Posted on 2013-11-16
Last Modified: 2014-03-01

I have a network with more than 150 users;
it's a school.

Since the school was opened we notice that the internet is running very slow, so I ran a scan on the network to see who's on it.

Well, I find a set of students online with their iPhone, iPad, etc.
We have a password on the wifi but the teachers give out the password.
I would like your recommendation for a router\firewall that I can use to restrict these students from getting on to the network.

I'm looking for something that, when I see the students' devices on the network, lets me block them by MAC address.
Also I would like to block websites, such as Facebook, porn, etc.

Thanks in advance for your help.
Question by:MVGtechnology

Expert Comment

ID: 39653421
Use to block all content types you want (it's free).  You can set that up on your router/firewall.

Any of the higher end Netgear or Linksys wireless routers can block MAC addresses.  If you have a decent budget to work with I would highly recommend going with a more industrial solution like Aerohive or Ruckus.
LVL 44

Expert Comment

ID: 39653486
What brand/model[s] of APs are you running now?
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
ID: 39653495
Examine the objectives.  
- You started on this path because the internet connection was "slow".
- Then you discovered users that had been OK up to that point but, now that you know, you've decided to do something about them.  Part of this is to let them continue to connect??
- What good is porn filtering if the MAC addresses are blocked?  (I'm not suggesting there is none).

At this point it appears that you intend to continue to allow the traffic (within some limits) and somehow expect the speed to improve.  How is that going to happen?

So, the first decision should be to either stop the traffic or not.
If the decision is to stop the traffic then direct measures should be taken rather than peripheral measures like web site filtering (which admits the unwanted traffic WILL exist).

If the teachers are giving out the wireless passphrase then there's an employee discipline problem.  I would probably just shut off the wireless or the entire internet just before lunch whenever a rogue MAC address showed up.  Then explain that the password had been compromised and issue a new one.  That should be enough trouble to hamper the behavior.  You'd probably get some peer pressure going.... assuming you "package" your own behavior reasonably.  :-)

If you will allow the traffic, perhaps set up a "public" wireless network with QoS throttling and maybe web filtering.  
NOTE: Web filtering of a mainstream connection is a maintenance PITA.  Are you ready for that?  Yes, after a time it will settle down.  I have one in service now for 5 months with a new web filtering method and I'm still chasing requests for changes because some web site or service is needed and can't be accessed.  And that comes after rather careful planning of which categories would be permitted and blocked.  Thus, I would filter the public network only (if at all possible).  Then if things don't work for some it's "caveat user", i.e. too bad.

If you decide to stop the traffic then a MAC filter should be good enough for all except the most clever rogue users.  And, an IP filter might also be useful for this type of blocking.  It's a bit more work to set up reserved IP addresses per allowed MAC address and a bit of maintenance when computers change permanently in and out over time.  While wireless routers will do this, many wired routers won't.  So, having one that will might be useful if you want to do this.
LVL 17

Accepted Solution

BudDurland earned 250 total points
ID: 39653642
You really should consider installing a firewall/router/proxy server.  When I worked in the school system, we deployed SmoothWall (open source version).  It's very easy to manage, has good community support, and will help you with all the issues you've mentioned.

At our school, we configured DHCP leases for the "approved" computers & devices.  These IP addresses were in a range that was allowed out to the internet (configured at the firewall/proxy).  Any others got a 'generic' IP address that did not get out to the world.  Sure, some really clever kid may eventually figure it out, but it'll be a while coming.
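
The reserved-lease scheme described in this answer (and the per-MAC reserved addresses in Fred Marshall's answer above) can be sketched as follows. This is an added example, not part of the original posts: the 10.0.1.0/24 approved range, the device names and the MAC addresses are assumptions made up for illustration. It renders ISC dhcpd host reservations and audits observed (MAC, IP) pairs for addresses in the approved range that DHCP never assigned to that device.

```python
import ipaddress

# Assumed addressing plan (not from the thread): reserved leases live in
# APPROVED_NET, which the firewall lets out; the generic pool is elsewhere.
APPROVED_NET = ipaddress.ip_network("10.0.1.0/24")

def norm_mac(mac):
    """Normalise AA-BB-.., aa:bb:.. or aabb.ccdd.eeff to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_reservations(approved):
    """Give each approved device {name: mac} a fixed address in APPROVED_NET."""
    hosts = APPROVED_NET.hosts()
    next(hosts)  # keep the first address (.1) for the gateway
    table = {}
    for name, mac in sorted(approved.items()):
        table[norm_mac(mac)] = (name, next(hosts))
    return table

def dhcpd_hosts(table):
    """Render the reservations as ISC dhcpd host stanzas, one per line."""
    return "\n".join(
        f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
        for mac, (name, ip) in table.items())

def audit(table, seen):
    """Classify (mac, ip) pairs observed on the LAN, e.g. from an ARP table."""
    findings = []
    for mac, ip in seen:
        mac, ip = norm_mac(mac), ipaddress.ip_address(ip)
        reserved = table.get(mac)
        if reserved and reserved[1] == ip:
            status = "approved"
        elif ip in APPROVED_NET:
            # In the allowed range, but not the lease reserved for this MAC:
            # a manually configured address or a stale reservation.
            status = "violation"
        else:
            status = "guest"
        findings.append((mac, str(ip), status))
    return findings

if __name__ == "__main__":
    # Constructed sample data, not taken from a real network.
    table = build_reservations({"lab-pc-01": "00:11:22:33:44:55",
                                "teacher-laptop": "00-11-22-33-44-66"})
    print(dhcpd_hosts(table))
    for row in audit(table, [("00:11:22:33:44:55", "10.0.1.2"),
                             ("de:ad:be:ef:00:02", "10.0.1.3")]):
        print(row)
```

The audit trusts the MAC address a device reports, so it works as a tripwire for manually configured addresses rather than as authentication of the device.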

Expert Comment

ID: 39897149
You could consider a squid proxy for caching of web content, and squidguard for content filtering based on categories.  Both are open source.

MAC address filtering may not be effective if you use network segmentation.

You could restrict internet access based on user agent string (i.e., limit what types of browser access the internet).
