Solved

Restrict Internet connection on Router

Posted on 2004-04-07
Last Modified: 2012-05-04
Hello,

I have a Linksys Wireless-G broadband wireless router (WRT54GS) and have a workgroup LAN setup at home. Three PC's are XP Pro and one is Windows 2000. The three XP Pro workstations are my kid's computers.

This router has a parental controls feature built into it and I can prevent my kids from surfing "problem sites." But, this router will not block Kazaa or P2P filesharing sites so really, the parental controls feature is useless.

From an administrative standpoint and at the router level, how can I block P2P filesharing programs and at the same time allow them to access the LAN and browse the internet? Also, I would like to have some sort of KILL command I can submit from my workstation to theirs. Is there such a program? It would be nice if I could Jam their PC from or something when I see the Internet traffic pegging out.

Thanks,

J:\
Question by: jhieb

18 Comments
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10775802
You could edit the Host file of the individual computers and make the Kazaa sites look to your localhost for resolution..

Here is a sample host file that you can copy and rename host

http://www.mvps.org/winhelp2002/hosts.txt

It includes the Kazaa urls...  and many of the ad servers out there..  which will make life easier on you..

Note.. the host file has no extension and is located here:

c:\%system folder%\system32\drivers\etc
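As an added example, not code from the thread or from the MVPS list: a small Python helper that appends sinkhole entries to a hosts file and audits the result. On Windows the file is named `hosts` with no extension and lives under %SystemRoot%\system32\drivers\etc (the path the comment gives); the existing hosts content and the blocklist names below are constructed for this example, not the real MVPS list.

```python
"""Added example (not from the original thread): build and audit a hosts file
that sinkholes unwanted hostnames to 127.0.0.1, the approach the first comment
describes with the MVPS hosts list.  EXISTING_HOSTS and BLOCKLIST are constructed
sample data, not the real MVPS file."""
from __future__ import annotations

import ipaddress

SINKHOLE = "127.0.0.1"

# Constructed sample: what a hosts file might already contain.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   # home NAS
"""

# Constructed sample blocklist (hypothetical names); note the duplicate in other case.
BLOCKLIST = ["download.kazaa.example", "ads.example.net", "Download.KAZAA.example"]


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to its address, skipping comments, blank
    lines and malformed address fields.  First entry for a name wins here;
    resolver behaviour on duplicates varies by platform."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def add_sinkholes(text: str, names: list[str], sink: str = SINKHOLE) -> str:
    """Append a sinkhole line for every name not already present.  Idempotent
    and case-insensitive, so rerunning it never duplicates entries."""
    current = parse_hosts(text)
    out = text if text.endswith("\n") else text + "\n"
    seen: set[str] = set()
    for name in names:
        key = name.lower()
        if key in current or key in seen:
            continue
        seen.add(key)
        out += f"{sink}\t{key}\t# sinkholed\n"
    return out


def resolve(text: str, name: str) -> str | None:
    """What a hosts-file lookup would return for `name`, or None if absent."""
    return parse_hosts(text).get(name.lower())


def is_sinkholed(text: str, name: str, sink: str = SINKHOLE) -> bool:
    return resolve(text, name) == sink


if __name__ == "__main__":
    updated = add_sinkholes(EXISTING_HOSTS, BLOCKLIST)
    print(updated)
    for host in BLOCKLIST + ["fileserver", "www.example.org"]:
        print(f"{host:30} -> {resolve(updated, host)}")
```

Run it with Python 3 to print the merged file; on a real machine the output would be written over the hosts file from an administrator account and, as the accepted solution below suggests, protected with NTFS permissions so a non-admin user cannot undo the entries. The limit of the technique is that it only affects name lookups: once a P2P client has a peer list it talks to other peers by IP address and never consults the hosts file, which is the gap the author points at.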
 
LVL 1

Author Comment

by:jhieb
ID: 10775834
That won't work. My kids are too smart for that. They know that if they really want to they can reformat the machine, get an IP address, and be on their way. The administration needs to be controlled at the router level somehow. I need to find out how to do this at the router level. Linksys technical support is no help. As a last resort, I would like to blast them with some type of network command that would freak their machine out so it would need a reboot.
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10775976
Reformat the machine..??  Extreme solution, but it sure would do it..  :)

Been working these low-end routers for quite a while and just do not think that there is a way to prevent access to these sites..  hmmm.. Let me pull down the pdf and take a look..  If we were working with a higher-end model, we could restrict them, but just do not know about that particular router..

Back in  a bit..

FE
 
LVL 1

Author Comment

by:jhieb
ID: 10776009

I also subscribed to the new Linksys Parental Controls feature. I can block offensive sites but that really is trivial. It has an option to block "high bandwidth" applications but really, it is a lame feature. Kazaa is pretty smart. I've read that even if I blocked certain ports it is smart enough to jump to an available port and even use the Internet Port, port 80, to transfer files.
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10776136
Yes, that is correct..   Once a session is established, it is hard to prevent..  but if we can use IPsec, or something of that nature, we might be able to prevent this..  Too bad you are not running an ISA server on your LAN..  
 
LVL 1

Author Comment

by:jhieb
ID: 10776195

I have a spare machine but it's not powerful enough to run any high-end app. The spare machine is a P166 with 64MB RAM. I've thought about attaching the cable modem to that, adding a second NIC to my workstation, and sharing the internet through my PC. If I did this I could probably use Linux as a firewall and lock down the traffic but I don't know anything about Linux and I am just as ignorant about firewalls.

 
LVL 40

Accepted Solution

by: Fatal_Exception (earned 250 total points)
ID: 10776249
After skimming the guide, I find no way to actually prevent your children from browsing these sites with the router itself, unless you want to turn on the Time Restrictions feature and log their browsing, making them aware that you are doing so...  But this still will not allow you to restrict them with this hardware..  more like a trust - threat relationship..  

And another thing to keep in mind, if they are that smart, they can always hard reset the router to bring it back to its default settings, which will nullify any config you place on it...

If it were me, I would focus on the individual systems..  Create user accounts (non-admin) and restrict those accounts with Group Policy (gpedit.msc)..  Put in that host file and deny access via NTFS permissions..  and then LOCK UP the OS media (installation CDs) so they would have to purchase a new OS for a reinstall...  I don't know about your kids, but I doubt if mine would be willing to spend the money on a new OS..  

Or, put in an ISA server and use the proxy functions to stop this traffic...  But that is a rather expensive solution, and you could upgrade the router if that is the case..  

FE
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10776322
Again, if your kids are that smart, they could easily get around a linux firewall from the inside interface...  I have set these up to use as routers, and they have nice features, but if you just use another CAT5 wire, your kids could bypass it in a heartbeat..  And with the use of a Linux Password Hack utility, they could gain access to it quite fast...    And again, resetting it to the default setup is quite easy too...

I guess this all comes down to the reason to use Domains, and having the servers and DMZ's located in a secure, locked room..    If you had a server running your LAN, and prevented Local Profiles from being loaded, we could easily lock down your LAN...  Lol, eh..?

BTW:  I have used the methods I mentioned directly above for some of my friends' home LANs where they were concerned about their kids' surfing habits..  Whenever I stop by, I check and make sure that everything is kosher, and I have yet to find a problem...  :)  Knock on wood...!!

FE
 
LVL 1

Author Comment

by:jhieb
ID: 10776346
Yes, that is what I am doing. The Parental Controls feature is purchased through Linksys. The MAC address (or some ID) of the router is monitored by Linksys. So, even if the kids rebooted the router it would only work if it were validated through Linksys. This part I like.

I've also turned on logging and set the access level according to their age. This works for the most part. Regular internet browsing is logged but p2p is not. What a feature, eh?

One of my sons, he's 16, is somewhat of a computer genius in the making. He knows PCs pretty well and when he really wants to, he just disconnects the cable and plugs it directly into his laptop, Ha! So, one of my next steps is to lock up the cable modem and router. It's unfortunate that he just won't stay out because I asked him not to but he's a teen and likes to test his boundaries. Also, I don't want to discourage his curiosity. But, I want to prevent all the junk from being downloaded into my house.

One of the problems with XP Pro or Home is that if I downgrade their access in any way they are (many times) unable to load games. The only way to keep this problem from happening is to give them Admin access to their machines.

I am going to talk to them again and make a deal. I'll not block the p2p access just as long as my admin account doesn't get removed. That way, I can spot check their PCs across the network. As a last resort, though, I can boot their PCs with KNOPPIX and browse through them as much as I want. I just don't want to have to do this. My first want is to trust them but they're teenagers. So, my second hope is that I can figure out some way to manage the network from my PC and from the router level.

If all fails, I would still like some hack or app I can run from my pc that will jam theirs until a reboot.

One thing I like about the router is that I can limit their MAC address since they are using wireless NICs. I can restrict them this way but if they connect directly to the LAN then there is no way to restrict their MAC address.

If you can think of anything else please let me know. It looks like you are the top expert on this board so I value your opinion and suggestions.

Thanks,

J:\
 
LVL 1

Author Comment

by:jhieb
ID: 10776370
Ha, you are definitely right about that. I might have to install a domain. My spare workstation is pretty weak so I can only get NT 4.0 on it. Do you think NT 4.0 could do what I need, allow XP machines on the network, etc? It is so user unfriendly but I could give it a try.
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10776815
Kids are the greatest..   Gotta love their curiosity and that willingness to push the limit..  And the challenge to stop them in their tracks...   I love it..  :)

You can use NT4 for this, but administration is a nightmare when considering the advantages of W2K or W2K3...   The Active Directory and the Group Policy security features of W2K make it a real necessity as far as I am concerned..  

You can also Lockdown your systems with Local Group Policy...  (did I mention that above..  :)

Although this is for W2K systems, it applies to XP as well..

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting

http://support.microsoft.com/?kbid=293655

 
LVL 1

Assisted Solution

by: doushanes (earned 100 total points)
ID: 10778395
If you have an old pc laying around, you can go to http://mikrotik.com and download a demo version of their
router software. Put two NIC cards in and load the demo. It has limited features but more features than a low-end router and won't cost you anything. In their firewall they have a feature where you can mangle all p2p traffic and block it. It has a GUI for easy management. If you decide to go with a full version, it's only $45. They have great documentation so following the examples is pretty easy.
Might be something to look at.

doushanes
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10778804
Works like a proxy server, eh..???  I will have to ck that out..  

FE
 
LVL 1

Author Comment

by:jhieb
ID: 10778850
Thanks to both of you. Hopefully, the points split well. I will give the mikrotik solution a try and also put in W2K managed network. BTW, if you know of a kill PC command or app I can run from my pc I would sure love to know what that would be ;-)

Thanks,

John
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10780180
I know of no utility that can lock a remote workstation if the user has the password to unlock it...  you could use your Services window (Start > Run > services.msc) and remotely connect to their computer, then disable services to stop their network stack...  This is tricky, as you must remember what you disabled, so you can reenable it..  And once you disable it, you will not be able to remotely enable it...  Depending on just how clever your kids are, they could figure this out too...  :)

Let me think on this, and if I come up with a way to do it, I will certainly come on back with my suggestion..

And thanks..

FE
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10782881
Ok..  here is an idea..  You can use a free utility from Sysinternals to remotely execute commands on your network...  I have used this in my domain, and I believe it will work in a workgroup also..

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

The idea is to use the command to release the IP address of the remote computer...  If you have a policy setup on your client machines that forbids the user (your children) from accessing the Command Shell, and the Network Connection Properties, you can stop all surfing remotely..  Again, I am sure that your kids may figure out a way around this, and you will need to reset the IP address locally, but what the heck..  

And for preventing a reinstall of  the OS, you may want to enter your BIOS and setup the boot order to not boot from the Cdrom drive or Floppy..  only the IDE..  Then password protect the BIOS..  This will stop them from reinstalling the OS from CDrom or a boot floppy..   (Of course, the way around this is to jump the motherboard cmos battery and reset the bios, but it may take them a while to figure this out..  :)

Again, if I can think of anything else, I will keep the suggestions coming..
 
LVL 1

Expert Comment

by:doushanes
ID: 10784384
I am glad to hear that you are going to give Mikrotik a try. I work for a Wireless ISP and we use these exclusively as our routers. I also have one at home for my personal use. These routers are great. I would also recommend signing up to the mailing list. There are a bunch of helpful people if you run into any configuration problems. I am one of them.
http://bruno.pmi.lv/mailman/listinfo/routeros/
doushanes
 

Expert Comment

by:petteyg359
ID: 11244759
You could have the router block all addresses under the protocol "ed2k://", and block anything that comes through with "Gcache" in the header. That would at least block anything off of eDonkey and anything that uses Gnutella (Gnucleus, Shareaza, and many others)
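The Mikrotik "mangle p2p" feature doushanes mentions and the ed2k/Gcache blocking petteyg359 suggests both work by inspecting the payload rather than the port, which is exactly what Kazaa's port-hopping onto port 80 defeats. As an added example, not code from the thread or from any product named in it: a Python classifier that matches the opening bytes of a TCP payload against the well-known handshakes of Gnutella (including GWebCache bootstrap requests), Kazaa/FastTrack, eDonkey and BitTorrent, and compares that verdict with a port-only policy. The sample flows and the port list are constructed for the example. Strictly, `ed2k://` is a link scheme found in web pages; on the wire an eDonkey client is recognizable by its 0xE3 protocol byte, which is what the signature below uses.

```python
"""Added example (not from the thread or from Mikrotik/Linksys): classify TCP
payloads by application-layer signature, independent of destination port, and
compare with the port-only blocking a consumer router offers.  Signatures are
the documented opening bytes of each protocol's handshake; the sample flows
are constructed for this example."""
from __future__ import annotations

import re

# Default ports of the clients discussed in the thread: Kazaa/FastTrack, eDonkey,
# Gnutella, BitTorrent.  A port-only policy blocks these and nothing else.
P2P_PORTS = {1214, 4662, 6346, 6347, 6881}

# (label, pattern applied to the opening bytes of a payload)
SIGNATURES = [
    # Gnutella connection handshake
    ("gnutella", re.compile(rb"^GNUTELLA CONNECT/0\.[46]\r\n", re.I)),
    # GWebCache bootstrap: an HTTP GET to a cache script with the standard
    # ping/hostfile/urlfile/client query keys (the "Gcache" traffic above)
    ("gnutella-gwebcache", re.compile(
        rb"^GET /[^ ]*(?:gcache|gwc|gwebcache)[^ ]*\?(?:ping|hostfile|urlfile|client)=", re.I)),
    # Kazaa/FastTrack: HTTP-shaped requests for /.hash= etc. plus vendor headers,
    # close enough to web traffic to travel on port 80
    ("fasttrack", re.compile(
        rb"^GET /\.(?:hash=|files|supernode|network|status)[^\r\n]*HTTP/1\.[01]"
        rb"|^(?:User-Agent: KazaaClient|X-Kazaa-(?:Username|Network|IP):)", re.I | re.M)),
    # eDonkey2000/eMule: protocol byte 0xE3, 4-byte little-endian length, opcode 0x01 (HELLO)
    ("edonkey", re.compile(rb"^\xe3.{4}\x01", re.S)),
    # BitTorrent: pstrlen 19 followed by the literal protocol name
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]


def classify_payload(payload: bytes) -> str | None:
    """Return the label whose signature matches the opening bytes, or None when
    nothing fires (legitimate traffic, or an obfuscated/encrypted client)."""
    head = payload[:512]          # handshakes sit at the very start of a session
    for label, pattern in SIGNATURES:
        if pattern.search(head):
            return label
    return None


def decide(dst_port: int, payload: bytes) -> tuple[str, str]:
    """Verdicts of a port-only policy and of payload inspection, side by side."""
    port_only = "block" if dst_port in P2P_PORTS else "allow"
    label = classify_payload(payload)
    inspected = f"block:{label}" if label else "allow"
    return port_only, inspected


# Constructed sample flows: (description, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("browser fetching a page", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("Kazaa on its default port", 1214,
     b"GET /.hash=0123abcd/song.mp3 HTTP/1.1\r\nHost: 10.0.0.5:1214\r\n"
     b"X-Kazaa-Username: kid1\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    ("Kazaa port-hopped onto 80", 80,
     b"GET /.hash=0123abcd/song.mp3 HTTP/1.1\r\nHost: 10.0.0.5:80\r\n"
     b"User-Agent: KazaaClient Jul  2 2003 12:00:00\r\n\r\n"),
    ("Gnutella handshake", 6346,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: Gnucleus 1.8.6.0\r\nX-Ultrapeer: False\r\n\r\n"),
    ("GWebCache lookup over 80", 80,
     b"GET /gcache.php?hostfile=1&client=GNUC&version=1.8.6 HTTP/1.1\r\nHost: gwc.example.net\r\n\r\n"),
    ("eDonkey hello", 4662, b"\xe3\x11\x00\x00\x00\x01" + b"\x00" * 16),
    ("BitTorrent handshake", 6881,
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-AZ2304-" + b"\x00" * 12),
    # random-looking bytes standing in for an obfuscated or encrypted client
    ("obfuscated client on 80", 80, bytes(range(17, 81))),
]


def audit(flows=SAMPLE_FLOWS) -> list[tuple[str, str, str]]:
    """(description, port-only verdict, inspected verdict) for each flow."""
    return [(desc, *decide(port, payload)) for desc, port, payload in flows]


if __name__ == "__main__":
    for desc, port_only, inspected in audit():
        print(f"{desc:28} port-only={port_only:6} inspected={inspected}")
```

Running it shows the point of the comparison: the Kazaa session on port 1214 is caught by both policies, the same client on port 80 only by payload inspection, and the final flow, random bytes standing in for an obfuscated or encrypted client, passes both. Signature matching is a filter on clients that announce themselves, not a guarantee, which is one more reason the accepted solution pushes the controls onto the workstations themselves.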
