MAC address filtering - Wired + Wifi?

He’s ridiculously smart. Windows controls are useless - previously we had him set with a child account on his machine, so he ran Linux from a thumb drive on his machine.

Great kid, just sees a wall and finds a way around, over or under it....
 
Thank you - great feedback.

Does Netgear Armor or Disney Circle provide similar functionality? I’m reading that Circle covers wired clients, as well. Just need to have a default “off until approved”....
I'm not sure about Netgear. I currently have a Gryphon, but my kids are too young to need the parental controls. I know the Disney Circle has to stay connected, and some kids just unplug them as needed. The nice thing about the Gryphon is the fact that it is the router. However, I would agree with some of the other comments that technology may not be able to be the solution in this case. I honestly was always a step ahead of my parents technologically and thankfully didn't find myself getting into too much mischief (because I could have). But I understand tech can be a helpful deterrent.
 
I would suggest researching the Gryphon. But, I would give the caveat that it is designed to be simple to use for parents and non-techs, so you do give up a lot of power user functionality that Netgear and ASUS have. I miss a lot about ASUS and Merlin's firmware. But I wanted to try something different, and they put a lot of work into making it secure. Also the Gryphon is a beast of a performer in terms of WiFi.
 
Believe me when I say I recognize this is a parenting issue as much as a tech issue. This is a kid who will sheepishly admit the next morning that he didn't follow the rules, without even my prompting or knowledge that he skirted the restrictions. It's become a bit of a game for him (and if I'm honest, me as well).

We had his PC in the common area prior to COVID lockdown, and that was honestly the best deterrent. Balancing giving kids some autonomy with over-parenting -- easier said than done.
 
Believe me when I say I recognize this is a parenting issue as much as a tech issue. This is a kid who will sheepishly admit the next morning that he didn't follow the rules, without even my prompting or knowledge that he skirted the restrictions. It's become a bit of a game for him (and if I'm honest, me as well).

We had his PC in the common area prior to COVID lockdown, and that was honestly the best deterrent. Balancing giving kids some autonomy with over-parenting -- easier said than done.
Sounds like you're doing a pretty good job. Good luck to you. I'm a bit of a way down the road from teenager. I have a toddler and infant. I am very nervous about teen years.
 
Note that Circle, the last time I looked at it, does its own MAC spoofing so client flows will go through it. A crafty nerd can easily bypass that type of control using static ARP entries.

Why do some vendors limit the ACLs to maybe 16 entries? My best guess is this is a memory or hardware limitation.

If you want to be fancier than him....build a pfSense/OPNsense/SophosXG box and use the guest portal to block him. No Internet without a login. Expire the logins on a regular basis. Change the passwords on a regular basis. If they know how to change their IP address, they will figure out how to change their MAC address as well. As others have stated already, consumer gear was never meant to have the level of flexibility to control all flows you are after.

Continue to abuse, just cut from the Internet. Finds a workaround there, cut the power to the room. I get the parenting struggle here...I was one of those kids....and I have apologized to my parents many times now that I have my own kids. Luckily my kids are still too young to abuse technology.....for now.
 
Great kid, just sees a wall and finds a way around, over or under it....

Well sure, and creative rebellion leads to ingenuity and invention.

If it ever becomes a serious discipline issue rather than an exercise in competitive bonding, you might look into a contemporary RAT. Use a commercial crypter or MSFVenom and a recent copy of something like NanoCore and infect his computer when he isn't around. Now you can see everything he does, as long as he uses the OS you infected. Having unfettered physical access to the machine is a huge win, and you could even go as far as some simple commercial hardware devices like Bashbunny or Screencrab.

My thought is that if you can't block him, you can blackmail him. You just need to find dirt.

(Edited to add that this is more of a joke than a real suggestion - hopefully nobody is literally eavesdropping on their kids)
 
Note that Circle, the last time I looked at it, does its own MAC spoofing so client flows will go through it. A crafty nerd can easily bypass that type of control using static ARP entries.

I was thinking I'd switch to a Netgear product which has Circle embedded - but here again, nerd can spoof MAC of another approved device I s'pose?

Why do some vendors limit the ACLs to maybe 16 entries? My best guess is this is a memory or hardware limitation.

This is with Asus controls and it's completely ridiculous - worse, it's 16 TOTAL, not per managed person. And the same error message is flagged when trying to manage the VPN MAC address regardless of being below the threshold. Nerd ended up just getting multiple ProtonVPN accounts with dummy email addresses so he got new MAC addresses each time.

If you want to be fancier than him....build a pfSense/OPNsense/SophosXG box and use the guest portal to block him. No Internet without a login. Expire the logins on a regular basis. Change the passwords on a regular basis. If they know how to change their IP address, they will figure out how to change their MAC address as well.

I like this option. Is there a raspberry pi distro for any of these? I'll look into it and consider shimming in-between the clients and router as the default gateway.

Continue to abuse, just cut from the Internet.

That's exactly what we're doing! But he needs internet for school now so it's more complicated. Likely will have to do a dedicated dumbed down Chromebook for schoolwork.


Finds a workaround there, cut the power to the room.
Getting medieval on this, Pulp Fiction-style.

I get the parenting struggle here...I was one of those kids....and I have apologized to my parents many times now that I have my own kids. Luckily my kids are still too young to abuse technology.....for now.

The struggle is real. The only controls that I've found that work very well are Apple's screen time - helps that iPhones and iPads aren't as hackable as Android and PC. Of course, he found a workaround on that too, but thankfully Apple patched it in iOS13....
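A defender-side check for the weakness raised in this thread (an approved MAC can be copied, so a MAC allowlist cannot tell two devices apart), as an added example that is not from any poster: it reviews DHCP/ARP observations for an approved MAC appearing with a different IP or hostname inside a short window, and for unapproved or locally administered (software-set) MACs. The observation tuples, the allowlist and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations: (time_s, mac, ip, hostname),
# as they might be extracted from a router's DHCP or ARP log.
OBSERVATIONS = [
    (0,   "3c:22:fb:10:20:30", "192.168.1.20", "parent-laptop"),
    (60,  "a4:83:e7:aa:bb:cc", "192.168.1.21", "school-chromebook"),
    (120, "3c:22:fb:10:20:30", "192.168.1.20", "parent-laptop"),
    (130, "3c:22:fb:10:20:30", "192.168.1.57", "gaming-pc"),  # same MAC, new IP/host
    (200, "d6:5e:01:02:03:04", "192.168.1.60", "unknown"),    # software-set MAC
]
APPROVED = {"3c:22:fb:10:20:30", "a4:83:e7:aa:bb:cc"}  # constructed allowlist


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (MAC assigned in software)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def review(observations, approved, window_s=300):
    """Return (kind, mac, hostname) findings, in time order."""
    findings = []
    seen = defaultdict(list)  # mac -> [(time, ip, hostname)]
    for t, mac, ip, host in sorted(observations):
        mac = mac.lower()
        if mac not in approved:
            kind = ("unapproved-random-mac" if is_locally_administered(mac)
                    else "unapproved-mac")
            findings.append((kind, mac, host))
        # One MAC tied to two different (ip, hostname) pairs within the
        # window suggests two devices presenting the same address.
        for prev_t, prev_ip, prev_host in seen[mac]:
            if t - prev_t <= window_s and (prev_ip, prev_host) != (ip, host):
                findings.append(("possible-clone", mac, host))
                break
        seen[mac].append((t, ip, host))
    return findings


if __name__ == "__main__":
    for finding in review(OBSERVATIONS, APPROVED):
        print(finding)
```

A "possible-clone" finding is a prompt to look at the device, not proof: a legitimate DHCP lease change or hostname rename inside the window produces the same signal.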
 