New router with ability to lock down users (teenager)

Damien360

Hi folks

I have an asshole teenager in the house and when he throws a tantrum the wifi gets switched off which effects us all.

So, the wife wants an app to lock down the network for specific people. That brings me to netgear genie app.

We use Virgin media with the technicolor modem. XB1/PS4 also and a phone connection. So I want to avoid double Nat.

I am looking at the R7000 or similar. I need some future proofing and I am wondering if there is a need to go to another model higher in the food chain.

Is this possible with my setup and taking into account future upgrades to compal router from VM and IPv6.

Pro Hoc Vice

Damien360 wrote: »

Hi folks

I have an asshole teenager in the house and when he throws a tantrum the wifi gets switched off which effects us all.

So, the wife wants an app to lock down the network for specific people. That brings me to netgear genie app.

We use Virgin media with the technicolor modem. XB1/PS4 also and a phone connection. So I want to avoid double Nat.

I am looking at the R7000 or similar. I need some future proofing and I am wondering if there is a need to go to another model higher in the food chain.

Is this possible with my setup and taking into account future upgrades to compal router from VM and IPv6.

Any router should be able to lock down to set mac addresses, easy to do.

Damien360

Pro Hoc Vice wrote: »

Any router should be able to lock down to set mac addresses, easy to do.

The wife specifically wants an app she can use to just lock it down with a button press. That's why I am looking at netgear.

CSSE09

If it was me I'd just get a router that can support multiple ssids (guest network). Give the teen the password for the guest network only, need to disable access would just be a simple login and disable.

Cuddlesworth

Damien360 wrote: »

The wife specifically wants an app she can use to just lock it down with a button press. That's why I am looking at netgear.

Its a very odd series of circumstances but having looked at it, the netgear would work. I can see a number of ways to get around it though, depending on how smart the kid is.

Alanstrainor

Cuddlesworth wrote: »

Its a very odd series of circumstances but having looked at it, the netgear would work. I can see a number of ways to get around it though, depending on how smart the kid is.

These kind of situations always bring out the problem solver in people (especially teenagers!). He could see himself learning a decent bit of networking in the process. Not a bad thing!

Damien360

Cuddlesworth wrote: »

Its a very odd series of circumstances but having looked at it, the netgear would work. I can see a number of ways to get around it though, depending on how smart the kid is.

He is no fool but it would give us a little more control for now on Internet time. It's a pain in the ass gathering up all the wireless devices and causes confrontation. It's easier to just block it.

Damien360

Alanstrainor wrote: »

These kind of situations always bring out the problem solver in people (especially teenagers!). He could see himself learning a decent bit of networking in the process. Not a bad thing!

He would consult YouTube. Kids way of looking things up as text is just a pain

Tinder Surprise

Asus routers would give you some options.

I have an Asus AC66U which you can do up a roster of which devices are allowed on the internet and when.

also there is an app available which would give you access to all the router functionality, and also a simple slide switch that can be set for immediately preventing a certain device from having internet access.

Damien360

Tinder Surprise wrote: »

Asus routers would give you some options.

I have an Asus AC66U which you can do up a roster of which devices are allowed on the internet and when.

also there is an app available which would give you access to all the router functionality, and also a simple slide switch that can be set for immediately preventing a certain device from having internet access.

Looks to be very similar to the netgear one. Not a huge price difference either. I'll take a closer look at that one also.

Damien360

A quick update.

The R7000 arrived and works (almost)

I set VM DHCP off, Firewall Off (would'nt work otherwise), had to leave all the settings for IP passthrough and uPnP page enabled, wireless off. Placed the netgear IP in DMZ.

I set the netgear WAN to 192.168.0.2. All devices connect via 192.168.1.xx LAN range by DHCP. Internet is possible on all devices, wireless on 5GHz and 2.4GHz is like a rocket (much better than VM). The web app on android and iOS works lovely and will block any device and everyone else can continue on as normal.

But, he has figured a simple workaround in about 20 mins. He is twelve. He goes to fixed IP for the device and off he goes again. The device does not appear to block via mac address but by assigned IP. We can block again after that but it is a bit odd.

There is an option to operate in Vlan/bridge mode and I wonder should I also set this. PSN is showing NAT 3 but I appear to have multiplayer. XBOX live is showing OPEN NAT so that appears sorted. Any ideas ?

Cuddlesworth

Damien360 wrote: »

A quick update.

The R7000 arrived and works (almost)

I set VM DHCP off, Firewall Off (would'nt work otherwise), had to leave all the settings for IP passthrough and uPnP page enabled, wireless off. Placed the netgear IP in DMZ.

I set the netgear WAN to 192.168.0.2. All devices connect via 192.168.1.xx LAN range by DHCP. Internet is possible on all devices, wireless on 5GHz and 2.4GHz is like a rocket (much better than VM). The web app on android and iOS works lovely and will block any device and everyone else can continue on as normal.

But, he has figured a simple workaround in about 20 mins. He is twelve. He goes to fixed IP for the device and off he goes again. The device does not appear to block via mac address but by assigned IP. We can block again after that but it is a bit odd.

There is an option to operate in Vlan/bridge mode and I wonder should I also set this. PSN is showing NAT 3 but I appear to have multiplayer. XBOX live is showing OPEN NAT so that appears sorted. Any ideas ?

The race begins. You can blacklist everything and then white-list certain things.

http://kb.netgear.com/app/answers/detail/a_id/24830/~/configuring-access-control-on-nighthawk-wi-fi-router

If the VM device has a bridge mode, then you should turn it on so the netgear can pick up a public IP by DHCP on its WAN port. But you don't want it on the netgear itself.

Damien360

Cuddlesworth wrote: »

The race begins. You can blacklist everything and then white-list certain things.

http://kb.netgear.com/app/answers/detail/a_id/24830/~/configuring-access-control-on-nighthawk-wi-fi-router

If the VM device has a bridge mode, then you should turn it on so the netgear can pick up a public IP by DHCP on its WAN port. But you don't want it on the netgear itself.

I am using access control but it is simpler than that. I can see all the devices, with very nice graphical display and their IP addresses on my laptop and phones. But the MAC address does not appear to be used.

The VM device does not have a true bridge mode. We also use their telephone service (rarely used oddly enough - mainly for the house alarm) so the modem would need to remain active.

Cuddlesworth

Damien360 wrote: »

I am using access control but it is simpler than that. I can see all the devices, with very nice graphical display and their IP addresses on my laptop and phones. But the MAC address does not appear to be used.

The VM device does not have a true bridge mode. We also use their telephone service (rarely used oddly enough - mainly for the house alarm) so the modem would need to remain active.

Would need to see it in person, but if I read it correctly, the method I posed is a whitelist. In other words, it blocks all IP addresses and then grants access to only specific devices. What your doing is adding things to a blocked list, rather than granting access. But to be honest, all he has to do is figure out a working address thats offline. Then if you MAC block, he can spoof working MAC addresses.

Speedwell

If this can be made to work, it would be an ideal solution to the common problem of roommates and housemates who don't pay their share of the communications bill. Then you only have to work on the problem of "social hacking", lol.

my3cents

I found one way to do this was to use two routers or one router and an access point.

You just lock the main router down to allowed devices only and then anyone can connect to the access point or second router (set a good admin password so your not locked out) then just make whatever change is necessary on the second device to disable access from its web interface when necessary.

I have a system that has bandwidth control so instead of blocking a device which is obvious to the user I throttle them back to very low speeds and make a fuss that the internet is playing up again - my own form of social engineering

Cuddlesworth

Speedwell wrote: »

If this can be made to work, it would be an ideal solution to the common problem of roommates and housemates who don't pay their share of the communications bill. Then you only have to work on the problem of "social hacking", lol.

https://www.gargoyle-router.com/

Does what you would like.

my3cents wrote: »

I found one way to do this was to use two routers or one router and an access point.

You just lock the main router down to allowed devices only and then anyone can connect to the access point or second router (set a good admin password so your not locked out) then just make whatever change is necessary on the second device to disable access from its web interface when necessary.

I have a system that has bandwidth control so instead of blocking a device which is obvious to the user I throttle them back to very low speeds and make a fuss that the internet is playing up again - my own form of social engineering

In most systems, you can bypass the way the hardware does restrictions because networks are fundamentally open systems. The only way around the issue is doing something like 802.1x authentication.

Damien360

Cuddlesworth wrote: »

Would need to see it in person, but if I read it correctly, the method I posed is a whitelist. In other words, it blocks all IP addresses and then grants access to only specific devices. What your doing is adding things to a blocked list, rather than granting access. But to be honest, all he has to do is figure out a working address thats offline. Then if you MAC block, he can spoof working MAC addresses.

Thanks for your help. I went through the R7000 manual and there is no whitelist.

this is what I see, straight from the manual. It looks lovely, easy to understand, very functional but lacks brains. It all appears to be IP block based.

my3cents

Damien360 wrote: »

Thanks for your help. I went through the R7000 manual and there is no whitelist.

this is what I see, straight from the manual. It looks lovely, easy to understand, very functional but lacks brains. It all appears to be IP block based.

...

I would guess that the device uses the MAC address, just using the IP would be pointless as renewing the DHCP IP address could get around that.

However what they might have done is create a DHCP reservation for that MAC address and then blocked the IP which would be easy to do but easy to get around.

All you can do is try it. Obviously looks like changing the MAC address or cloning one that is allowed would probably get around that but if you are warned of new connections then just block them as they appear. Check you aren't blocking your own cloned MAC address and locking yourself out

Cuddlesworth

Damien360 wrote: »

Thanks for your help. I went through the R7000 manual and there is no whitelist.

this is what I see, straight from the manual. It looks lovely, easy to understand, very functional but lacks brains. It all appears to be IP block based.

The App is, the web interface isn't.

You can enable whitelisting in the webinterface, which I linked to before. I don't know how well that interacts with the App itself, you would have to test that.

You can also MAC filter in the web interface.

This is all very pointless when you have no control over your son though. He can physically reset the box when if he figures that out, he could enable wifi back on the vodafone box and swap to that. There are tons of ways he can get around it. Since he already figured out that the block is IP based and he figured out what IP addressing was, I'd say this method of punishment is lacking any real teeth.