

Scheduled Port Blocking on Home WiFi Network

Posted on 2009-04-07
Medium Priority
Last Modified: 2013-11-12
With a couple kids at home I would like some control over their time online, specifically at night. I have a home network with a Netgear WPN824 and a D-Link DI-624 hardwired from the FR114P firewall/router at opposite ends of the house. I bought a Netgear WNR2000 to add upstairs near the kids' rooms and have tried to use the 'port blocking' per a schedule that would limit their access at night.

For the previous 'grown ups' routers, I have given them the same hidden SSID, channel and WEP key so the kids will only see the WNR2000 in their wireless network.

After much trial and tribulation I discovered that the port blocking could only take place when using the WAN port on the WNR instead of daisy-chaining the LAN ports as I had done with the other devices. This would call for a separate subnet for the kids, but that actually had a couple advantages: They can't browse the 'main' network ( although I could give them explicit access to shares using an IP address, i.e. \\\Music ). Secondly, I could specify OpenDNS on the kids' router to have more control over content.

So, it looks like this:

DHCP for the 192.168.0 network ( Range .10 - .30 )

Netgear WPN824
D-Link DI-624
both share the hidden SSID, channel 6 and WEP keys

I connect from a LAN port on the WPN824 to the WAN port on the WNR2000.

Netgear WNR2000
Gateway ( FR114P )
DHCP for the 192.168.1 network ( Range .10 - .30 )
Channel 11

So now I have two separate networks - The kids can connect to the WNR2000 out to the Internet, per schedule in theory, but not browse the contents of the 192.168.0.x network.

I say 'in theory' because I have still had issues and a couple questions:

1. When I make changes to the WNR2000 block services and scheduling, should I give the unit a hard reset? Sometimes it doesn't appear to 'take' the new settings right away.

2. If I am logged onto the WNR2000 and change the settings to block ALL ports at ALL times, shouldn't that immediately kick me off the Internet? It doesn't.

3. Is there a basic tool I can use to test the path through the WNR2000 when it is getting out to the Internet during the times it is explicitly told to block all ports?

I hope this is clear and that someone with experience could give some guidance in this configuration.


Question by:kf59

Accepted Solution

ato26 earned 900 total points
ID: 24109140
1.) You shouldn't have to.  Do you have the latest firmware?
2.) Theoretically, yes.  Again, latest firmware?
3.) NMAP should be able to do this and much more but there is a learning curve

It sounds a little bit like what you're trying to do exceeds what your hardware realistically supports.  The best way to accomplish this and avoid a serious headache may be to just set up a proxy server with an old junk computer.  I REALLY like Astaro (http://www.astaro.com/our_products/product_overview/landing_pages/free_home_edition) but I can't remember if the home version's content filtering does time schedules although I'm pretty sure it does.  This would also give you the option of gateway antivirus.  If you're more Linux-savvy you could use Squid (the April issue of Linux Pro Magazine has a nice article on this).  Also, with a proxy you have more control over where they're going and what they're doing.

Personally, when my girls are old enough to start using the web I'm probably going to buy an Astaro or Cisco ASA and PHYSICALLY lock it up.  With my wife and I both being into IT and remembering how I hacked around my dad's security features to get on the internet in the mid-late 90's despite him knowing what he was doing as well, I'm not taking any chances ;)

Good luck!
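
A minimal path test for question 3, added here as an example and not part of the original thread or any poster's code: run from a client on the WNR2000 subnet, it opens fresh TCP connections and reports where the result disagrees with the block schedule. The block window (21:00 to 06:30) and the target hosts are assumed values for illustration.

```python
import socket
from datetime import datetime, time

# Assumed values for illustration: the nightly block window set on the router
# and a few outbound services to try from a client on the kids' subnet.
BLOCK_START, BLOCK_END = time(21, 0), time(6, 30)
TARGETS = [("example.com", 80), ("example.com", 443), ("example.org", 80)]

def in_block_window(now, start=BLOCK_START, end=BLOCK_END):
    """True if `now` falls in the window; handles windows that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def probe(host, port, timeout=3.0):
    """Attempt a brand-new TCP connection; True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS lookup failed
        return False

def audit(now, targets=TARGETS, probe_fn=probe):
    """Compare what the router lets through with what the schedule says.

    Returns (host, port, reachable, expected_reachable) for every mismatch.
    """
    expected = not in_block_window(now)
    mismatches = []
    for host, port in targets:
        reachable = probe_fn(host, port)
        if reachable != expected:
            mismatches.append((host, port, reachable, expected))
    return mismatches

if __name__ == "__main__":
    now = datetime.now().time()
    state = "blocked" if in_block_window(now) else "open"
    print(f"{now:%H:%M} schedule says outbound should be {state}")
    for host, port, got, want in audit(now):
        print(f"MISMATCH {host}:{port} reachable={got} expected={want}")
```

Each probe opens a new connection, so the result does not depend on sessions that were already open when the router setting was changed.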



Author Comment

ID: 24113347
The firmware is up to date - The first suggestion from Netgear / India.

I will download and test the Astaro solution soon.

Strange - When I try to access the Internet from one of the supposedly limited .1.x connections it fails. I go into the router and run the 'test' button - It reports success and then I can get onto the web fine from then on.

and yet the time limits do nothing...

Assisted Solution

MrMintanet earned 600 total points
ID: 24113362
One thing I would have to ask before you get too into this.  Do you have any neighbors with open networks?  If so, doing this would almost be a waste of time.  .02 cents there.


Expert Comment

ID: 24114575
You could kinda fix the unsecured wireless problem with group policy.  It's not 100% but if your kids know how to get around that then I'd just be proud and call it a day (Start > Run > GPEdit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.)

Assisted Solution

MrMintanet earned 600 total points
ID: 24120175
Here's a 100% guaranteed solution:

;)  Just turn the WiFi off completely.

Author Comment

ID: 24139363
There are no open networks in my neighborhood and I like the low-tech timer solution. I did download Astaro and get the home key. While it might be overkill, I think I will consider putting it in the loop if just for the additional security - Problem is, the free version only supports 10 IP addresses and I have at least 5 desktops, 4 laptops and assorted routers and such. I'm told that I can apply for a 25-user beta license if I want to, but I think I'm going to try to concentrate on the router solution again.

Netgear Level 2 technicians got back to me with the following suggestion:

Instead of 'daisy-chaining' my networks like this:


( Apparently this 'triple NAT' was only ARPing back fragments of pages and such I would guess )

I should segment it as such:


Their suggestion was a separate range for the router and the two access points, but I am trying to leave the FR114P firewall and the two WiFi routers, WPN824 and DI-624, on 192.168.0.x and create the new 192.168.1.x just on the WNR2000. Early testing looks promising.

The downside is the physical location of the modem and firewall ( The basement ). Although the WNR2000 is N class and more powerful than the other routers, it appears I will need to run some more CAT5e up to the second floor for coverage.

More to follow...

Expert Comment

ID: 24139385
I would highly recommend getting a new router.  The new Wireless-N routers from Linksys all come with this standard, and it is a very easy to use interface.


Author Closing Comment

ID: 31567528
The responses were helpful, but none solved the issue like the Netgear engineer did, hence the split points.
