Blocking Wired devices?

If you want to stop them from spoofing then you are going to need some authentication process. Maybe a separate VLAN and change all non used ports to this VLAN so they cannot plug into an additional port to bypass. It won't stop them from unplugging a working machine as that is still physical access.
 
Ok so I need help with this....my two teenagers keep circumventing all my parental controls in Merlin's firmware. I have an Asus RT-AC68P and I set up DNS filtering and time constraints and they (my teenagers) simply spoof their MAC address and change their IP and they can access whatever they want. I have a 40 port switch in my server room and a few access points in my home / business..........I have a "control4" system in my home so that's why I have the switch.......but is there any way to prevent this? It is a major pain in the butt to constantly add new devices to the block list when they can just change it at a whim........HELP?
 
Well; I know how this would be handled in my home, with my children. If they cannot be trusted to not circumvent protections, the pins in the RJ45 jacks of THEIR devices would be carefully broken out of the socket. The wireless passwords would be changed, never to be handed out again. Problem solved.

When did access to MY internet end up being a right, because they match half of your DNA?

How do you trust them at all, doing anything, if they can't follow your rules? Father of 6 boys, age 26 down to 4. Not ever was this, or would this, be an issue longer than 5 minutes.
 
Freddi, so give me some parenting advice...I am a single father and my boys are good kids,,,,, they just don't always listen or do as told all the time. I have yelled......taken away their internet for periods of time etc..... so what do you do to get them to listen better? They are too old to spank.....then again I feel like punching one of them in the face from time to time........but I'm not really into violence and being a single father, their mother would certainly pull some BS saying I was beating them if I did........so enlighten me?
 
I feel for you, I really do. I was a single parent of three, for a period of time, while two were in their early teens. It ain't easy to be the mean dad. I also don't believe in corporal punishment, and it wouldn't work if I did. :) Long and short, do what you did, and pull the internet. Maybe a couple of days, if that doesn't work, a couple of weeks, and if that doesn't work, pull it permanently. It's not a constitutional right, as much as they would like you to believe.

When they tell you that they need it for school, have them stay after school, or go to the library. If they are going to undermine you, and your rules......make sure that they physically can't connect. All the way to pulling the DSL / Cable modem completely out. (Lock it in your trunk for God sakes) or in extreme cases, doing exactly as I mentioned above, and grab a pliers and pull the wires right out of the RJ45 port on THEIR device.

Long and short....If they are going to circumvent your wishes on internet access, how can you trust them not to be pirating music, searching the web for synthetic drugs, writing letters to the White House, or looking at kid porn? If you don't nip this in the bud, it MAY fall back on you, because that connection is YOURS.

I don't want to harp on you, or make you feel bad. I don't want to be an alarmist either. BUT, this is the big world. You need to get your kids to trust you, and listen to you. If you can't then you need to protect yourself.

Good luck, bud. Parenting is a pain, and more so in the internet age. Be tough. If it means they just plain NEVER have internet....so be it. :) (My 2c....that's all.)
 
Parental controls on networks are a touchy subject - and you'll find some very diverse (and sometimes quite vocal) opinions.

There are tools like Circle that can help, and OpenDNS has DNS based controls - put those together with what Asus brings in, you can have a layered approach that works for both Wireless and Wired. Then whether Mac, Windows, or ChromeOS (or Android/iOS for mobile/tablets) there are options there to lock the machines down through various mechanisms...

No single silver bullet, but like for network security - a layered approach is best...

Being a single parent is hard work, no doubt, and this might be one fight that might not need to be done - trust and respect goes both ways, and losing one or both can bring on other problems.

I hope for the best - just keep in mind that kids are very resourceful, and might find ways to get around pretty much any controls one might put in place - I knew of one situation where the kids pooled resources, and picked up a wireless 4G hotspot - which was a bit of a surprise :)
 
I personally prefer that over them doing bad things on the account with MY name on it. :)
 
I don't want to use a physical method like locking something away... It would degrade wireless signal... I just want to protect from users connecting an ethernet cable into my router and access the internet.

I could block them through parental controls but then they could spoof their mac address and make parental controls essentially useless...

Connecting internet cables into my router? Wow! If it is your router, lock it up in an enclosure with good ventilation. Or you can devise something to make it impossible to plug in the cable to your router.
 
In the old days to prevent someone from plugging a phone into a jack in a public area people glued an RJ 11 plug into exposed jacks.


 
HELP please? The problem is this....ok so you all know that the Merlin / Asus router has DNS settings and for example I have OPENDNS as my DNS provider. You set the DNS in the router in the WAN section to point the router by putting in Opendns DNS numbers in WAN>Internet connection>Wan DNS Setting>DNS 1 and DNS 2.
So then in AIProtection >Parental Controls>DNS filtering you turn it on and I put the Global filtering to ROUTER.

So if the above is correct and in Merlin's info on Global Filtering it says it forces DNS settings to all devices. SO if that is true...WHY and HOW can my kids use a VPN to circumvent this? I mean it's still coming from my network......so why does it bypass the DNS settings and allow them to use another DNS? So why is it letting them bypass my DNS settings?

Also why can't we set the router up to NOT keep handing out different IP addresses? I mean.....if I set up my DHCP range from 50 to 75.......then I would have 25 DHCP addresses to auto hand out.......and if I am using 24 of them for devices on my network that would leave 1. SO why can't there be a way to hand out X number of IP addresses on our network and BLOCK all the rest of the IP addresses? Or BIND the device to the IP that was given out......so they cannot change the IP?

I must be missing something, because my idea above would solve all the parental issues it seems that people are having with kids and unwanted users. Then if you handed "Billy" an IP of 192.168.1.67 for his iPhone......he could not change the IP because all the IPs would be blocked or used by other devices.......and then we are left with the DNS issues which stump me, because I don't understand if I have my router set to force all devices to use my DNS settings.....WHY it's allowing VPN connections to use whatever DNS they want is beyond my tech knowledge..........sigh any help?
 
The reason why Parental Controls don't work with software VPN clients is because ALL the traffic (including DNS requests) is being sent through an encrypted tunnel to the VPN provider. That's why it's called a Virtual Private Network, the DNS requests never go to the router.

Regarding IP addresses; DHCP gives out addresses from its pool when requested to. It is not a security service. It does not enforce anything. Clients can choose to use DHCP or ignore it completely. If you want to restrict which clients connect to your network you need to use a device that supports Access Control Lists (ACL) or some other method of network security.
 
Colin....it's not a double post.....I just re-posted it on my OWN thread. AND you give me no answers to my questions or solutions. SO please step off Mr NOT moderator.

And that's funny you say that DNS requests never go to the router? Well let me see.....my router is the GATEWAY to the internet......so EVERYTHING goes through my router. SO there has to be a way to block it. I am so sick and tired of people posting on threads with NO solutions. I know there is a way.....because my office does it.....schools do it........so instead of telling me a bunch of nonsense.........how about just telling me how it's done? Or exactly what I need to get or do to fix my problem.

Sorry if I am coming across as a complete butt......but I have spent the last month JUST trying to get someone at OPENDNS or Dyn to help me and they are useless.....and for some reason in this day and age......companies think they don't have to give PHONE support anymore. I am beginning to think people have forgotten how to talk and only communicate through emails and text chat...........sad very sad.
 
Colin is actually correct. The local tunnel (tunnel being the key word here to understand how it works) endpoint is on their computer, which means everything is put into a packet by their computer, encrypted, and sent to the port used by the VPN provider (typically port 1194 if it's OpenVPN). The router cannot know that within that encrypted packet there is a DNS request, since that traffic is sent to port 1194, not to port 53 - the router can only react on which port is being used at the remote end.

Companies typically block VPN services, that's how they prevent employees from bypassing their firewall rules. That means only allowing specific ports such as 80 (web), 443 (https), etc...

Your only solution there is to block VPN access to these computers - and even then it will be easy to work around, as some providers also offer services on port 80, specifically to bypass firewall rules. The only way to block it at that point is with an enterprise-grade product with deep packet inspection - not something you'll find in a home usage product.
 
Thanks for replying Merlin.......I understand what you're saying, but how do I block the VPNs? Is there a script or something that will block the ability for users on my network to not be able to use VPNs?

And there is my other problem......how do I prevent users from changing their IPs / MAC address. So say I block IP 192.168.1.65, I am finding that the user just changes their IP and circumvents the block. I have tried to bind the IP I assign to the device but that doesn't seem to work. ALL I want to do is give out all my IPs to the devices that are on my network....such as computers......phones.......my control4 system......printers etc..and then BLOCK all other IPs. So no other IPs can come on to my network unless they physically ask me and I unblock that IP.
 
Thanks for replying Merlin.......I understand what you're saying, but how do I block the VPNs? Is there a script or something that will block the ability for users on my network to not be able to use VPNs?

You need to find out what server or port their VPN tunnel uses, and block it on the Network Service Firewall.

And there is my other problem......how do I prevent users from changing their IPs / MAC address.

You cannot. That's something controlled at the client's end, not at the router's end. Anyone can spoof his MAC address as long as they have administrator access to their own computer, same with the IP. Even if you were to only allow a subset of specific IPs, nothing could stop them from reusing someone else's IP. Unplug the printer, and use the printer's IP, for instance.

A DHCP server's job is simply to issue IPs, it does not enforce anything, clients are always free to flat out ignore it.

To go beyond that you'd need, once again, business-class products, with Ethernet-level authentication. Something so advanced that, personally, I've never even encountered such a setup with any of my own customers.
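
Added example, not part of any post in this thread: because DHCP enforces nothing and both MAC and IP are chosen by the client, the router side can still report hosts that DHCP cannot explain. This Python sketch compares a dnsmasq-format lease table with a Linux /proc/net/arp-format table; both tables, every address in them and the static_ok parameter are constructed for illustration.

```python
# Added example: compare what DHCP issued with what is actually live on the LAN.
# Constructed sample data in dnsmasq lease-file and Linux /proc/net/arp layout.
LEASES = """\
1700000000 00:11:22:00:00:01 192.168.1.50 printer *
1700000000 00:11:22:00:00:02 192.168.1.67 billy-iphone *
1700000000 00:11:22:00:00:03 192.168.1.51 laptop *
1700000000 00:11:22:00:00:04 192.168.1.52 desktop *
"""

ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         00:11:22:00:00:01     *        br0
192.168.1.67     0x1         0x2         00:11:22:00:00:02     *        br0
192.168.1.51     0x1         0x2         02:11:22:33:44:55     *        br0
192.168.1.200    0x1         0x2         00:11:22:00:00:04     *        br0
192.168.1.201    0x1         0x2         00:11:22:00:00:99     *        br0
192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        br0
"""

def parse_leases(text):
    """Return {ip: mac} from lease lines (expiry mac ip hostname client-id)."""
    rows = (line.split() for line in text.splitlines())
    return {r[2]: r[1].lower() for r in rows if len(r) >= 3}

def parse_arp(text):
    """Return [(ip, mac)] for resolved ARP entries, skipping the header row."""
    rows = (line.split() for line in text.splitlines()[1:])
    # Flags 0x0 marks an incomplete entry: nothing answered for that IP.
    return [(r[0], r[3].lower()) for r in rows if len(r) >= 4 and int(r[2], 16)]

def locally_administered(mac):
    """True when the locally-administered bit is set (a software-chosen MAC)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(leases_text, arp_text, static_ok=()):
    """List (ip, mac, reason) for every live host that DHCP cannot explain."""
    leases = parse_leases(leases_text)
    findings = []
    for ip, mac in parse_arp(arp_text):
        # static_ok holds (ip, mac) pairs configured by hand on purpose.
        if leases.get(ip) == mac or (ip, mac) in static_ok:
            continue
        if ip in leases:
            reason = "leased IP answered by a different MAC"
        elif mac in leases.values():
            reason = "known MAC on an address DHCP never issued"
        else:
            reason = "host unknown to DHCP"
        if locally_administered(mac):
            reason += " (software-set MAC)"
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(LEASES, ARP):
        print(*finding, sep="  ")
```

A finding is a prompt to check which switch port the host sits on, not proof of spoofing: many phones and laptops randomise their Wi-Fi MAC address by default.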
 
Given the info provided in both threads, my recommendation would be to consider solutions like Untangle with captive portal, content filtering, and firewall. Captive portal could force users to authenticate. The content filtering is similar to what you might see at a large company where certain categories of websites are blocked.

I utilize OpenVPN over port 443 to connect to my company while onsite at customers with restricted networks. It manages to get around almost every corporate network except those with good content filtering that block me accessing my own company's domain and other proxies. It doesn't matter which port or protocol I am trying to utilize if I'm forced to authenticate and can only get to domains/IPs on a white list.
 
