• Status: Solved
  • Priority: Medium
  • Security: Public



I have a network with more than 150 users; it's a school.

Since the school opened, we have noticed that the internet is running very slowly, so I ran a scan on the network to see who's on it.

Well, I found a set of students online with their iPhones, iPads, etc.
We have a password on the Wi-Fi, but the teachers give out the password.
I would like your recommendation for a router/firewall that I can use to restrict these students from getting on to the network.

I'm looking for something where, when I see a student's device on the network, I am able to block it by MAC address.
Also, I would like to block websites such as Facebook, porn, etc.

Thanks in advance for your help.
2 Solutions
Use http://www.opendns.com/ to block all content types you want (it's free).  You can set that up on your router/firewall.

Any of the higher-end Netgear or Linksys wireless routers can block MAC addresses.  If you have a decent budget to work with I would highly recommend going with a more industrial solution like Aerohive or Ruckus.
What brand/model[s] of APs are you running now?
Fred Marshall, Principal, commented:
Examine the objectives.  
- You started on this path because the internet connection was "slow".
- Then you discovered users that had been OK up to that point but, now that you know, you've decided to do something about them.  Part of this is to let them continue to connect??
- What good is porn filtering if the MAC addresses are blocked?  (I'm not suggesting there is none).

At this point it appears that you intend to continue to allow the traffic (within some limits) and somehow expect the speed to improve.  How is that going to happen?

So, the first decision should be to either stop the traffic or not.
If the decision is to stop the traffic then direct measures should be taken rather than peripheral measures like web site filtering (which admits the unwanted traffic WILL exist).

If the teachers are giving out the wireless passphrase then there's an employee discipline problem.  I would probably just shut off the wireless or the entire internet just before lunch whenever a rogue MAC address showed up.  Then explain that the password had been compromised and issue a new one.  That should be enough trouble to hamper the behavior.  You'd probably get some peer pressure going.... assuming you "package" your own behavior reasonably.  :-)

If you will allow the traffic, perhaps set up a "public" wireless network with QoS throttling and maybe web filtering.  
NOTE: Web filtering of a mainstream connection is a maintenance PITA.  Are you ready for that?  Yes, after a time it will settle down.  I have one in service now for 5 months with a new web filtering method and I'm still chasing requests for changes because some web site or service is needed and can't be accessed.  And that comes after rather careful planning of which categories would be permitted and blocked.  Thus, I would filter the public network only (if at all possible).  Then if things don't work for some it's "caveat user", i.e. too bad.

If you decide to stop the traffic then a MAC filter should be good enough for all except the most clever rogue users.  And, an IP filter might also be useful for this type of blocking.  It's a bit more work to set up reserved IP addresses per allowed MAC address and a bit of maintenance when computers change permanently in and out over time.  While wireless routers will do this, many wired routers won't.  So, having one that will might be useful if you want to do this.
You really should consider installing a firewall/router/proxy server.  When I worked in the school system, we deployed SmoothWall (open source version) http://www.smoothwall.org.  It's very easy to manage, has good community support, and will help you with all the issues you've mentioned.

At our school, we configured DHCP leases for the "approved" computers & devices.  These IP addresses were in a range that was allowed out to the internet (configured at the firewall/proxy).  Any others got a 'generic' IP address that did not get out to the world.  Sure, some really clever kid may eventually figure it out, but it'll be a while coming.
You could consider a squid proxy for caching of web content, and squidguard for content filtering based on categories.  Both are open source.

MAC address filtering may not be effective if you use network segmentation.

You could restrict internet access based on user agent string (i.e., limit what types of browser access the internet).
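
An added example, not part of any answer above: a small audit for the DHCP-reservation approach described in the thread (approved devices get reserved addresses in a range the firewall lets out, everything else gets a generic address). It checks a lease table or scan result against the reservation list and flags devices that sit in the allowed range without a reservation. The address ranges, MAC addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (not from the thread): reserved leases live in the
# lower /25, which the firewall lets out; everything else gets the upper /25.
APPROVED_NET = ipaddress.ip_network("10.0.0.0/25")
GUEST_NET = ipaddress.ip_network("10.0.0.128/25")

# Constructed reservations: MAC -> reserved IP for school-owned devices.
RESERVATIONS = {
    "00:00:5e:00:53:01": "10.0.0.10",
    "00:00:5e:00:53:02": "10.0.0.11",
}

def normalize_mac(mac):
    """Lower-case and use ':' separators so scan output and config compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac, ip):
    """Return a verdict for one (MAC, IP) pair seen in a lease table or ARP scan."""
    mac = normalize_mac(mac)
    addr = ipaddress.ip_address(ip)
    reserved_ip = RESERVATIONS.get(mac)
    if reserved_ip is not None:
        return "ok" if ip == reserved_ip else "approved-mac-wrong-ip"
    if addr in APPROVED_NET:
        # No reservation, yet inside the range the firewall lets out.
        return "unapproved-in-allowed-range"
    if addr in GUEST_NET:
        return "guest-no-internet"
    return "outside-plan"

def audit(observations):
    """Return (mac, ip, verdict) for every pair that needs attention."""
    rows = [(normalize_mac(m), ip, classify(m, ip)) for m, ip in observations]
    return [r for r in rows if r[2] not in ("ok", "guest-no-internet")]

# Constructed scan output covering each verdict the audit should report or skip.
SAMPLE_SCAN = [
    ("00-00-5E-00-53-01", "10.0.0.10"),
    ("02:00:5e:00:53:aa", "10.0.0.200"),
    ("02:00:5e:00:53:bb", "10.0.0.50"),
    ("0000.5e00.5302", "10.0.0.77"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

Feeding it the real lease file or scan output on a schedule shows when an unreserved device appears in the allowed range, which is the case the reservation scheme alone does not prevent.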
Question has a verified solution.
