Router Lockdown – Limiting child access to the internet

Access to the internet for children isn’t what it used to be. 20 years ago there were no tablets, WiFi was in its infancy (before it was even called WiFi), computers were still dialing in to 56.6k connections, children still played console video games, and technology was less prominent than it is today.

Every day we inch closer to faster internet connections, more content, higher resolution images & video, and the ability to download vast amounts of data in mere seconds without discretion. The need to monitor our kids’ access to the internet is even more important today, especially now that educational requirements mandate they have such access for school work both in class and at home: access to email, YouTube and other instructional videos. But where does their access end? Some families require that the computer be located in a central location in the house so it’s easily monitored, but what about personal devices, laptops, or homes where the children know more about computers than their parents do?

Some people want to avoid the added cost of subscription-based services, don’t want to have to add monitoring software to their family PC and add more burden to RAM and CPU requirements (and these days kids are pretty adept at circumventing such software).  The best way to lock it down is at the router, your gateway to the internet.

But not all routers offer parental controls, and if they do, most of them are either sorely lacking in their capabilities or they offer a really strong filter but poor QoS, or time restriction limits and no way of choosing what devices they are applied to (ie: all or nothing).


See my previous writeup on the R7000 and XWrt


I have researched, implemented and evaluated several routers and custom firmware packages over the years and I have really come to like XWrt-Vortex, a third-party variant of AsusWrt-Merlin. AsusWrt-Merlin was designed for Asus routers, but XWrt-Vortex has been re-compiled for use with Netgear R7000 routers in addition to the Linksys AC1900 and Huawei WS880.

XWrt-Vortex has all the standard router features you expect in off-the-shelf routers such as port forwarding, port triggering, IP filtering, etc… But with XWrt my favorite key features include:

  • Custom DNS (Parental Restriction, choose from OpenDNS, Norton, Comodo or Yandex)
  • Bandwidth Throttling (select any device, set the max up/down limit)
  • 3G/4G USB Cellular support (if you live in the boonies and have cell signal but no access to Cable/DSL internet, just plug in your cellular USB dongle and it becomes your WAN connection for your internal WiFi network.)   It supports a specific USB dongle though (USB760 Verizon Novatel Wireless 3G)
  • Up to 3 guest network SSID per band (2.4/5 GHz) (Present on the R7000, not sure about the others)
  • Time Restrictions (per device, set time limits for when devices can access the internet)
  • DDNS (so you can access your router remotely by domain name if you open the remote access port)

and my personal favorite – custom scripting.

For example – you have two wireless networks (XWrt on the R7000 allows for three different SSIDs on each band), one for the parents’ devices and the other for the kids. The parent WiFi network is unrestricted, while the kids’ WiFi network gets a password reset automatically every weekday morning. The script builds the new password from a list of words you choose plus a three digit random number, and sends a text message to the parents letting them know today’s Kids WiFi Password. After school the kids get their chores and ask for today’s WiFi password.

On the weekend, it is configured to reset the password back to the common one they already know and Monday begins the process all over again. (Or make it change on Saturday and Sunday too, your choice)
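A sketch of the password rotation described above, as an added example rather than the author’s own script. The word list, the weekend password, the `wl0.1_wpa_psk` nvram key and the `service restart_wireless` call are assumptions to check against your own firmware, and sending the text message is left out because it depends on your mail or carrier setup.

```shell
#!/bin/sh
# Added example, not the author's script. Values below are assumptions.
WORDS="dishes laundry mop vacuum homework"  # constructed chore word list
COMMON_PSK="ChangeMe-weekend"               # placeholder weekend password
GUEST_PSK_VAR="wl0.1_wpa_psk"  # assumed nvram key: first 2.4GHz guest SSID

# rand16: one unsigned 16-bit number from the kernel RNG.
rand16() { od -An -N2 -tu2 /dev/urandom | tr -d ' \n'; }

# gen_password: random word plus a random number from 100 to 999.
# WPA2-Personal keys must be 8 to 63 characters, so words shorter than
# 5 letters (here "mop") are skipped instead of producing an invalid key.
gen_password() {
    usable=""
    for w in $WORDS; do
        if [ "${#w}" -ge 5 ] && [ "${#w}" -le 60 ]; then
            usable="$usable $w"
        fi
    done
    set -- $usable
    [ "$#" -gt 0 ] || return 1          # no usable word: fail, change nothing
    shift $(( $(rand16) % $# ))
    printf '%s%d\n' "$1" $(( $(rand16) % 900 + 100 ))
}

# todays_password DOW: DOW as printed by `date +%u` (1=Mon ... 7=Sun).
todays_password() {
    case "$1" in
        [1-5]) gen_password ;;                  # weekdays: fresh password
        6|7)   printf '%s\n' "$COMMON_PSK" ;;   # weekend: the common one
        *)     return 2 ;;
    esac
}

# apply_password PSK: store the key and restart WiFi; dry run off-router.
apply_password() {
    if command -v nvram >/dev/null 2>&1; then
        nvram set "$GUEST_PSK_VAR=$1" && nvram commit && service restart_wireless
    else
        echo "dry run: would set $GUEST_PSK_VAR and restart wireless"
    fi
}

# Run from cron as "script.sh apply"; with no argument nothing is changed.
if [ "${1:-}" = "apply" ]; then
    psk=$(todays_password "$(date +%u)") && apply_password "$psk"
fi
```

Restarting the wireless service briefly drops every WiFi client, including the parents’ network, so schedule the job for a time when nobody is online.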

Imagine time limits so all connectivity ceases at 8pm, and QoS Bandwidth Limiter gives each child up to 3Mbps (or more, or less) of bandwidth so the rest of the family can still get online during their online game play or video streaming sessions.

Parental filtering controls?  No problem.  You can designate which online filter you want to use, per-device!  For example, you can use OpenDNS and you can enable category filters to block any website having to do with porn, weapons, online dating, etc without having to worry about all the websites out there that you don’t want them to gain access to, at least from your own home anyway.

I would like to note that if your child has a cellphone, there’s no way to implement this as they can turn off WiFi and use cellular connectivity to bypass your controls, that is unless you take it away at night or have some “nanny app” installed on their device.

Setup is simple, I’ll use the R7000 for example.  Just download XWrt for the R7000, then go to the Administration > Firmware Update section of the Netgear web interface, browse to the XWrt “.chk” file you just downloaded (remember to unzip the file first in order to extract the firmware) and hit Upload (or begin, start, whatever the button label says)

Once the router is flashed with the XWrt firmware, it will reboot. It may do this several times and you’ll see the lights on the router flash on and off, sometimes more than once. Don’t panic, it’s doing its thing. Once the router is flashed, you should be able to gain access to the admin menu by going to http://192.168.1.1 in your web browser. Default username and password should both be admin (or admin and password).

If you’re connected via WiFi, you’ll need to rejoin the default network, ie: NETGEAR, NETGEAR-5. It will be without a password, so you’ll want to get in there and set a password before your neighbor sees an open network and does it for you!

Set your administrative password

Click Administration, then choose System from the tabs on the right.

  • Enter your new password and retype it in the box below for verification.
  • Scroll down and click Apply.
  • Router will update, you may have to log back in using the password you just set.

Set your Wireless Password

  • Click Wireless
  • Choose 2.4GHz Band
  • Type in the Wireless name you previously used before the change to XWrt where it says Network Name (SSID)
  • Authentication Method: WPA2-Personal
  • WPA Pre-shared Key: (enter the WiFi Password)
  • Click Apply
  • Router will reboot
  • Do the same thing for the 5GHz Band.  I name mine separately, ie: Home 2GHz and Home 5GHz.

Kids WiFi Network

I set the kids up in Guest Network section.  You can choose to create a WiFi SSID on the 2GHz band, 5GHz band, or both.

  • Click Enable
  • Enter the Kids SSID Name ie: Home_Kids
  • Change the Authentication to WPA2-Personal
  • If you want the kids to be able to access a printer on your own network, or do file sharing, etc, then you will want to turn Intranet Access On.  If you want to create a guest network strictly for guests with no access to anything on your home network, then you will leave Intranet Access Off.
  • Click Apply

Parental Filtering & QoS Bandwidth Limits

You’ll need to enable BWDPI

  • Go to Tools
  • Other Settings in the tabs on the right
  • Scroll down to the bottom and set BWDPI to Yes
  • Click Apply

Now AI Protection, Traffic Analyzer, Adaptive QoS will be available in the menu.

In order to use OpenDNS, you’ll need to create a free account.  Then start selecting categories you want to block.

Then in XWrt, go to AI Protection, choose Parental Controls then DNS Filter in the tab menu.

Turn on DNS Filtering by toggling the switch to On.

Global Filtering: No filtering (unless you want EVERYTHING to go through OpenDNS, in which case proceed no further)

Custom DNS: You can use 8.8.8.8 and 8.8.4.4 if you so choose, otherwise leave blank

Client List: Add each child device you want to filter, and choose OpenDNS Home.  If you want default Family Friendly filtering, choose OpenDNS Family, otherwise use OpenDNS Home to use your custom category choices (and you can define additional domains within OpenDNS, both block and allow domains).

Click the Plus (+) sign and add the next device.

Click Apply when you’re done adding.

Time Limits

  • Go to AI Protection
  • Click Parental Controls
  • Click Time Scheduling (top right)
  • Enable Time Scheduling
  • Choose the device from the list
  • Click Add (+)
  • Now it’s in the list, click the pencil icon to edit the time limits.
  • Click and drag to set the block(s) of time when you want to allow access.
  • Click OK to save

Repeat as necessary for other devices then click Apply to save changes.  To disable time limits on a device, just uncheck the box and click Apply.  This will leave the time limits set but not enforce them until you re-check the box and click Apply.

Bandwidth Limiting

Go to Adaptive QoS

Here you can set priorities on a device level, drag the “Highest”, “High”, “Medium”..etc label to each device in the list if you want to change their network traffic priority (ie: Your work laptop gets Highest, children devices Low or Lowest)
You don’t need to set any priority if you don’t feel the need.

  • Click QoS at the tab menu
  • Enable QoS
  • QoS Type:  Bandwidth Limiter
  • Queue Discipline: sfq
  • WAN Packet Overhead and ATM: leave it
  • Now as before with filtering, choose the device, set the Download and Upload limit in Mb/s, 3 is good on a 50+ Mb/s connection.  If you have 8Mb/s DSL, then 1 or 2 should suffice.

Click Plus (+) to add, repeat as necessary.

Click Apply to save.

Now perform a speed test on one of the devices you throttled to confirm the limit is working.

Allow Remote Access to your router

This is useful if you want to access your router from work, or cellphone while away from the house.

  • Go to Administration, then choose System in the tab menu
  • Scroll down and Enable Web Access from WAN.  Leave remote access port at 8080 for this example.
  • Click Apply
  • Now go to WAN, then choose DDNS from the tab menu
  • Enable DDNS Client: Yes
  • Server:  Choose your preferred method, I left it at www.asus.com
  • Hostname:  Choose a name.  ie: myhouse
    (Choose something only you would be able to guess!  myhouse is just an example)
  • Click Apply

Now you can reach your home router by using http://myhouse.asuscomm.com:8080

If your IP changes, it will automatically update the DDNS provider (Asus.com in this case) with your new IP address.

Other Features

If there are other features you’d like to cover, please let me know.  If you choose to buy the R7000, please use the links on this page so I get referral credit.

If this writeup helped you decide on using this router or configuring, please consider making a donation to cover operating expenses.




Disclaimer

Changing your firmware to anything other than manufacturer specifications is at your own risk and you will likely void any warranty.  If you brick your device, you will need a USB-TTL cable to get it back to stock firmware using TFTP and firmware from the manufacturer. (See this post about recovering a bricked R8000, similar process to the R7000).  Support to change your firmware, or recover a bricked device is not offered or implied.