How to enforce time-based restrictions on kids' devices

cmihai

Occasional Visitor
Hi,

I am new to ASUS devices and Merlin firmware (just upgraded to Merlin yesterday) and I am trying to transition the router functionality from another router to an Asus/Merlin device (RT-AC86U). With the old router (Gargoyle), I would block kids' devices based on time restrictions. I noticed that with Asus/Merlin, I can tie a device's MAC address to a static IP address and noticed that I can implement time-based restrictions based on MAC address. So far so good, other than the low limit of 64 such static IP assignments - I am assuming this limit is on ASUS, not Merlin.

The challenge I am facing is that these days, many devices (such as phones and iPads) can randomize their MAC address, thus getting assigned another IP address and bypassing any time-based restrictions I have in place. One potential avenue in the Asus/Merlin world would be to whitelist MAC addresses, but I found it cumbersome at best (i.e. only works with wireless connections, have to whitelist on both 2.4 and 5 GHz even though it was listed as a static IP assignment, the ugly limit of 64 entries, what happens with wired connections?). Maybe I am missing something and that is why I am asking for help. Also, time-based restrictions in Asus/Merlin are based on MAC address, not IP - which creates an even bigger headache for me b/c if a device is going to spoof its MAC address, how can I know it beforehand so I can block it?

For comparison purposes, I had a Gargoyle router and over there it was quite easy to implement my requirement: static IP assignment for all devices (in the 1 to 200 range), DHCP would only dynamically assign (in the 201 to 254 range) [as per above, I can replicate the same functionality with Asus/Merlin]. With Gargoyle, I can specify that all IPs in the 201-254 range are not allowed to access the internet [I can't figure out if this is doable with Asus/Merlin or if there are alternative ways to accomplish the same thing]. So, if a device uses its own MAC (or a MAC that is recognized based on the static assignment list), it would get assigned a static IP (in the 1-200 range) and would follow whatever restrictions are in place (for its IP address, which corresponds to a MAC address). However, when a device randomizes its MAC address, then it would get assigned a dynamic IP (in the 201-254 range) and denied internet. The beauty is that whatever device is not recognized by the static assignment would be banned from the internet.

Is there a way to accomplish something similar with Merlin?

Thank you
 
I think you could have better posted it in the Asuswrt-Merlin subforum as you're running Merlin now. You can ask a moderator to move it.

As for the changing MAC addresses, you can disable this function per network, and you don't need this for your home networks, at least on Apple devices (I don't have any experience using Android devices). Using AiProtection > Parental Controls, you can set times or restrict content categories using the device MAC address.

Edit: In addition to my reply, when disabling the randomized MAC addresses you can also use LAN > LAN DHCP > Manual assignments to assign fixed IP addresses based on the fixed MAC addresses.
 
Thanks MvW for feedback, appreciate it.

I googled disabling MAC address change per network and the answer is related to MAC filtering - which is what I was referring to when I mentioned whitelisting MAC addresses (it is a type of MAC filtering, the other type is blacklisting). Let me know if I am missing anything here and it could be implemented in some other way that I am not aware of.
The other things (like time-based restrictions based on MAC address and static IP address) I mentioned (and implemented) as well.

Still, I'm not sure how any of these things (that I implemented already) could help. Here is my scenario: child's iPhone connects with a random MAC (which is standard functionality on iPhone / Android / Windows nowadays) or they install an app that spoofs the device MAC. Since I don't have this new MAC address (it could be anything if spoofed), the Asus/Merlin router would assign a dynamic IP address, which I cannot know beforehand (b/c it is dynamic and not static). As a result, there would be no time-based restrictions in place (b/c I do not know the random/spoofed MAC address).

I am really surprised if there would be no solution to this relatively simple request. I'm quite confident I am not the first to want to implement such rules. And, in addition, it was a piece of cake to implement the same requirement in Gargoyle (where I came from).

Thanks
 
Be a parent, get the kids' phones & devices, turn off random MAC, set a parent password to disallow app install/settings change and warn the kids not to try to change anything.

OK, that is a bit severe. But with mobile devices that can bypass your network, a bit of threat and scare might help. It is much harder to filter browsing content these days. Most routers can do DNS filtering but that is easy to thwart and, as you know, the kids know how to do that. URL/IP based filtering does work but is much harder to do on a home router. One thing is to have a second router for the kids and turn it off at a certain time, but they will then go to cellular.

Better to have a filter that tracks browsing history then use the "stick" method of enforcement.
 
The GUI-based time restrictions aren't designed for blocking ranges of IP addresses. How does it work in Gargoyle? Can you provide screenshots or coding examples? It's very likely that the same thing can be scripted in Merlin but we'd need to see exactly what you're trying to achieve before going off in the wrong direction.
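The Gargoyle policy the original poster describes (static-lease devices get per-device curfews, anything landing in the dynamic DHCP pool gets no internet at all) can indeed be scripted on Merlin, since the firmware's firewall-start hook lets you add your own iptables rules. The script below is an added example written for this thread; it is not code from the thread, from Gargoyle or from Asuswrt-Merlin. It assumes a LAN of 192.168.1.0/24 (the thread never states the subnet), the .1-.200 static / .201-.254 dynamic split from the first post, a chain name KIDS_CTRL chosen here, and iptables with the iprange and time match extensions. Rules are printed rather than executed by default so the policy can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread, not Asuswrt-Merlin's own code):
# a Gargoyle-style "unknown devices get no WAN" policy plus per-device
# curfews, expressed as iptables commands for Merlin's firewall-start hook.
#
# Assumptions: LAN 192.168.1.0/24 (assumed), static pool .1-.200 and dynamic
# pool .201-.254 (from the thread), iptables with iprange and time matches.

LAN_PREFIX="${LAN_PREFIX:-192.168.1}"   # assumed subnet
DYN_FIRST="${DYN_FIRST:-201}"           # first dynamically assigned address
DYN_LAST="${DYN_LAST:-254}"
CHAIN="KIDS_CTRL"                       # chain name chosen for this example

# gen_rules WAN_IF [IP:HH:MM-HH:MM ...]
# Prints the iptables commands instead of running them, so the policy can be
# reviewed (and tested) without changing a live firewall.
gen_rules() {
    wan_if="$1"
    shift
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Rule 1: the whole dynamic pool is rejected on its way to the WAN.
    # DHCP and DNS to the router itself go through INPUT, not FORWARD, so a
    # device with a randomised MAC still gets a lease; it just cannot reach
    # the internet.
    echo "iptables -A $CHAIN -m iprange --src-range $LAN_PREFIX.$DYN_FIRST-$LAN_PREFIX.$DYN_LAST -j REJECT"
    # Rules 2..n: one curfew per static address. The time match accepts
    # windows that wrap past midnight (e.g. 21:00-07:00).
    for spec in "$@"; do
        ip="${spec%%:*}"            # text before the first ':'
        window="${spec#*:}"         # e.g. 21:00-07:00
        echo "iptables -A $CHAIN -s $ip -m time --timestart ${window%-*} --timestop ${window#*-} -j REJECT"
    done
    # Hook the chain into FORWARD for WAN-bound traffic only; delete any
    # earlier copy first so re-running firewall-start does not duplicate it.
    echo "iptables -D FORWARD -o $wan_if -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD 1 -o $wan_if -j $CHAIN"
}

# apply_rules: same arguments as gen_rules, but executes the commands.
apply_rules() {
    gen_rules "$@" | sh
}

# Installed as /jffs/scripts/firewall-start, the script receives the WAN
# interface name as $1. Sample curfew: the kid's phone with static lease .50
# is cut off from 21:00 to 07:00 (constructed sample values).
case "${1:-}" in
    "")     ;;                                              # no args: library use only
    --show) gen_rules eth0 "192.168.1.50:21:00-07:00" ;;    # dry run, placeholder WAN name
    *)      apply_rules "$1" "192.168.1.50:21:00-07:00" ;;  # live run on the router
esac
```

Two caveats worth knowing before relying on this: the iptables time match compares against UTC unless the build supports the --kerneltz option, so check the router's clock and time zone before trusting a curfew window; and REJECT in FORWARD only stops traffic that is routed through the router, so a phone that drops to cellular is outside its reach, as the thread already notes.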
 
In a sense, a lot of what you want done can be accomplished by using a combination of different things.

First, private MAC filtering. I can't speak for Android devices but iOS devices generally do not change their private WiFi MAC addresses when connecting to the same network over time, i.e. a new private MAC address is only generated when a "new" network is encountered or if settings on the iOS device are reset (see https://support.apple.com/en-us/HT211227 for more info). A check on my device logs confirms this. So you should be able to assign IP addresses to their associated MAC addresses via DHCP, but that's administrative overhead I personally would not want to bother with, i.e. you don't need static IPs to do the filtering you want.

You could consider using YazFi guest networks, in combination with some of the other feature scripts available in the Merlin firmware to accomplish the same. "Wayward" Client DNS requests can be forcibly redirected or blocked off.

https://github.com/jackyaz/YazFi
https://support.apple.com/en-gb/HT211949
https://www.snbforums.com/threads/random-mac-address-in-ios-14-may-cause-some-problems.67957/
https://www.snbforums.com/threads/block-all-dns-except.55429/
Reddit article - asus_router_owners_simple_way_to_force_all_dns
https://www.groovypost.com/howto/asus-router-parental-controls-time-scheduling/

Unfortunately, I don't think the usage limitation by time is something that can currently be accomplished, but I could be wrong and the various devs contributing to Merlin's build and addons can confirm. My WiFi networks at home can be disabled based on time criteria, though I don't do so, but this is a feature of the Ubiquiti APs I use, as I do not use the AP functionality on the Asus router for our internet access.

Perhaps some stuff is better accomplished with a combination of these and some parent guidance from you, as someone has already astutely mentioned :p

My 2 cents. Feel free to ignore.

Edit: added link references to various articles.
 
Here is an example; it is GUI-based, no scripting involved.

 
Thank you so much, I will explore the options presented.

Even though iOS devices do not generally change their WiFi MAC address when connected to the same network, it is a simple setting that can be turned on and off at any time - as per the same article. Similarly with Android devices. Just wanted to point out that we can't assume the device will always connect with the same MAC address to the Asus router.
 