  • king_family

    I should clarify: I'm not using two routers. I'm using a single Netgear 4500. It lets me set wifi enable/disable timers per band. So the N band runs 24/7, the G does not. Unless he gets into the admin on the router or hard-resets the thing, there's no way around it (except for LAN which I mentioned, but that would require him to run to the router, plug stuff in, etc and so forth). I've not bothered to see if I can disable the ethernet ports and force a wifi connection.

  • king_family

    OK one more post ... this one is a bit of fun "what if" for me.  So bear with me.

    If the goal is to lock kids only out between x-y .... while leaving the adults functional then with a WNDR4500 you have the following options:

    1.  Head into Advanced --> Advanced Setup --> wireless settings.  From here turn off the 2.4GHz frequency by schedule.  Leave the 5GHz freq running 24/7.

    2.  Head into Advanced --> Setup --> wireless.  From here you can give each frequency a unique SSID and password.  Now only hand out the 2.4GHz band.

    3.  Head into Advanced --> Security --> Access Control.  Here you can enable access control then set to "block all new devices from connecting" then whitelist the MAC of the devices you want to permit.  Doing this will prevent him from switching from wifi to hardwire (because it will change the MAC address) to bypass your internet access.

    That should really do it.  Only way around it would be to hard-reset the router at that point (or if he guessed your admin password).  OK one other way:  if he physically unplugged your router and plugged directly into the cable modem/whatever it is you get service from.  At that point he'd knock the whole house offline so it should be pretty obvious.


  • mattwilson9090

    @guerrid I agree, maintaining any sort of control of your network is difficult if you can't also control physical access to the device *and* where it plugs into. Aside from being able to lock things away a business can also fire employees who attempt or succeed at circumventing security or make unauthorized changes to the network infrastructure. You don't really have that option with a family.

    Getting a new router from AT&T or another source won't really make much of a difference since each router generally has the same default password for the entire run of a model, and sometimes for all models that they make. You probably don't have much of an option there. Some 3rd party firmware for parties allows you to control a little of how the reset button behaves, but you usually can't control or disable it entirely. One option would be to open up the router itself, and with a pair of wire cutters cut one of the leads to the button if you can, or in some other way physically disable or destroy it. If it's an AT&T router they might not like that though, and if it's one that you bought on your own, if for some reason you can't get into the management interface you won't be able to reset it if you need to also.

    Depending on how your house is wired you could also try moving the modem and router or routers into your bedroom or some other place where kids aren't likely to be or to be messing about with them, but that's not really a solution, just a way to make it harder for them to do things you don't want them doing.

    @king_family

    There isn't such a thing as an "N" or "G" band, at least when it comes to WiFi. The letters actually refer to the WiFi spec, in this case 802.11g and 802.11n. There is also a, b, and now most recently ac. B & G operate on multiple channels in the 2.4 GHz range, while N can operate in both the 2.4 GHz and 5 GHz ranges. I can't remember since it's so uncommon now, but I think A operates at 5 GHz, and I think ac operates in both 2.4 GHz and 5 GHz but I haven't worked with it yet. Most 802.11n routers allow you to control the 2.4 GHz and 5 GHz bands separately, with for instance different SSIDs, encryption methods, passphrases, etc. You can even turn them on and off independently of each other. I generally configure them the same so that a device can use whichever works best for it, but there are advantages to keeping them separate, such as with what you're doing.

    I do like that you're able to set separate timers for each radio. I'm not sure I've ever seen that before, but even if I had I probably wouldn't have taken note of it since I rarely need that kind of capability.

    You might be able to disable the Ethernet ports, but just like everything else, if someone is able to use the reset button they'll be resetting that at the same time as they are resetting everything else.

    I wouldn't even bother trying to control access with the MAC address since it's trivial to spoof that on just about any modern device. I don't use MAC addresses for security of any sort, but I do use them with DHCP to assign addresses just to make it easier for me to recognize devices on the network if they are using a consistent address. It's not perfect since spoofing is possible, it's mainly for my convenience and ease of use.

    There is another way around it, though it would require spending money or in some other way acquiring another router. That router could then be connected to the existing router, or between the ISP's "modem" and your router. A clever person could "obscure" it so that it wouldn't casually be noticed, but if for any reason you're looking closely at things or tracing wiring it would be pretty easy to find.

  • dmcgrane

    It sounds like there is a gap in the market for a family-friendly router which comes with lock and key. Multiple SSIDs with scheduling on each. Factory reset option accessible by key only. I think I'd buy it in the morning if it existed. Doesn't sound that hard to create, does it?

  • rotblitz

    There are routers that support this feature.  I have one of those, AVM branded.

    And this is certainly nothing for the OpenDNS forum, but for forums of router suppliers.

  • guerrid

    This thread applies to OpenDNS if router manufacturers read this thread because they are looking for requirements for a new router they might be building that they might decide should include OpenDNS and other features people who use OpenDNS might be looking for that OpenDNS can't fulfill.  I've noticed that very bright people can often be overly focused (which could also be called narrow minded) such that they sometimes miss the forest for the trees.

  • guerrid

    Yes, you are absolutely right there.  Companies certainly do seem to have a way of ignoring their customers' needs.  I do try to keep my idealism through it all.  There's no reason to think that someday companies won't actually listen to and (if you really want to hear some idealism) pay their customers and others for good ideas.  I call it Microroyalties.  I actually have a company started (Microroyalties, LLC) to try to help that happen!

  • dmcgrane

    I don't know what it's like in the US but I know here in Dublin, Ireland if I rolled up to a parent's meeting at any school with a router preconfigured with two SSIDs, one for adults and one for children, with preset time blocks that could be changed, I'd sell hundreds of them. Complete with key that hides factory reset button.

  • mattwilson9090

    I'm not sure what the "this" is that isn't working with your router, but that's a router issue, it has nothing to do with OpenDNS.

    If that's a feature you wanted you probably should have made sure it was supported before you bought the router. You might still be able to return it and find a router that suits your needs.

  • kungfugrip101

    Matt you are correct. "This" is a router issue... but it's relevant to the topic. No can do on the return so I'll be trying a few of the suggestions above.

  • kungfugrip101

    @king_family

    This solution worked like a charm!! Thanks for pointing it out. I hadn't seen the setting in advanced until you pointed it out! As an added bonus the adults are getting better throughput on 5GHz.

    Adults 1 - Kids 0

  • munkii

    "Adults 1 - Kids 0"

    Until they realise they can tether their phone to their iPad and away they go. I want a steel box to lock the kids in not the router :-)

  • guerrid

    One more tidbit that my son and I discovered today.  If he already has a connection established, the "block services" feature will not break an established connection.  It will only be blocked when he/she tries to re-establish the connection.  So you may have to make sure the kids turn off their computer each night, or you could unplug the router at the appointed time so the old connections are broken.  Router companies: here's another bug for you to fix!

    Most importantly, however, is that we now have enough control that he seems to be resigned to the fact that these controls are here to stay and they are for his own benefit, until he is mature enough to establish priorities for himself without my help.  I'm glad we finally got this all figured out, and he seems to be onboard with it and hopefully will no longer waste time trying to figure out ways to get around it.  He might have realized that his time could be better spent doing his homework, and we'll all be much happier.

  • guerrid

    By the way, his HP tablet on T-Mobile runs out of data at 250 MB, so tethering only lasts so long, unless he gets a job to pay for more data, which would be fine with me.  He did admit to tethering to my tablet the other night, however.  So I had to change my pin on it.  I am impressed that he actually told me he did it though.  He may be crafty, but at least he's honest.  That's pretty OK in my book.

  • guerrid

    What about day-of-week customization? https://support.opendns.com/entries/21809639-Add-a-day-based-filtering-feature- implies that this is already possible.  Not so, as far as I can tell on the R6100 nor in NetGear LPC.  I swore it used to be there until I did a firmware upgrade and now it's not.  Am I imagining things?  Is there another NetGear router that has this feature?  Could we please have the comments reopened for the above idea bank thread, so people can continue to vote for it and comment?  It is really a separate issue from this thread, is it not?

  • guerrid

    One more thing.  I called AT&T and they promptly (overnight, next day) sent me a new U-Verse router with a different default access code so I was able to write that down privately and then obliterate it so my son couldn't read it off of the router.  Returning the old router was a snap.  Didn't even have to do any of the packing.  Just took it to a UPS Store as instructed and they did all the work at no charge.  Just handed them the router and power cable and they did the rest.  Nice teamwork, UPS!

    It would be nice if NetGear would do something similar, rather than making the default code "admin" that can be returned by doing a factory reset on the router.  I have impressed upon my son that consequences will be severe if he does that, but others may not be so lucky, especially if they are asleep or away from the home for an extended period.  At this age, a normally honest kid can easily be overcome by temptation, I'm afraid.

  • mattwilson9090

    Regarding the customized default passwords on routers, AT&T is a services company that has an ongoing relationship with its users. Their entire process is designed around tracking customized and personalized information for a customer, and since those customers are paying them on a regular basis, the additional cost and overhead of the customization is covered by those ongoing service fees.

    Netgear is in the business of making and selling hardware to multiple markets in a retail manner. In other words, once it leaves their factory they often have nothing further to do with a unit, and when they do, most of it is generic tech support issues. Tracking a customized admin password for it would be expensive, something they could not recoup their costs on without raising the costs, and in most cases is simply not needed and would never be referenced by them or any of their customers.

    And since there is no ongoing relationship with a customer, as soon as a device changes hands without that password also being provided (especially if the sticker had been obliterated) they are going to incur support costs to talk with a customer and get them the information. Considering the price of these devices, any time they handle even a single support call, they've lost their entire profit on that device and go into the red. Unless they raise the price or somehow can charge subscription fees they have every incentive in the world to keep things standardized and the same, and to keep their support costs as low as possible.

  • guerrid

    Very good point.  NetGear probably needs to establish a relationship with AT&T like Arris has, or perhaps Arris should license NetGear's Live Parental Controls technology.

  • mattwilson9090

    You're more than welcome to suggest it to Netgear or AT&T yourself, but generally when it comes to a service that provides another vendor's hardware to its customers, it's the service that initiates the process, not the hardware vendor (other than their usual marketing processes). That being said, suggesting what either company should do won't have much weight discussing it in another company's support forums. You'll have to search out their forums, email, or phone numbers and do the suggesting there. They really are not reading OpenDNS support forums to get ideas for their own products or offerings.

  • king_family

    At this point the bigger pain point is that OpenDNS still doesn't support filtering at IPv6, meaning if you don't block it at your router they can bypass all DNS filtering practically on accident.

  • mattwilson9090

    You should start a new thread to discuss IPv6 so that it gets more attention. You should also consider opening a support ticket specifically talking about IPv6 (and only IPv6). I did that recently and had a good exchange with the support people. The long and the short of it is that it's planned, but no ETA, but that they want more feedback. Basically that means the more they hear from customers, especially in formal support tickets that get tracked by category (hence why it should mention only IPv6) the more attention it will get, perhaps to the point of even prioritizing more resources towards it.

    Until then your only option is to disable all IPv6 on your router so that no traffic goes to the internet via IPv6. Plus, if any devices have IPv6 domain servers configured for them they should be removed to make sure that no requests go out for AAAA look-ups even if the DNS lookup itself can only go out via IPv4.

  • king_family

    I've actually done both of your suggestions already about 1 year ago.  I actually filter outbound port 53 so they are basically forced to use the DNS supplied by the router which then blocks IPv6.  That way only IPv4 addresses will ever be resolved and there's no easy way around it (can't statically add DNS servers).

    Maybe it's time to open another thread and ask for an update (I want to say I had a tech call open about a year ago initially trying to figure out why filter was being ignored ... the root cause was IPv6 based DNS:  OpenDNS was IPv6 DNS servers ... but their own products don't work with it).

  • mattwilson9090

    DNS servers, whether IPv4 or IPv6, can host both A and AAAA records, so a DNS lookup can easily return an IPv6 address, and (depending on settings) often will since IPv6 is generally the default over IPv4. OpenDNS can and does return AAAA if they are on the authoritative DNS server for the domain since that's how recursive DNS is supposed to work.

    I'm not sure what you mean by blocks IPv6 but unless you have IPv6 explicitly disabled on your router you have the potential for leakage. I very deliberately have IPv6 configured to the internet, and am well aware that an increasing portion of my traffic is not being filtered by OpenDNS, but that's one of the reasons I don't roll-out internet based IPv6 to my clients yet.

    Yes, it is time to open another thread, that's why I mentioned my support ticket. Basically OpenDNS is asking for feedback and input from users regarding IPv6, and the only way that happens is with a separate thread for IPv6 or a support ticket solely asking for IPv6.
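
The following check is an added example, not part of any poster's comment and not OpenDNS or Netgear tooling. It audits a Linux client for the two leak paths discussed in the IPv6 exchange above: a resolver other than the router, and a routable IPv6 address showing that IPv6 is not disabled at the router. The inputs are constructed samples in the format of `/etc/resolv.conf` and `ip -6 -o addr show`; the router address 192.168.1.1 and all function names are assumptions.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")  # unique local range, not internet-routable
GLOBAL_V6 = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+global")

# Constructed sample inputs (documentation address ranges), not taken from a real host.
SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 2001:db8::53
nameserver 198.51.100.7
"""
SAMPLE_IP = r"""1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: wlan0    inet6 2001:db8:1:2::10/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: wlan0    inet6 fd12:3456:789a::10/64 scope global \       valid_lft forever preferred_lft forever
2: wlan0    inet6 fe80::1c2d:3eff:fe4f:5a6b/64 scope link \       valid_lft forever preferred_lft forever
"""


def nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            # Drop a zone suffix such as fe80::1%eth0 before parsing.
            found.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
    return found


def routable_ipv6(ip_output):
    """Return (interface, address) for each global-scope IPv6 address outside the ULA range."""
    pairs = []
    for line in ip_output.splitlines():
        m = GLOBAL_V6.match(line)
        if m and ipaddress.ip_address(m.group(2)) not in ULA:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def audit(resolv_conf, ip_output, router):
    """List the ways this client could resolve or reach names outside the filtered path."""
    router_ip = ipaddress.ip_address(router)
    findings = []
    for ns in nameservers(resolv_conf):
        if ns.version == 6:
            findings.append(f"IPv6 resolver configured: {ns}")
        elif ns != router_ip:
            findings.append(f"resolver is not the router: {ns}")
    for iface, addr in routable_ipv6(ip_output):
        findings.append(f"routable IPv6 address on {iface}: {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV, SAMPLE_IP, "192.168.1.1"):
        print(finding)
```

On a real client, pass the contents of `/etc/resolv.conf` and the output of `ip -6 -o addr show` in place of the samples; an empty result means neither leak path is present on that device.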

  • guerrid

    Yes, for some time, we were aware that the OpenDNS Live Parental Controls had this limitation but it also works this way for the schedule on the router that blocks all ports for both UDP and TCP.  I believe that level of blocking does not involve DNS, yet the existing connections are allowed to remain after the appointed scheduled block time.  I appreciate your letting us discuss a broad range of features and functionality under the topic of Internet Parental Controls, even if some of the features aren't directly related to OpenDNS.  It is kind of you to let us have this discussion in what I consider more neutral territory where we can talk about a variety of routers and their available features.

    If/when someone does start a discussion about IPV6, I hope they will add the link here for easy reference.  I found an IPv6 setting for the R6100 under "advanced setup" called "Internet Connection Type".  I have it set to "disabled".  I wonder if that means IPv6 is disabled.  The manual is not very clear.  It does not explain what the "disabled" option gets you.

  • mattwilson9090

    Why not just start a new thread about IPv6 yourself? You don't have to wait on someone else.

    You'd have to go to the Netgear support forums to find out if that option disables IPv6 on the router or not.

  • guerrid

    Got it.  It is nice that there are people like you in the absence of the staff members!  Thank you for sharing your excellent knowledge and for your devotion to this forum.  You don't need a staff avatar to be important.  Let me ask you something: if there were a way for you to get paid for such good help that you provide, would that interest you?  I have often thought that if volunteers do such good work for free, might there not be even more people willing to contribute if they were paid?  This is the idea behind my Microroyalties/Crowdsorcery patent that I have pending.  I would like to start a for-profit version of Wikipedia.  Do you think it would work?

  • rotblitz

    Thanks, but this sounds pretty time consuming, and I don't have much more resources yet.

  • guerrid

    Of course I would love to leverage any resources you have, but I was really just asking your opinion as a forum user and contributor.  Wouldn't it be nice if all of your hard volunteer work could translate easily into a paying job where you could earn extra income without doing any more than you are already doing?  Wouldn't router companies benefit by being able to tap into a larger number of highly qualified support people for less cost than bringing them on as employees?  I realize this is way, way off topic, but just curious because I've been thinking about this idea for many, many years.  And I, like you, don't have a lot of resources or time either.  Maybe someone can suggest where the best place to take this thread would be.

  • dmcgrane

    I've thought about how one could make money from this as I see there is definitely a need for better "family" solutions than currently exist. The danger with charging people for advice or a service to help protect their kids is that when it goes wrong, as it will at some stage, they may want compensation. Whereas with advice freely given, there is no comeback. 

    My idea was to take the open-source router code and extend it to do scheduling of SSID availability exactly as a family would want it: school nights, once-off exceptions. Different SSIDs for parents and children, with different scheduling. I don't understand why this doesn't exist. Yet, from monitoring this thread, it doesn't seem to.

  • guerrid

    How many other customers in all industries know better what they need than the manufacturers?  But the manufacturers still don't have a good way of listening.  I think there is an ego that still exists at almost all manufacturers that they have to be smarter than their customers to feel as though they can justify why they get paid the big bucks and customers should pay them, rather than the reverse.  I've heard it called NIH (Not Invented Here) syndrome.  I believe it is a huge and pervasive problem, and I think a lot of it stems from exactly what you just said: product liability.  Another is an arcane intellectual property system of laws and customs.  I just noticed that the judge in the Apple-Samsung case is now on Twitter.  Maybe I can send him this idea!
