in the AiProtection tab? There is an option there to do time based filtering of specific devices (Parental Controls / Time Scheduling).

I don't think I have that tab. Where is it located?
 
I don't think I have that tab. Where is it located?
When you have logged into your router, look on the left side of the screen. You'll see the first set of tabs/buttons is marked General, and the set below is headed Advanced Settings. Third one down under the General heading is AIProtection. Select it and you'll then see Parental Controls in the middle of the page which then displays.
 
When you have logged into your router, look on the left side of the screen. You'll see the first set of tabs/buttons is marked General, and the set below is headed Advanced Settings. Third one down under the General heading is AIProtection. Select it and you'll then see Parental Controls in the middle of the page which then displays.

Thanks for your reply.

I don't see it

(screenshot)

http://prntscr.com/h7oilt
 
My teenage daughter has begun a habit of getting online in the wee hours of the morning and not sleeping. The situation is complicated, as she has a mental illness. Not sleeping is bad for her health and we need to lock her access down so she's not doing this.

Her devices are assigned IPs between 160 and 170 (on prefix 192.168.1.~)

What I would like to do is block this IP range between midnight and 7am from accessing LAN and WAN.

I'm using Merlin 380.68_4 on a Netgear R7000

Thanks to anyone who can help me make this work.

J

Maybe buy an ASUS router? I'm a lousy parent, too. I've done exactly what is being suggested for years on my RT-AC68 and Merlin FW. My kids' devices (all on wifi, and selected by MAC address) are all restricted, generally from 10PM to 5AM on school nights, 11PM on non-school nights as a treat. Of course their phones still can use the cellular network, so this is a leaky solution. (On my AT&T service I can disable their cellular data but only by the month, not overnight.)
 
Thanks for your reply.

I don't see it
Those controls are likely not included in a non-Asus router. It would be against the terms of use if they were.
People running that firmware (XVortex) usually get short shrift on this forum as it is not made, supported or endorsed by Merlin. That said, I think we have sympathy for your situation.

If you head over to the "official" XVortex thread you will see the solution to your problem. All further enquiries would be best asked there.

http://www.linksysinfo.org/index.ph...in-on-netgear-r7000.71108/page-48#post-292085
 
It looks like you might get there with the web ui, the 'firewall' icon in the list on the left of your screenshot. Be aware that under the hood the firewall is driven by 'iptables' and it is possible to write a custom script to add and remove iptables rules, which could be run on a schedule. That would give ultimate flexibility and precision, but has a stiff learning curve.

I don't have an N7000 but I am on the same release, though as Colin just noted there may be significant differences. Hopefully what I write here will get you started, no guarantees it will work or matches your firmware.

In the firewall page go to the Network Services Filter tab. Try adding a test rule for a device you are going to test with (not the one you are configuring the router with..). Figure out the IP address of that device and confirm you can get to, say, snbforums.com.

In the top half, select:
* Filter table type: black list
* Well-known application: www (you may want 'user defined' later)
* Tick the day it is today, untick the rest (while testing, you can add days later)
* Tick the time you want (say 'now' to 'now+2h')

In the bottom half, there should be a Network Services Filter Table.
Type in source IP: 192.168.1.<yourdevice>, destination IP: 0.0.0.0, protocol: TCP. Destination port: 80. Leave the other columns blank.
Press the '+' at the right hand side to add the new rule, which will make use of the time settings and the IP settings.

Now hit 'apply' and wait while the router sorts itself out.
Then test if your device can surf the web. You may want to clear your browser cache and restart your browser.

If this works, then you've reached the beginning. Add another rule that looks the same except destination port: 443 (this is what secure - https - sites use).


If all that worked, try widening the port range.
First delete the rules you have.
Set Well-known application: user-defined
Fill out a rule in the table, source IP: <test device> dest IP: 0.0.0.0. This time leave the Destination Port blank. I expect this will block traffic on all ports but it may not.
Add the rule (+) and Apply, then test.

If it isn't working you might have to enter a port range, 1-65535, and Apply, then retest.

Once you can block your test device you can copy the rule for the target devices, one 'block all ports' rule for each IP address. You may need two rules per address, one with protocol: TCP and one with protocol: UDP; it depends on what your child is doing. Finally, widen the time range to your requirements.

One thing I don't know is if each rule you add to the table can have a different time or if the same time settings are applied to all the rules in the table. The latter seems more likely.
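
The scripted alternative mentioned at the top of the post above (iptables rules added and removed on a schedule), sketched as an added example that is not part of the original post or of any firmware. It assumes a BusyBox-style `sh`, the address range from the opening question, and a hypothetical script path `/jffs/scripts/curfew.sh`; the `cru` lines in the closing comment are an assumed way to schedule it on Asuswrt-Merlin.

```shell
#!/bin/sh
# Added example (not from the thread): curfew for the poster's range
# 192.168.1.160-170, midnight to 07:00. Dry-run unless APPLY=1.
PREFIX="192.168.1"; FIRST=160; LAST=170
START_H=0; END_H=7          # block while START_H <= hour < END_H

# Print iptables commands for "on" (block) or "off" (unblock).
# FORWARD covers routed (WAN) traffic, INPUT covers the router itself.
# Traffic bridged between two LAN clients normally bypasses these chains.
curfew_rules() {
    case "$1" in on|off) ;; *) echo "usage: curfew_rules on|off" >&2; return 2 ;; esac
    i=$FIRST
    while [ "$i" -le "$LAST" ]; do
        for chain in FORWARD INPUT; do
            # Delete first so repeated "on" runs do not stack duplicates.
            echo "iptables -D $chain -s $PREFIX.$i -j DROP 2>/dev/null"
            if [ "$1" = on ]; then
                echo "iptables -I $chain -s $PREFIX.$i -j DROP"
            fi
        done
        i=$((i + 1))
    done
}

# True when hour (00-23, as printed by `date +%H`) is inside the window.
in_curfew() {
    h=${1#0}; h=${h:-0}     # strip leading zero so "08" compares as 8
    [ "$h" -ge "$START_H" ] && [ "$h" -lt "$END_H" ]
}

# Execute the generated commands only when APPLY=1, otherwise show them.
run() { if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi; }

case "${1:-}" in
    on|off) curfew_rules "$1" | run ;;
    # "auto" re-creates the block after a reboot or firewall restart,
    # both of which discard manually added rules.
    auto)   if in_curfew "$(date +%H)"; then curfew_rules on | run; fi ;;
esac
# Assumed scheduling on Asuswrt-Merlin (cru is its cron helper):
#   cru a curfew_on  "0 0 * * * APPLY=1 /jffs/scripts/curfew.sh on"
#   cru a curfew_off "0 7 * * * APPLY=1 /jffs/scripts/curfew.sh off"
```

Rules keyed on source IP only hold if each device keeps its address, so pair this with a fixed MAC-to-IP binding on the router. Test it against a spare device first, as the post above suggests for the web UI rules.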
 
If you can run the FreshJR Qos script you can emulate a laggy connection for any device by simply classifying them as the lowest priority group and then setting this group to have low bandwidths via the script. All can be scheduled to flip between bandwidths and classification groups
 
Don't know if your firmware has this but on my Asus router I use :

Network Map > Clients [click Icon not list] > Client Status , choose device > set Mac and IP Binding > then set Time Scheduling .


 
What I would like to do is block this IP range between midnight and 7am from accessing LAN and WAN.

A few months ago I tried to use Parental Control on an Asus RT-AC66U running Merlin 378.56_2.

Stupidly, I did it in a hurry without much testing.

When the device I had blocked tried to access the Internet "out of hours", it displayed a message which made it very clear why Internet access did not work.

This meant I was unable to feign ignorance and explain that "the Internet must be down". This was very inconvenient and I would have preferred a much more discreet message.

I have never used XVortex and don't know if it too will display this sort of message, or if such a message would be a problem for you

(Please let's not have a discussion about technical solutions versus making rules. I had my reasons.)
 
Those controls are likely not included in a non-Asus router. It would be against the terms of use if they were.

I figured it out.

No idea why it's like this, but I found the path (http://192.168.~.~/ParentalControl.asp) online and pasted it into the address bar. When I do this, the page comes up. It's not in the menu though(?) - I wondered if it might be a browser or cache issue but it does the same thing on other - vanilla - browsers too.
 
(Please let's not have a discussion about technical solutions versus making rules. I had my reasons.)

I have had a lot of these sort of discussions online over the years (my oldest kids are teens now) and it's pretty much always the case - as others have pointed out here - that there are a lot of people on networking forums who see posts about family matters as an invitation to pontificate their parental wisdoms.

It's definitely a thing.

This is not so much a concern for me as I plan on just telling her what's happening. She messed up and this is the consequence. End of story.
 
Don't know if your firmware has this but on my Asus router I use :

Network Map > Clients [click Icon not list] > Client Status , choose device > set Mac and IP Binding > then set Time Scheduling .

Thanks so much for taking the time to do this. Very helpful.
 
In the top half, select:
* Filter table type: black list
* Well-known application: www (you may want 'user defined' later)
* Tick the day it is today, untick the rest (while testing, you can add days later)
* Tick the time you want (say 'now' to 'now+2h')

If this works, then you've reached the beginning. Add another rule that looks the same except destination port: 443 (this is what secure - https - sites use).


If all that worked, try widening the port range.
First delete the rules you have.
Set Well-known application: user-defined
Fill out a rule in the table, source IP: <test device> dest IP: 0.0.0.0. This time leave the Destination Port blank. I expect this will block traffic on all ports but it may not.
Add the rule (+) and Apply, then test.

Thank you so much for this. Very helpful :)
 
