Block unknown devices on Deco M9 - user changes MAC address to fool parental controls

Block unknown devices on Deco M9 - user changes MAC address to fool parental controls

Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-03-03 17:27:10

The Gryphon router has this function and was instrumental in catching both a new device and a child learning to turn on random MAC address to try to bypass parental control.

 

On that router (I run Gryphon for humans, TP-link for IOT) when a new device is added (new MAC), I am alerted and the device is placed in a group with no access, but still tracked.  I can approve that device by adding it to an owner and profile.  This feature is why I switched.  I had undetected intrusions on the tp-link.

 

It's a great design and one I wish was in this router.  With the segregation I do I'd prefer not to have to switch out my IOT network but it's kind of going that way because of the handling of new devices.  The segregation allows me to also track DNS beyond any router I've found via cleanbrowsing.org, but if my IOT is compromised, none of this matters.

  2  
  2  
#74
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-03-03 18:45:58

  @Jeff_the_Tech 

Found the gryphon router on Amazon - seems it offers MAC filtering and is a mesh network. This is all I need to know to post my TP-Link on the marketplace. 
(Had to read some reviews to make sure you wasn't an advertising shill for them - ha)

Funny, that gryphon router is a mesh network and offers MAC filtering since TP-Link support stated they couldn't offer this. 

  0  
  0  
#75
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-03-04 09:58:19

Yeah. should have mentioned I hae no affiliation.

 

Gryphone is not a complete solution either, the issus I have so far are:

 

1. DNS monitoring is limited to latest 200 dns requests per profile and they only show in their app the most recent access, so you have no idea what the frequency is.  This allowed my son to bypass (more on that later) for longer than if I had been looking at a full DNS log.  That's in the list for enhancements.

 

2. They have on/off schedules that work well with one flaw - if you temporarily extend bedtime from say 10pm to 10:30, Bedtime is completely bypassed until the next night.

 

My son tried a couple of things:

 

1. Randomize MAC address in Windows Network Settings to try to bypass MAC based controls (didn't work because of the whitelist feature on Gryphon, which also notified me)

2. Set up Windows Mobile Hotspot then connected iPhone to that, bypassing the control above.  This recently became a "feature" for non-admin Windows users.  Thanks Microsoft.

 

So I've got more of a problem that perhaps most have (or are aware of).  #2 happened by buying used iphones from his friends to use as glorified iPods on my Wifi network.  Don't underestimate what you might be missing.

 

I'm a bit of a techie (40 years doing this) so what I've had to do is:

 

1. Cable Router/Wifi - locked down and whitelisted (no new device access - MAC controlled)

2. Plugged into Network Switch (I have TP-Link and Netgear, both work well and are cheap) for port-based packet capture

    a. Port 1 - Port from Cable Router

    b. Port 2 - monitoring port, can be set by the switch to mirror/monitor the other ports selectively

    c. Port 3 - IOT Wifi Router - Negear AC1750 - pretty cheap good router that can be flashed with Tomato or  DD-WRT if I want, but all I need is good streaming for the TV, etc and the ability to whitelist on wifi (block new devices).

    d. Port 4 - TP-Link Deco Mesh - today for the adults, few devices, relatively speaking so anything new is noticable

    e. Port 5 - Gryphon - for the kids and guests, parental controls

3. DNS for the Gryphon is set to use cleanbrowsing.org, no filters, just to capture DNS at a transaction level that I can download to a spreadsheet.  I tried OpenDNS but it will not track DNS by device and you can't download logs

 

This is the network layer.  At the PC I use MS Family Security as a first layer (pretty easy to compromise, but when you all of a sudden lose reporting or behavior changes, you know), then Questodio which offers more in general but limited search monitoring.  

 

At the windows level I do not allow admin level access, after than I am learning how to use Group Policies in windows to restruct things like access to registry, command line, settings/control panel and whitelist the wifi's they can connect to.  Also how to disable the mobile hotspot.

 

I haven't found any one wifi router product that gives me everything and nothing is foolproof.  Just google "How to hack...<product name" on youtube and you'll get a world of learning from some very smart kids, as young as 10-12.  I learned much of this using the network switch and wireshark to packet sniff the traffic once I isolated it.  

 

TP-Link, if you're listening, there's a HUGE market out there if you can get past the idea that 13 year old children deserve privacy rather than guidance from their parents.

 

  2  
  2  
#76
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-03-14 21:06:41

  @Jeff_the_Tech Thank you for your message. Very useful. It is really a pain that parental controls are so useless on TP-Link equipment, making them totaly useless. Kids younger than 9 years old (all of them) are smarter than R&D engineers (all of them) from TP-Link. I advise my friends not to buy Deco equipment for this very reason.    

  2  
  2  
#77
Options
[Troubleshooting] Block unknown devices on Deco M9
2022-05-27 15:35:32

  @TP-Link 

 

I've been using Deco for a couple years and didn't need this feature until recently. Looks like it's been a request for a while and doesn't seem like there's much traction. I don't understand why a white list requires comprehensive evaluation as it's a broadly deployed feature in the Network industry and I'm guessing TP Link offers it on other products. Even if it requires comprehensive evaluation, what about a simple option that requires approval for a new device based on MAC to be allowed access to the network? Deco already pushes a notification that something's been added. Why not follow the security best practice of implicit deny and change the default behavior of new devices to deny instead of allow?

 

Thank you.

  5  
  5  
#78
Options
[Troubleshooting] Block unknown devices on Deco M9
2022-07-22 15:16:13

I did the suggestion thingy from the Deco app.

 

Anyone using the Asus Zenwifi XT8? I'm considering switching to that but it would at least need to have better parental control and whitelisting options ;-)

  0  
  0  
#79
Options
[Troubleshooting] Block unknown devices on Deco M9
2022-07-26 00:27:33

  @Laggetjeuh 

 

I have done the same 

 

This really needs sorting or I'm going to have to switch to a new router bit I really don't want to 

  0  
  0  
#80
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-07-26 00:40:15

I blame myself.

 

I spent $600 on TP-Link Deco mesh hardware without doing my homework. I should have thought to investigate whether TP-Link had bothered to include a thought-out and functional parental control system.

 

You know, like every other vendor has.

  0  
  0  
#81
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-08-02 14:31:03

I just bought a pair of X50 and I need whitelist feature, should I return them? Or you going to fix this?

  0  
  0  
#82
Options
Re:Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
2022-09-06 15:14:00

  @WeroLuis 

 

I'd return them if still possible. This forum has multiple threads with over 1000 posts about this very same issue and nothing happens... 

  0  
  0  
#83
Options