Community discussions

MikroTik App
 
amano
just joined
Topic Author
Posts: 6
Joined: Sun Mar 12, 2023 12:02 pm

Internet access control at home

Sun Mar 12, 2023 3:12 pm

Hi there!

So I have a hEX routerboard to be the main router in my house.
One of its tasks to allow or deny internet access for the given devices. I have a solution for that, but it is not working as I expected. Please give me hou could I change the configuration to fulfill the tasks.

The different device types:
- routers and other network devices.
- devices of the parents.
- kid's devices
- multimedia devices
- home automation gadgets
- unknown devices

Basically the network devices, parent's stuff and all the home automation has full access to the internet. These are quiet a lot, about 50-60 pieces.
The kid's devices have not internet during the night
The multimedia devices have a different time schedule, they are not getting internet during the school time.
Everithing ellse work only in the time period during the day when we can expect guests. Basically there is a range defined for dinamyc IPs.

My solution for that was to:
- setup a DHCP to have IP ranges for the categories above
- add all the devices to the DCHP leases list
- create firewall rules to allow or deny internet according to the time periods.

So far so good... but my older child is more creative than that. If he sets the IP of his device manually and not let the DHCP do it, he can set IP outside of his range - like the home automation - and have internet access during night.
What I found yesterday is, that the ARP can also bind an IP to a MAC address. It could be a good option, however
- the ARP can be set for the Interfaces of the router, which are the ethernet ports. Maybe the correct option would be to set is reply-only. If so, all the new devices have to be added by hand to get IP. I would like to keep the option to dinamically assign IP for the devices into the "unknown devices" range.
- what if my kids figures out that he can clone MAC address as well? E.g. copies the MAC of the TV and uses it during night.

So this is where I am stucked.
Should I somehow reorganize my network to have separate subnet or something for the dinamic and the static IP range with different ARP setting? Or is it not the bet solution for that?

Why I am not using "Kid control"? It does not fulfill my needs.
Why I am not using PPPOE? The home automation devices, which requires full internet access, are not capable to use PPPOE.
 
apestalménos
just joined
Posts: 14
Joined: Wed Sep 16, 2020 8:22 pm

Re: Internet access control at home

Sun Mar 12, 2023 8:21 pm

An easy solution is to unplug the router. Or disable the WAN connection at certain times.
 
gabacho4
Member
Member
Posts: 331
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Internet access control at home

Sun Mar 12, 2023 8:34 pm

Just create a vlan and corresponding SSID for wifi that only kid devices connect to. Then create a rule that disables the vlan access to WAN at a given hour. This way, it doesn't matter if your kid statically sets his IP or not as the kids vlan access to WAN will go dark. Of course, were it one of my kids, I'd create the above described setup to monitor kid compliance with rules and then confiscate devices being used or attempted to be used.
 
amano
just joined
Topic Author
Posts: 6
Joined: Sun Mar 12, 2023 12:02 pm

Re: Internet access control at home

Fri Mar 17, 2023 10:16 pm

@apestalménos: it is a good solution if you really want to turn off all internet connections. In my case I have to be able to use the net and also certain home automation stuff requires it.

@gabacho4: yes, it is a good idea. I just started to read more about is, since I am not familiar with this kind of setup. E.g. how to route ports between the vlan and the original one like NAS, printer, home automation dashboard... At the end I have choosen the other option, which works better than I thought.

In the interface setting I have set all elements to "reply only" so that the static IP configurations are not allowed.
At the DHCP server I have set the "Add ARP for Leases" to true.

There is a static and a dynamic range in the DHCP for the devices. Basically everything is put into the static range, only the unknown devices gets dynamic IP.
And it works pretty well. I deleted all ARPs in the ARP list and just waited for a while untel the DHCP recreated all the entries. It is also possible to make them static as well.
Originally I tought that a due to the reply-only APR setting all unknown devices will be just closed out from the network, but since the DHCP created ARPs for them, it's fine.
 
amano
just joined
Topic Author
Posts: 6
Joined: Sun Mar 12, 2023 12:02 pm

Re: Internet access control at home

Fri Mar 17, 2023 10:19 pm

It does not solves the case if someone clones a known MAC address, e.g the smart TV's...
 
amano
just joined
Topic Author
Posts: 6
Joined: Sun Mar 12, 2023 12:02 pm

Re: Internet access control at home

Sat Mar 18, 2023 5:20 pm

BUMP!

Today I noticed that there is a new lease added to the DHCP config into the non-dynamic area. How is it possible?
Which cetting would prevent the server to let those kind of registration?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Internet access control at home

Sat Mar 18, 2023 6:01 pm

isnt there kids home function on router??

Who is online

Users browsing this forum: astelsrl, CGGXANNX, mkx, Vyizis and 38 guests