1. Thank you for the MAC Address Whitelist Idea, I will be trying that idea. I kept looking for a way to enter a "DEFAULT" parental filter on Asus routers which would make SO MUCH SENSE but no .... There are obviously MS-Windows tools that let you change a MAC address to anything you want, and my son has been doing this - A LOT. So whitelisting MAC addresses should work until he gets a tool that can piggyback on other whitelisted MAC addresses.
2. Palo Alto Schools have open Internet and there is a school right next door to us. On Chromebooks, the only solution was to remove the radio cards and give my kids Ethernet USB dongles. Also, XFinity is there giving you 1 hour of free time every month or in some cases, more often if you manage to spoof Xfinity. On older laptops you can add a BIOS password and turn off the radio.
3. With a 1-router solution, I log into the router and disable ALL internet (WAN: off) at 10pm, to get kids to go to bed and lights out. If they aren't done with homework they will have to wake up early and do it then. The router is off from 10:00 pm until ~ 10:20 (by that time they are taking showers). Overnight, *all* chromebooks at our house are blocked because some of them have guest accounts, so kids will wake up and try to watch YouTube overnight ...
4. When we had 2 routers, it was a good thing. Why do you want 2 routers? Because you end up making exceptions in the router setup (or, my wife did) all the time. You want to edit the exception into the child router. Half the time we made an exception we would screw it up and end up disabling ALL access controls. When it's time to block the network for bedtime, you want an UNCHANGING schedule on the main router (main router blocks the sub-router daily on a never-changing schedule). That way, no matter how screwed up the child router is, it still gets blocked every night by the parent router, every single night.
6. How can you secure a router? I ended up getting out my soldering iron and a pair of pliers, and I physically removed the reset switch from the kids router. Then, no matter what, they could never reset the firmware. However, if I ever lost the firmware password, I would been in trouble, we use $29 Asus RT-N12D1 cheapo routers as the firmware is practically the same on all Asus routers. So be careful with the password (store it in a safe place and don't change it or give it out, ever, because giving it out makes it necessary to change it and there's probably a 1% chance of losing it every time you change it.) Also, you might want to think twice about upgrading firmware if you no longer have a reset switch.
7. I work for Google and can verify that YouTube IP addresses are the same as Google Docs IP addresses. Yes, the addresses your kids use to do your homework - also come with YouTube TV. I apologize for my dastardly employer about this. There is a Browser VPN tool called "HotSpot Shield" which kids can use to proxy via every single Google IP Range (there are hundreds). I got out wireshark and was blocking /256 ranges using the routing tables (route these ranges to 127.0.0.1 - loopback address), but I ran out of routing-table space. Since HotSpotShield bypasses your router URL filters, using encrypted tunnels (https), the only way to put policy filters (URL filters) on your kids is to NOT allow them to use ANY google properties, including search, including docs, gmail, calendar, YouTube, etc. Block port 443 (https) to accomplish this. Also, they will have to use an open search engine, maybe dogpile.com (I just did a check and it got some reasonable hits for "haymarket riots" on port 80).
I wish I new what that plugin was! From what I could find out, it's something that works with TamperMonkey. Funny thing is, although this plugin makes up a completely random MAC address, it seems to always use static IP 192.168.1.2, which is my computer's address, and caused my computer to be cut off the network. That's why I need a firmware that works with IP and MAC addresses, not just IP.
