kf59
asked on
Scheduled Port Blocking on Home WiFi Network
With a couple kids at home I would like some control over their time online, specifically at night. I have a home network with a Netgear WPN824 and a D-Link DI-624 hardwired from the FR114P firewall/router at opposite ends of the house. I bought a Netgear WNR2000 to add upstairs near the kids' rooms and have tried to use the 'port blocking' per a schedule that would limit their access at night.
For the previous 'grown ups' routers, I have given them the same hidden SSID, channel and WEP key so the kids will only see the WNR2000 in their wireless network.
After much trial and tribulation I discovered that the port blocking could only take place when using the WAN port on the WNR instead of daisy-chaining the LAN ports as I had done with the other devices. This would call for a separate subnet for the kids, but that actually had a couple advantages: They can't browse the 'main' network ( although I could give them explicit access to shares using an IP address, i.e. \\192.168.0.8\Music ). Secondly, I could specify OpenDNS on the kids' router to have more control over content.
So, it looks like this:
FR114P
LAN: 192.168.0.1
DHCP for the 192.168.0 network ( Range .10 - .30 )
Netgear WPN824
192.168.0.200
and
D-Link DI-624
192.168.0.201
both share the hidden SSID, channel 6 and WEP keys
I connect from a LAN port on the WPN824 to the WAN port on the WNR2000.
Netgear WNR2000
WAN 192.168.0.202
Gateway 192.168.0.1 ( FR114P )
LAN 192.168.1.1
DHCP for the 192.168.1 network ( Range .10 - .30 )
Channel 11
So now I have two separate networks - The kids can connect to the WNR2000 out to the Internet, per schedule in theory, but not browse the contents of the 192.168.0.x network.
I say 'in theory' because I have still had issues and a couple questions:
1. When I make changes to the WNR2000 block services and scheduling, should I give the unit a hard reset? Sometimes it doesn't appear to 'take' the new settings right away.
2. If I am logged onto the WNR2000 and change the settings to block ALL ports at ALL times, shouldn't that immediately kick me off the Internet? It doesn't.
3. Is there a basic tool I can use to test the path through the WNR2000 when it is getting out to the Internet during the times it is explicitly told to block all ports?
I hope this is clear and that someone with experience could give some guidance in this configuration.
Thanks,
~K
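For question 3 above, one way to test the path from a PC on the 192.168.1.x network, as an added example that is not part of the original post: it opens a fresh TCP connection to each target and reports whether the result agrees with the block schedule. The targets and the 21:00-06:00 window are assumed sample values; substitute the ones configured on the WNR2000.

```python
import socket
from datetime import datetime, time

def probe(host, port, timeout=3.0):
    """Open one fresh TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: traffic passed the router
    except ConnectionRefusedError:
        return "refused"       # a reset came back from the target or a device on the path
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply at all: typical of a silent drop
    except OSError:
        return "error"         # DNS failure, no route, and similar

def in_block_window(now, start, end):
    """True if time-of-day `now` is in [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def verify(targets, now, start, end, probe_fn=probe):
    """Probe each (host, port) and flag results that contradict the schedule."""
    should_block = in_block_window(now, start, end)
    report = []
    for host, port in targets:
        state = probe_fn(host, port)
        passed = state == "open"
        report.append({"host": host, "port": port, "state": state,
                       "expected_blocked": should_block,
                       "matches_schedule": passed != should_block})
    return report

if __name__ == "__main__":
    # Assumed sample values: two targets and a 21:00-06:00 block window.
    TARGETS = [("example.com", 80), ("example.com", 443)]
    for row in verify(TARGETS, datetime.now().time(), time(21, 0), time(6, 0)):
        print(datetime.now().isoformat(timespec="seconds"), row)
```

Running it once inside and once outside the scheduled window, from a client behind the WNR2000, shows whether new connections are actually being blocked.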
You could kinda fix the unsecured wireless problem with group policy. It's not 100% but if your kids know how to get around that then I'd just be proud and call it a day (Start > Run > GPEdit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.)
ASKER
There are no open networks in my neighborhood and I like the low-tech timer solution. I did download Astaro and get the home key. While it might be overkill, I think I will consider putting it in the loop if just for the additional security - Problem is, the free version only supports 10 IP addresses and I have at least 5 desktops, 4 laptops and assorted routers and such. I'm told that I can apply for a 25-user beta license if I want to, but I think I'm going to try to concentrate on the router solution again.
Netgear Level 2 technicians got back to me with the following suggestion:
Instead of 'daisy-chaining' my networks like this:
FR114P LAN - WAN WPN824 LAN - WAN WNR2000
( Apparently this 'triple NAT' was only ARPing back fragments of pages and such I would guess )
I should segment it as such:
FR114P LAN - LAN WPN824
LAN
|
WAN WNR2000
Their suggestion was a separate range for the router and the two access points, but I am trying to leave the FR114P firewall and the two WiFi routers, WPN824 and DI-624, on 192.168.0.x and create the new 192.168.1.x just on the WNR2000. Early testing looks promising.
The downside is the physical location of the modem and firewall ( The basement ). Although the WNR2000 is N class and more powerful than the other routers, it appears I will need to run some more CAT5e up to the second floor for coverage.
More to follow...
I would highly recommend getting a new router. The new Wireless-N routers from Linksys all come with this standard, and it is a very easy to use interface.
ASKER
The responses were helpful, but none solved the issue like the Netgear engineer did, hence the split points.
ASKER
I will download and test the Astaro solution soon.
Strange - When I try to access the Internet from one of the supposedly limited .1.x connections it fails. I go into the router and run the 'test' button - It reports success and then I can get onto the web fine from then on.
and yet the time limits do nothing...