Scheduled Port Blocking on Home WiFi Network

With a couple kids at home I would like some control over their time online, specifically at night. I have a home network with a Netgear WPN824 and a D-Link DI-624 hardwired from the FR114P firewall/router at opposite ends of the house. I bought a Netgear WNR2000 to add upstairs near the kids' rooms and have tried to use the 'port blocking' per a schedule that would limit their access at night.

For the previous 'grown ups' routers, I have given them the same hidden SSID, channel and WEP key so the kids will only see the WNR2000 in their wireless network.

After much trial and tribulation I discovered that the port blocking could only take place when using the WAN port on the WNR instead of daisy-chaining the LAN ports as I had done with the other devices. This would call for a separate subnet for the kids, but that actually had a couple of advantages: They can't browse the 'main' network (although I could give them explicit access to shares using an IP address, i.e. \\\Music). Secondly, I could specify OpenDNS on the kids' router to have more control over content.

So, it looks like this:

DHCP for the 192.168.0 network ( Range .10 - .30 )

Netgear WPN824
D-Link DI-624
both share the hidden SSID, channel 6 and WEP keys

I connect from a LAN port on the WPN824 to the WAN port on the WNR2000.

Netgear WNR2000
Gateway ( FR114P )
DHCP for the 192.168.1 network ( Range .10 - .30 )
Channel 11

So now I have two separate networks - The kids can connect to the WNR2000 out to the Internet, per schedule in theory, but not browse the contents of the 192.168.0.x network.

I say 'in theory' because I have still had issues and a couple questions:

1. When I make changes to the WNR2000 block services and scheduling, should I give the unit a hard reset? Sometimes it doesn't appear to 'take' the new settings right away.

2. If I am logged onto the WNR2000 and change the settings to block ALL ports at ALL times, shouldn't that immediately kick me off the Internet? It doesn't.

3. Is there a basic tool I can use to test the path through the WNR2000 when it is getting out to the Internet during the times it is explicitly told to block all ports?

I hope this is clear and that someone with experience could give some guidance in this configuration.



1.) You shouldn't have to.  Do you have the latest firmware?
2.) Theoretically, yes.  Again, latest firmware?
3.) NMAP should be able to do this and much more but there is a learning curve

It sounds a little bit like what you're trying to do exceeds what your hardware realistically supports.  The best way to accomplish this and avoid a serious headache may be to just set up a proxy server with an old junk computer.  I REALLY like Astaro, but I can't remember if the home version's content filtering does time schedules, although I'm pretty sure it does.  This would also give you the option of gateway antivirus.  If you're more Linux savvy you could use Squid (the April issue of Linux Pro Magazine has a nice article on this).  Also, with a proxy you have more control over where they're going and what they're doing.

Personally, when my girls are old enough to start using the web I'm probably going to buy an Astaro or Cisco ASA and PHYSICALLY lock it up.  With my wife and I both being into IT and remembering how I hacked around my dad's security features to get on the internet in the mid-late 90's despite him knowing what he was doing as well, I'm not taking any chances ;)

Good luck!
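
For question 3 above (testing the path through the WNR2000 during the hours it is told to block), a small scripted check, added here as an example and not part of the original thread. The 21:00 to 06:00 window, the target list and the function names are assumptions; run it from a client on the kids' 192.168.1.x network.

```python
import socket
from datetime import datetime, time

# Assumed block schedule (constructed values): 21:00 until 06:00 the next day.
BLOCK_START = time(21, 0)
BLOCK_END = time(6, 0)

def in_block_window(now, start=BLOCK_START, end=BLOCK_END):
    """True if `now` is inside the window, including windows that wrap past midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def probe(host, port, timeout=3.0):
    """Attempt a full TCP connect; True means traffic got through the router."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False

def audit(targets, now, probe_fn=probe):
    """Return (host, port, finding) for targets whose reachability contradicts the schedule."""
    should_block = in_block_window(now)
    findings = []
    for host, port in targets:
        reachable = probe_fn(host, port)
        if reachable and should_block:
            findings.append((host, port, "reachable during block window"))
        elif not reachable and not should_block:
            findings.append((host, port, "unreachable outside block window"))
    return findings

if __name__ == "__main__":
    # Constructed target list; use hosts you own or are permitted to test.
    targets = [("example.com", 80), ("example.com", 443)]
    results = audit(targets, datetime.now())
    for host, port, finding in results:
        print(f"{host}:{port} {finding}")
    if not results:
        print("router behaviour matches the schedule")
```

Running it once inside and once outside the scheduled window shows whether the block services setting is actually being enforced.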



kf59 (Author) commented:
The firmware is up to date - The first suggestion from Netgear / India.

I will download and test the Astaro solution soon.

Strange - When I try to access the Internet from one of the supposedly limited .1.x connections it fails. I go into the router and run the 'test' button - It reports success and then I can get onto the web fine from then on.

and yet the time limits do nothing...

One thing I would have to ask before you get too into this.  Do you have any neighbors with open networks?  If so, doing this would almost be a waste of time.  .02 cents there.
You could kinda fix the unsecured wireless problem with group policy.  It's not 100% but if your kids know how to get around that then I'd just be proud and call it a day (Start > Run > GPEdit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.)
Here's a 100% guaranteed solution:

;)  Just turn the WiFi off completely.
kf59 (Author) commented:
There are no open networks in my neighborhood and I like the low-tech timer solution. I did download Astaro and get the home key. While it might be overkill, I think I will consider putting it in the loop if just for the additional security - Problem is, the free version only supports 10 IP addresses and I have at least 5 desktops, 4 laptops and assorted routers and such. I'm told that I can apply for a 25-user beta license if I want to, but I think I'm going to try to concentrate on the router solution again.

Netgear Level 2 technicians got back to me with the following suggestion:

Instead of 'daisy-chaining' my networks like this:


(Apparently this 'triple NAT' was only ARPing back fragments of pages and such I would guess)

I should segment it as such:


Their suggestion was a separate range for the router and the two access points, but I am trying to leave the FR114P firewall and the two WiFi routers, WPN824 and DI-624, on 192.168.0.x and create the new 192.168.1.x just on the WNR2000. Early testing looks promising.

The downside is the physical location of the modem and firewall (the basement). Although the WNR2000 is N class and more powerful than the other routers, it appears I will need to run some more CAT5e up to the second floor for coverage.

More to follow...
I would highly recommend getting a new router.  The new Wireless-N routers from Linksys all come with this standard, and it is a very easy to use interface.

kf59 (Author) commented:
The responses were helpful, but none solved the issue like the Netgear engineer did, hence the split points.