Kids bypassing access restrictions

Discussion in 'Tomato Firmware' started by RonV, Jun 20, 2013.

  1. RonV

    RonV Network Guru Member

    I think my kids may be bypassing my access restrictions by putting in other mac addresses and IP addresses that aren't in my static dhcp configuration. Is there a way in Tomato to only "grant" access to the internet vs. restrict that is easy to setup. I want to make sure that only devices that get DHCP addresses as defined in the static DHCP hosts can get internet access.

  2. Planiwa

    Planiwa Network Guru Member

    I manage networks houses with university students and academics. Here is what I do:

    1. DHCP .90-.99 (I use short leases, but I suggest Ron use long leases: 10080 minutes), for persistent visibility.

    2. Static for everyone who is "registered". (I use .100-.109 ... .240-.249 for up to 10 devices for up to 25 people. .250-.253 is for admin) Do not check "Ignore DHCP requests from unknown devices"

    3. BW-Limiter: .90-.99 gets extremely low data rates and connections. Just enough to authenticate, but not enough to do anything useful.

    This way, when someone new moves in, I can see them in "Device List", and give them a Static registration.

    It also means that if someone has a new device, I can see it (for several days), and register it, without having to ask them for the MAC address.

    In Ron's case, he can easily see when an unregistered device shows up. It will have an IP address of .90-.99

    That may or may not solve the problem. Learning to read the Syslog is always a useful skill.
  3. jerrm

    jerrm Network Guru Member

    If they are smart enough to change macs, they are probably smart enough to assign their own IPs and avoid DHCP completely.

    Best you can really do without some form of authenticated proxy is force them to a specific iprange using a VLAN. Assuming wireless, give them their own virtual SSID and dedicated subnet.

    If they need to be on the same subnet (or have access to a wired port), use the most restrictive netmask possible, assign static IPs consecutively, and block anything outside the assigned range. For instance, if you need to support 10 devices, use a netmask, statically assign IPs .1 to .10 and add something like "iptables -I FORWARD -m iprange --src-range -j DROP" to the firewall script. You can enable the wireless filter to allow only known MACs, but that won't help if they have wired access. Even with all that, they could still spoof valid MACs and/or IPs.
  4. PetervdM

    PetervdM Network Guru Member

    what kind of access restrictions?
    if it is content, consider using an opendns profile in combination with dnscrypt-proxy, and blocking all 53/udp and 53/tcp.
    if it is time, you could consider a timing device, connected to an extra switch if it is wired access.
    these are global measures, they affect them as much as yourself.
    beside i am afraid that if they are smart enough to circumvent your current access restrictions, they or their friends may be also smart enough to hack the new ones. or your neighbours.....
  5. RonV

    RonV Network Guru Member

    Thanks for the suggestions. Yes they are smart enough to bypass my DHCP assignment and have allocated addresses in my DHCP block statically to get around access restrictions I have a night for their PC's and mobile devices. Once I found them doing this I went to MAC addresses to enforce the restrictions for after hours access and then I noticed strange MAC's showing up.

    I like the idea of the bandwidth limiter for the rage of IP's outside of the DHCP assigned to collect the info but If they already know my addressing scheme they can easily work around this. The good thing is that phones don't have the ability to change mac's so I am covered there and I have now taken away on the PC their ability to change MAC via policy.

    I think this will be a ongoing battle as they talk to friends at school.
  6. Planiwa

    Planiwa Network Guru Member

    I would be interested in knowing how someone can "bypass my DHCP assignment and have allocated addresses in my DHCP", without logging into the router.

    What evidence do you have?
    Have you seen this in the Syslog?

    From the original message "I think my kids may be bypassing ..." it was not clear wherther this was a mere suspicion, or sure knowledge based on evidence.

    Any response or solution should take into account any actual data, no? Perhaps I'm missing something? :)
  7. WRD - EasyTomato

    WRD - EasyTomato Networkin' Nut Member

    If you've got an RT-N16, you can give EasyTomato a try.

    In EasyTomato we have an "unassigned group". Any new device on the network is automatically placed in this group, so the kids can change their MAC address or IP address all day, but they will still stay in the unassigned devices group as they're an "unknown" MAC address.

    Put the access rules in the unknown group, leave their computers in it, then put your own computers in another group with no access rules.

    If they spoofed their MAC address to match your computer's they could get around it, but they would need to know your MAC and that could cause a lot of other network issues.

    [​IMG] [​IMG]
  8. xorglub

    xorglub Addicted to LI Member

    ARP binding (in the static dhcp page) should solve some of that.
  9. Planiwa

    Planiwa Network Guru Member

    Right. If.

    At this point we don't know. For all we know . . .

    a) this is all nothing but a suspicion, or
    b) kids are using neighbour's net, or
    c) kids know router's password, or
    d) kids are spoofing dad's MAC address -- really, easy to find out, with default configuration, or

    ? ? ?

    We haven't been told:

    1. what they are *not* supposed to be doing,

    2. what they have been observed to be doing (informal observations)

    3. how they are doing that -- (technical data -- from Syslog, etc.).

    I acknowledge that some folks just want to *fix* it, whatever it may be.

    But others first want to find out what *it* is.
    So, putting all intruders into a "crawl" tar-pit for a week works for me.
    And so does looking at the Syslog, etc., to see what is actually happening.

    "Ignore DHCP requests from unknown devices" "works", but it pollutes the Syslog.
    A tarpit doesn't fill up your Syslog with redundant bulk, and affords monitoring what they are trying to do, when, and how.
  10. Elfew

    Elfew Network Guru Member

    "Ignore DHCP requests from unknown devices" is the answer... just set static IP adress in device list for known devices and check this option...

    if they change the MAC/IP they wont connect anymore... :)))
  11. jerrm

    jerrm Network Guru Member

    Don't count on not changing the smartphone MACs, they sound clever enough to do it. Pretty simple actually after a quick google search.

    Play hardball and if they continue trying to circumvent things cut them off completely - they will come around.

    Again, for wireless, the easiest way to force them into a specific address range is with a virtual ssid and vlan. Make sure the "main" ssid password is kept secret.
  12. kthaddock

    kthaddock Network Guru Member

    well all is very useless if they can do "arp -a" then they can by pass all of that.
  13. jerrm

    jerrm Network Guru Member

    They will if they manually assign their own IPs.
  14. jerrm

    jerrm Network Guru Member

    He never said they weren't logging in. It's literally child's play to manually assign IPs and bypass all DHCP based controls.
  15. Planiwa

    Planiwa Network Guru Member

    True. I suppose that's what Ron was saying in his 2nd message. Your suggestion of a virtual guest vlan will probably do the trick.
  16. Monk E. Boy

    Monk E. Boy Network Guru Member

    How about something simple, like iptables rules that DROP all traffic from IP addresses you don't have assigned? That will take care of non-DHCP addresses, since everything outside the DHCP scope gets dropped by the router.

    At that point they'd be down to manually assigning addresses in the DHCP pool, or trying to pick up another address by changing their MAC address. The trick there is to make sure all your (unrestricted) devices are always on the network, so if they attempt to use one of those IP addresses it'll cause a conflict and block both devices from working.

    Worst case you could move to a VLAN build, create one wireless network for them, one wireless network for you, and then literally turn off their wireless network at a certain time. Choose a long cryptographically strong password as your network's WPA2/AES passkey and let them try and brute force that... for several years.
  17. RonV

    RonV Network Guru Member

    Thanks again for the replies. I know they have bypass the DHCP server. Their browsing items are showing up in the web log under alternate addresses. Once they know the wireless passcode they can manually assign IP addresses. Again it's a technical battle and a parents responsibility to explain why these policies are in place and the penalties are incurred if they circumvent the policy's need to handed out. I stated this thread for suggestions that may help and I really appreciate this community providing the feedback.
  18. Monk E. Boy

    Monk E. Boy Network Guru Member

    The hurdles you face are similar to hurdles other of us face.

    I'm in a school environment and kids think they're anonymous and can do anything, only to end up expelled - sometimes even facing fines and criminal charges depending on the severity of their acts.

    Its best to explain the what and why of things, but sometimes kids are just going to be kids and the foot has to come down. Good luck in any case.
  19. WRD - EasyTomato

    WRD - EasyTomato Networkin' Nut Member

    Tomato's access restrictions can be given mac address and can be told to apply rules to all BUT spesific macs. This means if they change their MAC address to anything OTHER than yours, the rule will still apply. This is what we do in ET with the unassigned group.

    Sure, if they figure out arp -r then they can spoof to a known, unblocked mac. This is all good for practice for their computer networking skills :)
  20. RonV

    RonV Network Guru Member


  21. francisuk20

    francisuk20 Networkin' Nut Member

    You could setup another AP/Router and connect that WAN port into one of the LAN ports Also make sure they have a diffrent ip ranges from the main one, Make an static IP from the main router and setup example say if your kids router was, make an block/access restriction from that IP.

    So therefore if they change the LAN mac or new IPs on the kids router it wont make a diffrents, The only diffrents i can see is if they know the main routers password they can stil access that from the WAN port so would be ALL the traffic from AP/Router and not diffrent IPs.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice