Solved

Scheduled Port Blocking on Home WiFi Network

Posted on 2009-04-07
Last Modified: 2013-11-12
With a couple kids at home I would like some control over their time online, specifically at night. I have a home network with a Netgear WPN824 and a D-Link DI-624 hardwired from the FR114P firewall/router at opposite ends of the house. I bought a Netgear WNR2000 to add upstairs near the kids' rooms and have tried to use the 'port blocking' per a schedule that would limit their access at night.

For the previous 'grown ups' routers, I have given them the same hidden SSID, channel and WEP key so the kids will only see the WNR2000 in their wireless network.

After much trial and tribulation I discovered that the port blocking could only take place when using the WAN port on the WNR instead of daisy-chaining the LAN ports as I had done with the other devices. This would call for a separate subnet for the kids, but that actually had a couple advantages: They can't browse the 'main' network (although I could give them explicit access to shares using an IP address, i.e. \\192.168.0.8\Music). Secondly, I could specify OpenDNS on the kids' router to have more control over content.

So, it looks like this:

FR114P
LAN: 192.168.0.1
DHCP for the 192.168.0 network ( Range .10 - .30 )

Netgear WPN824
192.168.0.200
and
D-Link DI-624
192.168.0.201
both share the hidden SSID, channel 6 and WEP keys

I connect from a LAN port on the WPN824 to the WAN port on the WNR2000.

Netgear WNR2000
WAN 192.168.0.202
Gateway 192.168.0.1 ( FR114P )
LAN 192.168.1.1
DHCP for the 192.168.1 network ( Range .10 - .30 )
Channel 11

So now I have two separate networks - The kids can connect to the WNR2000 out to the Internet, per schedule in theory, but not browse the contents of the 192.168.0.x network.

I say 'in theory' because I have still had issues and a couple questions:

1. When I make changes to the WNR2000 block services and scheduling, should I give the unit a hard reset? Sometimes it doesn't appear to 'take' the new settings right away.

2. If I am logged onto the WNR2000 and change the settings to block ALL ports at ALL times, shouldn't that immediately kick me off the Internet? It doesn't.

3. Is there a basic tool I can use to test the path through the WNR2000 when it is getting out to the Internet during the times it is explicitly told to block all ports?

I hope this is clear and that someone with experience could give some guidance in this configuration.

Thanks,

~K
Question by:kf59
 
LVL 3

Accepted Solution

by:
ato26 earned 300 total points
ID: 24109140
1.) You shouldn't have to.  Do you have the latest firmware?
2.) Theoretically, yes.  Again, latest firmware?
3.) NMAP should be able to do this and much more but there is a learning curve

It sounds a little bit like what you're trying to do exceeds what your hardware realistically supports.  The best way to accomplish this and avoid a serious headache may be to just set up a proxy server with an old junk computer.  I REALLY like Astaro (http://www.astaro.com/our_products/product_overview/landing_pages/free_home_edition) but I can't remember if the home version's content filtering does time schedules although I'm pretty sure it does.  This would also give you the option of gateway antivirus.  If you're more Linux savvy you could use Squid (the April issue of Linux Pro Magazine has a nice article on this).  Also, with a proxy you have more control over where they're going and what they're doing.

Personally, when my girls are old enough to start using the web I'm probably going to buy an Astaro or Cisco ASA and PHYSICALLY lock it up.  With my wife and I both being into IT and remembering how I hacked around my dad's security features to get on the internet in the mid-late 90's despite him knowing what he was doing as well, I'm not taking any chances ;)

Good luck!

Allen
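
For question 3, a lighter check than Nmap, as an added example that is not part of the original answer: run it on a laptop joined to the WNR2000's 192.168.1.x network to see whether outbound TCP connections get through during the scheduled block. The target hosts, ports and the 21:00-06:00 window are assumptions to be replaced with your own.

```python
"""Added example: check from a client behind the WNR2000 whether the block schedule is enforced."""
import socket
from datetime import datetime, time

def probe(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused' (a reset came back) or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, unreachable network, failed DNS lookup
        return "no-response"

def in_block_window(now, start, end):
    """True if time-of-day `now` is inside [start, end); start == end means all day."""
    if start == end:
        return True
    if start < end:
        return start <= now < end
    return now >= start or now < end  # window crosses midnight, e.g. 21:00-06:00

def audit(targets, now, start, end, timeout=3.0):
    """Probe each (host, port) and compare the result with what the schedule should allow."""
    should_block = in_block_window(now, start, end)
    rows = []
    for host, port in targets:
        state = probe(host, port, timeout)
        if should_block and state == "open":
            verdict = "LEAK"              # traffic passed during the block window
        elif not should_block and state != "open":
            verdict = "UNEXPECTED-BLOCK"  # blocked (or target down) outside the window
        else:
            verdict = "OK"
        rows.append((host, port, state, verdict))
    return rows

if __name__ == "__main__":
    # Assumed values: adjust to the schedule set on the router and to hosts you use.
    TARGETS = [("example.com", 80), ("example.com", 443)]
    START, END = time(21, 0), time(6, 0)
    now = datetime.now()
    for host, port, state, verdict in audit(TARGETS, now.time(), START, END):
        print(f"{now:%Y-%m-%d %H:%M} {host}:{port} {state:<12} {verdict}")
```

The router applies its schedule by its own clock and time zone setting, so check those before trusting a LEAK result. Running it every few minutes across the start and end of the window shows exactly when blocking begins and stops.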

 

Author Comment

by:kf59
ID: 24113347
The firmware is up to date - The first suggestion from Netgear / India.

I will download and test the Astaro solution soon.

Strange - When I try to access the Internet from one of the supposedly limited .1.x connections it fails. I go into the router and run the 'test' button - It reports success and then I can get onto the web fine from then on.

and yet the time limits do nothing...
 
LVL 8

Assisted Solution

by:MrMintanet
MrMintanet earned 200 total points
ID: 24113362
One thing I would have to ask before you get too into this.  Do you have any neighbors with open networks?  If so, doing this would almost be a waste of time.  .02 cents there.
 
LVL 3

Expert Comment

by:ato26
ID: 24114575
You could kinda fix the unsecured wireless problem with group policy.  It's not 100% but if your kids know how to get around that then I'd just be proud and call it a day (Start > Run > GPEdit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.)

 
LVL 8

Assisted Solution

by:MrMintanet
MrMintanet earned 200 total points
ID: 24120175
Here's a 100% guaranteed solution:
http://www.amazon.com/Power-Center-Day-Night-Timer-Outlets/dp/B000256ENU/ref=pd_sim_hi_15

;)  Just turn the WiFi off completely.
 

Author Comment

by:kf59
ID: 24139363
There are no open networks in my neighborhood and I like the low-tech timer solution. I did download Astaro and get the home key. While it might be overkill, I think I will consider putting it in the loop if just for the additional security - Problem is, the free version only supports 10 IP addresses and I have at least 5 desktops, 4 laptops and assorted routers and such. I'm told that I can apply for a 25-user beta license if I want to, but I think I'm going to try to concentrate on the router solution again.

Netgear Level 2 technicians got back to me with the following suggestion:

Instead of 'daisy-chaining' my networks like this:

FR114P LAN - WAN WPN824 LAN - WAN WNR2000

(Apparently this 'triple NAT' was only ARPing back fragments of pages and such I would guess)

I should segment it as such:

FR114P LAN - LAN WPN824
LAN
|
WAN WNR2000

Their suggestion was a separate range for the router and the two access points, but I am trying to leave the FR114P firewall and the two WiFi routers, WPN824 and DI-624, on 192.168.0.x and create the new 192.168.1.x just on the WNR2000. Early testing looks promising.

The downside is the physical location of the modem and firewall (the basement). Although the WNR2000 is N class and more powerful than the other routers, it appears I will need to run some more CAT5e up to the second floor for coverage.

More to follow...
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24139385
I would highly recommend getting a new router.  The new Wireless-N routers from Linksys all come with this standard, and it is a very easy to use interface.

 

Author Closing Comment

by:kf59
ID: 31567528
The responses were helpful, but none solved the issue like the Netgear engineer did, hence the split points.