Kids bypassing Parental Controls (Time Scheduling) via band switching & MAC randomization on AiMesh

Rana Imran

Occasional Visitor
Hi. I’m looking for some advice on how to secure my Parental Controls. I am currently running an AiMesh setup and relying on Time Scheduling to manage internet access for my kids' Apple and Android devices at night.
  • Main Router: Asus RT-AX82U (Firmware: 3.0.0.4.388_25101)
  • AiMesh Node 1: Asus RT-AX82U (Wired backhaul)
  • AiMesh Node 2: Asus DSL-AC68U
  • General Config: All of my family's devices are normally connected to the 5GHz band. Guest Networks 2 & 3 are active (2.4GHz).
I have Time Scheduling set up under Parental Controls to block the kids' devices at a specific time. However, when the lock time hits, the kids simply switch their Wi-Fi connection over to the 2.4GHz band and bypass the block entirely, regaining full internet access.

I assume this is happening because switching bands triggers iOS's "Private Wi-Fi Address" and Android's "MAC Randomization" features. The router sees a brand-new MAC address, assumes it's a new device, and grants it unrestricted access outside of my Parental Control rules.

I thought about using Wireless MAC Filtering or assigning Manual IPs. However, because both Apple and Android devices can rotate their MAC addresses, a standard "Reject" MAC filter or static IP assignment won't work? They will just generate a new MAC and bypass the filter again.

Has anyone found a bulletproof workaround for this on ASUS firmware? Any advice would be greatly appreciated!

Thanks in advance.
 
Confiscate the kids' devices for a period of time as punishment for their enabling or activating the randomized MAC on their devices and bypassing your Internet/WiFi rules. Be the parent and not their friend.

Another workaround is to change all the WiFi passwords and make sure not to give them to the kids. Do not have any open WiFi networks, password protect everything with strong passwords. Change the passwords frequently if the kids are discovering the password(s).

Another possible option. Every non-kid WiFi device should have its MAC randomization disabled. Then include all those WiFi devices in the MAC filtering allow list on the non-kids WiFi. Hopefully this way the kids' devices will be rejected for not being on the allow list. There are still ways around this, and it does add some extra work for you to set up an allow list for all your WiFi devices, but it adds one level of complexity for the kids to overcome.

In the end though you have a kid violating your rules problem not a router problem. Trying to solve that problem using the router to avoid dealing with the kid violating your rules is just a band-aid on the underlying issue.
 
Just change the SSID and Password of the 2.4GHz band and don't give it out to anyone.
 
So I had the same issue but ended up making 2 blocks one for the NIC MAC and one for the Wireless MAC. I was not aware of a MAC Randomization other than a spoof. Dang.
 
kids' Apple and Android devices

The only effective way to do parental control is on the devices.


This method works on both Wi-Fi connections and mobile operator data plans.
 
Besides any parenting advice you might (wanted or unwantedly) be given, and besides Tech9's rock solid method, router side I guess you can do the following:

Adults WiFi => Secret password, no need for an allow list or MAC randomization disabled if only adults can access it (just for the sake of an extra layer you could add a reject list for the children's MACs)
Kids WiFi => MAC randomization disabled on the kids' devices, fixed IP & MAC allow list enabled on the router (this way the children can only connect with their real MAC; no internet for them if they try to cheat with the MAC or reconnect)

The only drawback here is for "real" guests. I guess the best option would be to create one with a reject list and include your children's MACs (even in this case they might trick it by enabling a random MAC to go to the guest one, but it's quite a more advanced technique than just switching SSIDs)
You can always check logs to see if they are doing this bypass.

Good luck!
 
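The log check suggested in the post above, as an added example that is not part of the original thread: it flags DHCP leases given to locally administered (randomized) MAC addresses and notes when the client-supplied hostname matches a device already under a Parental Controls rule. The dnsmasq-style log lines, the MAC addresses and the function names are constructed assumptions; compare the format with the router's own system log before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq's DHCPACK syslog format (assumed log source).
SAMPLE_LOG = """\
May  4 21:58:01 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.50.21 3c:22:fb:10:20:30 Kids-iPad
May  4 22:01:12 dnsmasq-dhcp[812]: DHCPREQUEST(br0) 192.168.50.87 a6:5e:60:c1:02:9d
May  4 22:01:13 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.50.87 a6:5e:60:c1:02:9d Kids-iPad
May  4 22:01:40 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.50.30 f0:18:98:aa:bb:cc Office-PC
May  4 22:03:05 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.50.91 da:a1:19:44:55:66 Pixel-7
May  4 22:04:18 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.50.93 7e:01:02:03:04:05
"""

ACK = re.compile(r"DHCPACK\([^)]+\)\s+(?P<ip>\S+)\s+"
                 r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?", re.I)

def is_randomized(mac):
    """Unicast MAC with the locally administered bit (0x02 of the first octet) set."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01

def parse_leases(log_text):
    """Return (mac, ip, hostname) for every DHCPACK line; hostname may be empty."""
    leases = []
    for line in log_text.splitlines():
        m = ACK.search(line)
        if m:
            leases.append((m["mac"].lower(), m["ip"], m["host"] or ""))
    return leases

def find_bypass_candidates(log_text, managed_macs):
    """Map each unmanaged randomized MAC to its lease details.

    managed_macs: MACs that already have a Time Scheduling rule.
    The hostname is client-supplied, so a match is a hint, not proof.
    """
    leases = parse_leases(log_text)
    macs_by_host = defaultdict(set)
    for mac, _ip, host in leases:
        if host:
            macs_by_host[host].add(mac)
    report = {}
    for mac, ip, host in leases:
        if mac in managed_macs or not is_randomized(mac):
            continue
        reused = bool(host) and bool(macs_by_host[host] & managed_macs)
        report[mac] = {"ip": ip, "host": host, "hostname_of_managed_device": reused}
    return report

if __name__ == "__main__":
    for mac, info in find_bypass_candidates(SAMPLE_LOG, {"3c:22:fb:10:20:30"}).items():
        print(mac, info)
```

A randomized MAC is normal for any phone that has the privacy feature on, so the useful signal is a randomized address appearing right after a scheduled block starts, especially with a hostname that a managed device has used.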
If the kids are small - parental controls on devices, parents purchase the devices anyway and give them to the kids. If the kids are grown up - talk to them as adults and educate, this will build trust and they'll come back with other questions. There is no reliable way to achieve what the OP wants on the router side. Whatever the router does, it applies to the local network only and going around it is a few clicks away.
 
Thanks everyone for the input.

Seems like router-only controls aren’t fully reliable due to MAC randomization, so combining router settings with device-side controls makes more sense. I’ll also look into separating SSIDs and tightening access control.

Appreciate the insights, this helped clarify the limitations and possible approach.
 
Children being “oppressed” by parents can avail themselves of the same bypass techniques being made available to citizens oppressed by restrictive or censoring governments.
 
Children being “oppressed” by parents can avail themselves of the same bypass techniques being made available to citizens oppressed by restrictive or censoring governments.
I understand the point you're making. My focus here is just on the technical side of managing network access within my own setup, not on restricting anyone unfairly.

Appreciate the perspective though, I’m just focusing on finding workable technical solutions through the router and device settings.
 
I was wondering about MAC Whitelist vs Blacklist... But anyways my wife asked me once about this sort of filtering in the past, as we have one son. I told her nah, or something to that effect.....

The more time you spend with them, the better, (or the longer they can't do such activities that you don't want).

I think I caught our son looking at inappropriate content (for his age) once. I was curious as to what he was looking at and he was frantically trying to close it (unsuccessfully) before handing it to me. I said "oh, at least you know you shouldn't be looking at that," and handed it back. (No, I did not close it). That was the last time I think I ever caught him surfing something like that...

YMMV...
 
My focus here is just on the technical side of managing network access within my own setup, not on restricting anyone unfairly.
I didn't mean to imply unfairness, which is why I put oppressed in quotes. Technology wants individuals to be free on the internet, and children directly benefited from this revolution. As you've seen and others have pointed out, options are limited if you cannot lock down the children's devices locally. Too easy to randomize the MAC, install Cloudflare WARP/1.1.1.1, etc.

Going to a 100% MAC allowlist approach is cumbersome.

All that remains is the sanctimonious parenting advice. 👎
 
