how to -Ethernet- Mac address whitelist asus built in firmware

Or, you can just put the networking equipment in a secure area and do the non-hackable thing below.

[Image: man pulling an electrical plug out of a wall socket]
I even tried that.

Unplugging all cables from the patch panel which lead to access points.
In the morning they were magically plugged in again. He was 9 years old at that time and had his own key to the locked basement. Biggest obstacle was the height of the patch panel: 2.2m / 7-8 ft

When he was 8 we were so naive as to use those mechanical timer switches to „unplug“ the APs - LOL

Our story sounds funny - but you can’t imagine how much energy that costs.

And to cut the internet line completely we lose our IP cameras. I could cry.
 
It does.

The issue the OP had was that he wanted to block access to the LAN as well as the internet. From what I can make out you're only concerned with internet access. So in theory you should be able to use the white list and scheduling options under Parental Controls > Time Scheduling.

N.B. I've never actually tried to do this myself as I have no need.
Thank you for this hint.
I already found it, but it is not useful for my needs. You can only lock out destination IP addresses and services (ports).
On the wireless end there is a MAC address filter but only for wireless and not time based.
I could do it via SSH and iptables - but it should be maintainable by my wife.
So I am stuck on FreshTomato on my central router which has this feature, but the fastest routers using FreshTomato have only dual core and no hardware offloading - so VPN performance is very bad and IPsec is not supported. Daisy-chaining 3 routers to get best of all worlds isn’t smart, either.
 
Doesn't seem you're trying hard enough.

A 9 year old with his own keys?

Nothing that a trip to home depot (or to a locksmith) wouldn't fix.
 
You may be better off building or purchasing a device and using pfSense

One thing has to be clear though - there is no app for pfSense and no quick setup guide. The GUI has hundreds of options and settings. Buttons in Asuswrt-Merlin do many things behind the scenes. In pfSense almost everything has to be set manually.
 
My 11-year-old son is addicted to the internet and has a very high hacker potential.
Network: central Router - and 3 Access Points

This is a game you can't win - manage the device, not the router...

This means device management at a policy level, which is supported on all major platforms (iOS/Android/Win/Mac/ChromeOS) - there are packages out there that can do this fairly easily and it's usually pretty effective at locking down a machine via policy controls.
 
Doesn't seem you're trying hard enough.

A 9 year old with his own keys?

Nothing that a trip to home depot (or to a locksmith) wouldn't fix.
Not his key. We changed the lock to prohibit him from some rooms.
Sure, he searched the whole house for hours and found a key somewhere.
I wear critical keys on my body 7x24, but there is also a wife in my house…
 
This is a game you can't win - manage the device, not the router...

This means device management at a policy level, which is supported on all major platforms (iOS/Android/Win/Mac/ChromeOS) - there are packages out there that can do this fairly easily and it's usually pretty effective at locking down a machine via policy controls.

We already lost that policy game. Tried it with Amazon - which he hacked.
iOS is better, but once he needs a PIN from parents to do his homework - kids are so smart: screen recording in the background and it takes weeks for us to find out something is very suspicious.
Now they got iPads from the school which are managed by them. Now he has a YouTube client on his school iPad. (Not on his private iPad)
You can’t install apps on the school iPad - unless he uses a separate iTunes user inside the App Store - thank you, school.

There are also hidden YouTube clients and browsers in some hidden devices like a TV or Blu-ray player. That’s why I changed to whitelisting MAC addresses.

You are right, I can’t win this game.

In my spare time I try to spend much time with him, but I also need to work and sleep. I did talk to him and tell him that I understand the fascination of tech but there is also an analog world out there that is also important. Not easy.
 
Actually in the past I found Screen Time for Android absolutely good.
When Google launched Family Link - I switched to it and it's much better. Kid can't get privileged access and that closes most of the nasty stuff some applications allow. It's not unbeatable because it's tedious to blacklist websites, stuff like embedded YouTube played in a browser on a "normal" site.
I don't know about anything similar for iOS. But there may be something similar.

Fight at network level is lost long ago! The final nail in the coffin is DNS over HTTPS.
 
OK, I know this is technically OT, but…he's not going to stop competing with you. It's life. Maybe it's time to try Old School. Change the game so you either control the field, or you walk on the field side-by-side, i.e., equally inept.

Take him fly fishing - no tech allowed (except in your own pocket for emergency contact). Doesn't matter if you don't know how, don't like fishing, don't want to mess with slimy fish, stinks outdoors, whatever. It's about connection. A local fly fishing trip, even if the location is within an hour of home, is good for a solid 3- to 4-hours off tech together. Learning how is another bunch of hours, Buying the right stuff, more hours. Hours is what it's all about. And fly fishing fixes the whole "doing nothing but waiting" thing as it's inherently active and totally challenging. He may complain — vociferously — but privately and with whatever buddies he has, he'll be king, "The Man". No, it won't "fix" the instant issue, but it may very well lead to a closer relationship and cooperation in things tech vs. competition. Eventually his fascination with tech is simply going to outrun your available time and resources to combat the problem; he needs to be "on your side" before that happens so the problem never becomes newsworthy serious.

Just a thought.

@Maverick009's suggestion for pfSense or OPNsense coupled with @Tech9's caveat re: the UI for pfSense and your comment about needing it to be easily maintainable by your wife, it sure sounds like OPNsense would be a very workable solution for the time being. Here are a couple of pseudo-reviews if you're interested: https://www.peerspot.com/products/opnsense-reviews#pricing

Sky


P.S. If I've over-stepped, mea culpa.
 
One thing has to be clear though - there is no app for pfSense and no quick setup guide. The GUI has hundreds of options and settings. Buttons in Asuswrt-Merlin do many things behind the scenes. In pfSense almost everything has to be set manually.
I never said some things may need to be manually done, but really even in router firmware both standard and custom, there is some automation, but what they are looking at, is not clear as day, and may require something with more fine control. pfSense and OPNsense give that control, but yes some instances require more granular setup. At least here he can put all IP cameras on a separate node from the devices that his kid has access to. I am sure there is software that can also come close, but seems like the kid is too smart for his own good so to speak lol.
 
OK, I know this is technically OT, but…he's not going to stop competing with you. It's life. Maybe it's time to try Old School. Change the game so you either control the field, or you walk on the field side-by-side, i.e., equally inept.

Take him fly fishing - no tech allowed (except in your own pocket for emergency contact). Doesn't matter if you don't know how, don't like fishing, don't want to mess with slimy fish, stinks outdoors, whatever. It's about connection. A local fly fishing trip, even if the location is within an hour of home, is good for a solid 3- to 4-hours off tech together. Learning how is another bunch of hours, Buying the right stuff, more hours. Hours is what it's all about. And fly fishing fixes the whole "doing nothing but waiting" thing as it's inherently active and totally challenging. He may complain — vociferously — but privately and with whatever buddies he has, he'll be king, "The Man". No, it won't "fix" the instant issue, but it may very well lead to a closer relationship and cooperation in things tech vs. competition. Eventually his fascination with tech is simply going to outrun your available time and resources to combat the problem; he needs to be "on your side" before that happens so the problem never becomes newsworthy serious.

Just a thought.

@Maverick009's suggestion for pfSense or OPNsense coupled with @Tech9's caveat re: the UI for pfSense and your comment about needing it to be easily maintainable by your wife, it sure sounds like OPNsense would be a very workable solution for the time being. Here are a couple of pseudo-reviews if you're interested: https://www.peerspot.com/products/opnsense-reviews#pricing

Sky


P.S. If I've over-stepped, mea culpa.
I would wholeheartedly agree with this. A sense of updated router hardware using either pfSense or OPNsense combined with fine control and common sense may be the only way. If your kid defeats this, then the blame goes on the administrator of the network. One more thing I can add is they can also go a step further and bring business class domain Active Directory (AD) functionality into the picture. That is what I have recently done at home. Was able to get a Windows Server 2019 license for like $17 and installed it on a custom computer running gaming hardware with Ryzen 2700 CPU (it was my old gaming/multimedia hardware, that I just put to good use). I set up a domain controller and have user names. So far as a test of how well it will work, I had connected my youngest son's (a teen) laptop to the domain. User name is a standard user account. Works very well and I can enable or disable the account on the whim of a dime. I am working on a little further monitoring too, but that is for another time. I did this in part to play and learn further about features with Windows Server and to be a combined NAS/Gaming Server. The domain controller feature was turned on later due to things we were finding on son's laptop with either talking to people or near attempts to download viruses on the network. AD gave me full control, plus I can administer updates and so on from a central location. I am looking now to add other kids' and wife's devices to the domain as well, as it provides for various benefits short and long term. Just another thought for not only control but streamlining processes.
 
If you are looking at reviews, pfSense/OPNSense thing is not for you. Not consumer products and above average networking knowledge is required.
For the very basics, limited networking knowledge is needed. I agree though for more sophisticated settings, average to above average knowledge is required, but on that note there are a lot of forums and other support widely enough available for pfSense and OPNsense. It just also takes the time to learn it at least enough to get set up and go from there. Take it from someone who never used pfSense and OPNsense before, but saw a review and article about them and began there. Now I can say I only scratched the surface but the capabilities and current settings are enough and I am learning to even further make changes to my network, taking it somewhat from simple to complex enough, but also secure and powerful enough for future changes.

I will never knock anyone down for wanting to give it a try or asking if there is anything further out there. We all had to learn somewhere and if we truly want to do it, we will set our minds to it.
 
I will never knock anyone down for wanting to give it a try or asking if there is anything further out there.

I agree, but this learning leads to expenses. pfSense/OPNsense needs to run on something. Not everyone has a spare PC with 2x NICs. A proper x86 box is like $350 and up. If you start from the very beginning and follow the guides, it will take some time to get to what is discussed in this thread.
 
I agree, but this learning leads to expenses. pfSense/OPNsense needs to run on something. Not everyone has a spare PC with 2x NICs. A proper x86 box is like $350 and up. If you start from the very beginning and follow the guides, it will take some time to get to what is discussed in this thread.

Not exactly true. A couple of ways to control cost. Install pfSense or OPNsense in a virtual machine to test and learn to start, or you can buy some fairly decent hardware for cheap, around $120-150 on eBay for instance, that gives various hardware such as one that included dual 6C/12T Opterons or for the other CPU maker, Intel Xeons.

When I started, I actually had an old Intel Q6600 2.4GHz Quad Core CPU, Gigabyte G41MT-USB3 motherboard and 4GB DDR3 Dual Channel memory sitting around. I just ended up buying a 2U rack mount case, power supply, and SSD ($30-40 SATA variant) for it and got an Intel I350-T4 PCIe card and a dual 2.5G Realtek card (cheap and only dual 2.5 chipset card at the time). In total that probably came to around $350 but that is also in the realm of what a new router costs in the mid to high end. Advantages are numerous including near unlimited upgradability.

Again only suggestions. I think we all contribute our opinions and knowledge to give options, etc.
 
Cheap hardware off eBay is usually a SFF PC with fans, higher power consumption and taking space. Higher electricity bill, noise and more maintenance. There are advantages in this approach and many DIY guys will go for it, but not a solution for everyone. I wouldn't run the firewall on VM.
 
Cheap hardware off eBay is usually a SFF PC with fans, higher power consumption and taking space. Higher electricity bill, noise and more maintenance. There are advantages in this approach and many DIY guys will go for it, but not a solution for everyone. I wouldn't run the firewall on VM.
No SFF in all cases. In this case these were rack mount form factor. I will agree power consumption can be a hit or miss depending on setup but you also have more capabilities including even NAS hybrid options. Also if you tweak and set up for ECO or power saving features that power gap is not as big as you think, unless you have heavy utilization but with the more powerful CPU, it should rarely if ever peak, unless you have insane amounts of devices that even task your switch(es). Also Hyper VMs work wonders and are near metal instances so not every VM is bad. Businesses use them actually a lot.

I also agree it may not be for anyone. OK that is all. We are getting off topic slightly lol.
 
