Router White List

[GKusnick]

All kinds of technical solutions are possible, but I have to agree with Fuzzy that at bottom this is not really a technical problem. It seems to me that by treating it as one you're basically telling the kid that you expect him to try to break the rules and challenging him to outwit you. None of my business perhaps, but this may not be the most effective way to change his rule-breaking behavior.

[reggie14]

The geek in me thinks this is an interesting technical problem, but GKusnick and Fuzzy have a point here. Rather than going to extremes to block traffic, you could just monitor Internet traffic pretty well. There are ways to do that with DD-WRT too.

[toricred]

I fully agree that it's not really a technical problem, but I'm trying to come up with a technical solution that will slow him down for a relatively short period. I'll turn it on and off on a very regular basis so I want it simple. Also that will limit his desire to break it if it's not in effect all that often. Finally it will also limit his exposure to my solution if it's not in place most of the time.

I'm not at all opposed to buying a router that can handle DDWRT. In fact I'm looking into that right now. It may also simplify a few other things on my network so it is totally worth it. (This is the only way my wife will let me spend more money to make the network simpler to manage.)

[WeidnerJ]

Maybe physically take the CD-Rom out? That is probably the way that he is resetting the administrator password. There are linux tools that can boot from a CD rom. BIOs passwords are great, as long as he can't get to the motherboard to reset the BIOs. Some computers even come with a place to put a small lock on the case to keep others out. And if the hard drive is using full hard drive encryption, then even a linux reset CD won't work, it won't be able to read the hard drive. Set the BIOs to not allow the CD-ROM or USB drives so he can't boot a live CD of any type.

I see the challange here. Battle of wits!

If you don't do anything above, you can use another PC using sharing of the Internet, secure that PC and then run that one to a DD-WRT router. A low end PC with 2 NICs would work. As long as he doesn't have physical access to it to break into it, then he can only access it and since it is secured, can't do anything more than you give him rights too on the router using the white list solution.

1st rule of IT security is physical security. Any device can be broken into if you have access to it. And sometimes simple is the best solution. Just have a way to secure the router, and unplug the network cable as needed. Without a phycal connection, no Internet. Router could be encased in a cheap lockable cabinet since they don't produce much heat.

[david1234]

I'm not sure if it's any easier... but if you don't mind static IPs, you could go ahead and assign IP address to everything in your dhcp by mac address.

Then, modify the firewall to deny all outbound traffic. Then, allow outbound for the specific IP's that you want.

He would have to spoof the mac addresses of one of the other systems on your network to get outbound access.

[brainbone]

Quote:

Originally Posted by toricred

I'm not at all opposed to buying a router that can handle DDWRT. In fact I'm looking into that right now.

If you do plan on using VLANs with DDWRT, be aware that some router hardware will not support VLAN functionality -- even with DDWRT. The WRT150N is one example. I'm not sure if the lack of a "VLANs don't work" note in the supported devices list is enough to trust that VLANs work for a given device or not.

Looking trough the thread, I couldn't find if you said you were trying to secure/control wired or wireless access?

[MrD]

20lb hammer

He'll end up using your neighbor's wireless network. Which puts you at the risk of Johhny law.

[toricred]

His machine doesn't actually have wireless. Because of the network layout in our house I can't take his room out of the loop on the wired network.

[brainbone]

Quote:

Originally Posted by toricred

Because of the network layout in our house I can't take his room out of the loop on the wired network.

Could you expand on this?

[toricred]

We get a lot of cold weather here and the house is on a slab with no attic. The layout has one hall down one side with the living room/Kitchen at one end and all the bedrooms side by side going down the hall. The master bedroom is the opposite end of the house from the Living Room/Kitchen.

My server room is a Mud room off the kitchen. I run the network cable from there into the bedroom next to it (my youngest son's room) I have a Gigabit switch in that room then from that room to the next room (the troublemaker's room) with another Gigabit switch and then on to the master bedroom. The biggest problem with this has been that each of the kids can make a mistake and mess up the switch in their room and the rest of the circuit is gone so everybody after that is out of luck. Running the cables through the walls would be nearly impossible so I run them along the baseboards with small holes through the walls when going between rooms. I've thought about wireless for at least the Master bedroom, but when I tried it with my HD200 it didn't work well enough.

[brainbone]

Yikes.

In that configuration, mac address filtering may be the only way, but its very easy to circumvent.

One option may be to change your wiring over to flat CAT5e, allowing a (3 line?) home-run bundle to service each PC directly from the mud-room, not taking up much more space than your single cable. Provided you place the switch in a secure location (a ventilated lock box in the mud room) you should be able to control access now by simply unplugging the cable to his room -- and hoping he doesn't resort to tapping the bundle running through his room.

Another option, while certainly not providing the bandwidth of gigabit: Powerline Networking.

[toricred]

I've looked into the powerline option and unfortunately the Master Bedroom and the was an addition later on so it's on its own circuit. My understanding is that it won't work if the circuit is different.

So are you suggesting three lines of the flat cable to the first room, then two to the second room and only one to the master bedroom or are there three lines in that cable?

[brainbone]

Quote:

Originally Posted by toricred

I've looked into the powerline option and unfortunately the Master Bedroom and the was an addition later on so it's on its own circuit. My understanding is that it won't work if the circuit is different.

There is a jumper/bridge (sorry, been awhile since I last installed one, can't remember the exact name) that can be used to increase the bandwidth available between legs/phase, assuming the other circuit is on a different leg in the breaker box. If its just on a different breaker, but still on the same leg, it should just work (at least, as well as Powerline Networking works).

Quote:

Originally Posted by toricred

So are you suggesting three lines of the flat cable to the first room, then two to the second room and only one to the master bedroom?

Yes, with no splices in any of the lines.

[toricred]

OK, The power is all from one breaker box so there should be a decent chance. Is there an easy way to determine what is on the same leg?

[brainbone]

Quote:

Originally Posted by toricred

Is there an easy way to determine what is on the same leg?

Generally, if the breakers are right next to each other (up and down), they are on different legs. Every other breaker (up and down) is on the same leg. Breakers that are opposite of each other (left-right) are usually on the same leg. If you have any breakers that look like two stuck together, taking up the space of two breakers, that would be feeding 240v (one wire from each leg).

Make sure you get any powerline networking adapters from a place you can easily return them. They can be very finicky. I have some Netgear HDX101 that wont carry HD even if plugged into the same outlet.

[toricred]

I'm actually testing my HD200 in the bedroom with wireless N again. Before I was having major problems with 1080i content. I've done some significant upgrades around the house lately and it seems to be working just about perfectly right now. I'm going to try this out for a couple of days and see if it would work well enough.

My problem with purchasing from a place that is easy to return is that the nearest place to buy this kind of stuff is about 90 miles away. I'm in that neighborhood every year or so. I think I'm going to check into DDWRT as a solution. Fortunately the kid's been pretty reasonable the last couple of days so I have some time to come up with the right fix.

[toricred]

Wireless is almost good enough, but not quite. I've decided to run a homerun from the mud room to the master bedroom and then drop the boys' rooms from my room. We've decided that when one of the boys goes off the internet then they both have to.

[stevech]

Quote:

Originally Posted by toricred

Blocking isn't going to help. The problem is my son who's already figured out how to change his MAC address to avoid blocking. I really need something that will allow only MAC addresses I specify.

Maybe time for establishing boundaries and discipline?

[brainbone]

Quote:

Originally Posted by toricred

Wireless is almost good enough, but not quite.

If you do end up with a DDWRT compatible wireless N router, you can usually increase the transmission strength above what the router would have had as a factory default. This helps greatly in transmission of HD content, reducing retransmission errors -- especially if you use two (or more) DDWRT routers to create a wireless bridge (one for an access point, and one (or more) for clients).

Quote:

Originally Posted by toricred

I've decided to run a homerun from the mud room to the master bedroom and then drop the boys' rooms from my room. We've decided that when one of the boys goes off the internet then they both have to.

Good plan.

[toricred]

Well I finished the rerouting of the cables and now the kid complains that this also cuts off his HD200. There's just no way to win this battle simply. I guess I'll be going the DDWRT route. For those of you who use it can you recommend a router that also does Gigabit and maybe even has simultaneous dual band for 802.11n?