I have a little question here. In my household I seem to have a “little” hacker (10 year old girl) who does not agree with Dad’s network access configuration.
Thing is, I have configured the Kids systems to have Internet and NAS Access times based on the day of the week and hour.
Now - this little beast (and I have to say that I’m quite proud of her ) has started to change the MAC Address of her Android Tablet to bypass this security.
and here goes my secured time-plan for the kids…
What I can do however, is make all IP’s static incl. MAC Addresses.
How can I configure the DHCP Server in such a way that it will only deliver IP/MAC’s that are “Known” and marked as “Static”.
Is that possible in routerOS or is one other way of achieving this?
You can set address-pool=static-only for dhcp server, then it will serve only known clients with static leases. Then to prevent manually assigned addresses, add also add-arp=yes. And finally set arp=reply-only for LAN interface.
Way around that would be to “borrow” MAC address of your notebook/tablet/phone and use it when you’re not at home. So difficulty level is not really much higher.
Next level would be dedicated kid network, limited as whole, so it wouldn’t matter what and how is connected. For tablet I’m assuming it’s just wireless, so you can create virtual AP with different SSID and then keep password for unlimited one for yourself.
Thx for the hint on the dhcp-server (static-only). Wonder how long it will take my little hacker to figure something out :}
I was thinking about the dedicated Kid network.
I have a router that can do 2.4Ghz and 5Ghz - Kids devices on 2.4Ghz, others on 5Ghz. But we have some old device that would not work on 5Ghz. And 2 Network on 2.4Ghz ? Dunno yet.
Very cool kid. I have two girls (7 and 12), both too smart for their own good.
For my house, I ended up with a virtual AP on a vlan that is time based. As long as I keep the router and access point security, I’m all good.
You could also go with static MAC’s and disable ARP. Or maybe even WPA2/EAP.
yes - they definitely are too smart for their age (Got 10, 12 and 13 years old girls). The little one is the devil in disguise
Question - how did you set the Time-control into the vlan?
And - if I understood it correctly, the Virtual AP is just adding a new bridge-ap to an already configured wireless card?
I do lots under Linux (cli), and I knew that virtual intrerfaces existed also in RouterOS. I admit though that I never thought to add a virtual AP for the girls…
I created a separate (virtual) access point on a different vlan. Then setup a time-based drop rule for the vlan in the filter. at 8pm the forward rules turns off and a reject rule turns on.
Virtual AP uses same radio and frequency as base AP (it doesn’t really have much choice there), but has different SSID and behaves as independent interface. So it can have own DHCP server, filtering and everything.
) has started to change the MAC Address of her Android Tablet to bypass this security.
