
parental control vs. iphone private MAC

jweston

New Around Here
Hello.

I'm sure others are having a similar issue with parental controls vs. iPhones that use "private MAC",... although I'm not finding any good solutions? The problem is that the default private MAC setting makes it really hard to consistently identify the child devices = inconsistent application of parental controls. Thanks in advance for any ideas you might have.

Situation:
  • ASUS router with Merlin and YazFi installed. YazFi allows assigning special DNS servers for each Guest Network. Also creates separate subnets for each Guest Network.
  • Guest Network 1 = IOT devices. Super secret password.
  • Guest Network 2 = my son's school iPad. YazFi redirects DNS to AdGuard Home local DNS server that blocks all "time-wasters".
  • Main Wifi SSID = everything else. Default DNS is AdGuard Family.
Problem: I need to make sure the school iPad is only able to attach to Guest Network 2 so that I can restrict sites.
  • I can put a MAC DENY list on the Main Wifi SSID to prevent the iPad from connecting there. However, I believe that he can get around this by deleting the Wi-Fi connection in iOS and reconnecting,... the iPad generates a new MAC address and gets around the DENY list.
  • I could turn off "Private MAC" but he could just switch it back on.
  • His iPhone is connected to the Main Wifi SSID,... Apple functionality lets you share network credentials between devices,... so he is able to connect the iPad to the unrestricted Main Wifi SSID.
  • I've previously tried to point the iPad to the special DNS using DNS DIRECTOR, but it has a similar problem caused by "private MAC" changing the iPad MAC.
  • Apple ScreenTime parental controls work pretty well for his iPhone but that's not possible for the school iPad because the school controls it.
The only solution I can think of is to set up an ALLOW list on the main SSID. Kind of a pain, because our iPhones all have the private MAC setting turned on.

Any other ideas?
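As an added example (not from this thread or any poster), the script below reads a dnsmasq lease list in the format Asuswrt-Merlin keeps in /var/lib/misc/dnsmasq.leases and flags clients whose MAC has the locally-administered bit set, which is how iOS/Android randomized "private" addresses show up; those are exactly the devices a MAC allow/deny list cannot pin down across reconnects. The lease file path is an assumption and the sample leases are constructed.

```python
"""Flag DHCP clients that use randomized (locally administered) MAC addresses.

Added example, not from the thread. Assumes the dnsmasq lease format used by
Asuswrt-Merlin (/var/lib/misc/dnsmasq.leases), one lease per line:
"<expiry> <mac> <ip> <hostname> <client-id>". Sample leases are constructed.
"""
from dataclasses import dataclass

# Constructed sample: two vendor MACs, two randomized ones (first octet has 0x02 set).
SAMPLE_LEASES = """\
1738000000 3c:22:fb:12:34:56 192.168.1.20 Living-Room-TV 01:3c:22:fb:12:34:56
1738000100 da:7b:1c:9e:aa:01 192.168.1.31 iPad *
1738000200 a4:83:e7:00:11:22 192.168.1.40 HP-Printer *
1738000300 6e:55:19:c0:de:ef 192.168.1.52 iPhone 01:6e:55:19:c0:de:ef
"""


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str
    randomized: bool


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set.

    Randomized "private Wi-Fi address" MACs set this bit, so the address is not
    a vendor-assigned OUI address. Heuristic: VMs and some virtual adapters also
    use locally administered addresses, so treat a hit as "check this device".
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = fields[:4]
        leases.append(Lease(mac.lower(), ip, hostname, is_locally_administered(mac)))
    return leases


def randomized_clients(text: str) -> list[Lease]:
    """Leases whose MAC is randomized, i.e. a MAC allow/deny list on the router
    will not reliably identify that device once it forgets and rejoins the SSID."""
    return [lease for lease in parse_leases(text) if lease.randomized]


if __name__ == "__main__":
    for lease in randomized_clients(SAMPLE_LEASES):
        print(f"{lease.hostname:15} {lease.mac} {lease.ip}  <- randomized MAC")
```

On the router itself you would feed it `open("/var/lib/misc/dnsmasq.leases").read()` instead of the constructed sample.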
 
Your only option is parental controls on the device itself. Both Android and iOS offer options. Anything else on your router side is avoidable with a few clicks. You are wasting your time.
 
You are correct. Kids can and do figure out workarounds. I managed a network at a church some years ago and caught a block on a Sunday morning of the associate pastor's PC trying to access a restricted web site. Funny, but the pastor was preaching at the time. It was his daughter, who claimed a headache to go to his office and use the computer. When asked how she was able to try to bypass the block, she said the kids at her Christian school did it all the time at school.

Bottom line: just be a parent!
 
Kind of a pain, because our iPhones all have the private MAC setting turned on.

You guys never realized "Private Wi-Fi address" is actually per SSID and not a global setting? It can be turned OFF for your home network and remain default ON for other networks. You're playing hide and seek.
 
Appreciate everyone's feedback. Matches what I was understanding, but gives me more confidence that there isn't a good way.

I'm going with the original plan of forcing the school-governed iPad to its own "iPad SSID"/DNS by effectively denying access to the other "main" SSID via a whitelist. (Note: The iPad is governed by his school and has a separate Apple ID. The iPad has the school's VPN and Device Management set up. Parents aren't able to utilize ScreenTime. The school VPN restricts certain websites, but still allows sites like YouTube.)

BTW. Just found this "how-can-a-wifi-router-recognize-mac-address-change-of-a-connected-device" posting that seems to address the same situation. The recommendation was to whitelist all allowed devices. I'm hoping that by splitting into separate Wifi SSIDs (main, IOT, iPad) I don't have to whitelist very many devices on the main SSID. Of course, now that I look harder,... Asus/Merlin/YazFi requires a whitelist per SSID per band = duplicate whitelists for the main SSID for each band. That stinks. I'm about to upgrade from Asus RT AC66U to RT BE92U,... cross fingers it has other options.

Thank you!
 
I'm about to upgrade from Asus RT AC66U to RT BE92U,... cross fingers it has other options.

Think twice before upgrading to ASUS BE-class routers in general (due to unresolved Trend Micro engine issues), RT-BE92U in particular (due to above average reported issues) and make sure the add-ons you intend to use work in 3006 base firmware (you may have to give up on YazFi). Search, all the information you need is available on SNB Forums. Good luck!
 
Thanks for the router advice.

I had an RT 86U that died and am using an older RT 66U router in the meantime.

$200 for the RT BE 92U was kind of expensive for my needs, but I rationalized that it gives the new band. I reviewed the feedback,... it seemed like ASUS had a firmware problem last year that had been resolved? I will review again and double check the YazFi compatibility. Didn't think about that.
 
seemed like ASUS had a firmware problem last year

Correct, last year ended 3 weeks ago. The concerning fact is multiple hardware revisions. Not clear why, but users report a V4 variant already. We don't know where the issues originate from, but it seems like the overall user experience is lower. Your start model for tri-band Wi-Fi 7 is perhaps the above mentioned RT-BE96U. Note ASUS now has different series devices with different features, Smart Home Master and Guest Network Pro. The former doesn't have user configurable VLAN options. Also note some of the custom scripts are now in the so-called Orphaned Script Revival section in AMTM; they have no specific maintainer. There are many changes compared to what you had on RT-AC86U. There will be reading and learning involved in this upgrade.
 
Great! Not.

Thanks for the additional insights.

I haven't opened up the BE 92U yet. I hate to return it, but maybe this RT 66U is good enough for now. It is definitely working hard.
 
If you have "open box" return options - definitely try it. See what is available in stock Asuswrt 3006 first. This firmware base comes with new features; some have similar functionality to custom scripts used in 3004 firmware. Make sure the device works as advertised before flashing 3rd party firmware on it and installing custom scripts. Check each one of the scripts you intend to install for 3006 compatibility.

The majority of complaints are around stability and connectivity issues. They come from ASUS/Broadcom support upstream; 3rd party firmware is unlikely to resolve them. If you need QoS - Adaptive QoS is broken. Other features using the Trend Micro engine may be affected, use case dependent. Parental Controls use the same engine for app based traffic recognition. You may want to test it and see if it does what you need.
 