Banish the kids to their own network!

A few weeks ago I received an unpleasant bit of email from my Internet provider. At first, I thought it was yet another lame spammer or phisher sending me some official-looking notice, but after a moment’s inspection I realized that this was a real bona-fide official notice.

Their network security department very kindly (and politely) informed me that they had received a “cease and desist” order from a particular game publisher. They had included the game publisher’s email, complete with the incriminating evidence.

There it was: logs showing the MAC address of my cable modem being involved in suspicious BitTorrent activities.

Considering that at any time during the week there can be anywhere from two to six or seven different teenagers hanging out in my humble abode, carrying virus-ridden machines, the message was clear: I had to get serious about locking down network access.

The Problem

I would have liked to buy some net filtering software, slap it on the offending machine, and be done with it; however, I knew that this was insufficient.

Even if this one event could be traced to a youthful source, a more ominous danger comes from the inevitable malware and viruses that teenagers collect on their machines as they swap cool stuff with their friends.

Complicating things, there are many devices on our home network: besides their school laptops, the kids have video game consoles and one has an iPod touch, all with wifi access. Think about how many different gadgets are on your home network.

And shutting off access altogether was not an option—there is still schoolwork to be done!

The answer: A Private Network for the Kids

My solution was to put together an unusual network configuration using a second wireless router; I wanted the ability to manage every single kid-owned device at the flip of a switch, while leaving the grownups untouched.

In the diagram, I hooked the cable modem (red) to the main router, shown in green. I then plugged a second wireless router, shown in blue, into the first.

By doing this, you can see that there is one single wire connecting the entire blue network (the kids) to the green network. It was trivial to then configure the green router with appropriate access control and filtering for that one single device: the blue router.

Some quirky details

Home routers like these are, by default, configured with a NAT firewall. They work sort of like one-way mirrors: someone on the network can see out, but nobody can see in. As a result of this, the kids (blue devices) can see any device on the main router (green devices), such as our print server and the NAS device, but no one can see into the kids’ network.

As paradoxical as it seems, this is exactly what I wanted. By making the kids’ network a private network, it appears to the green router as a single device. When I am configuring access restrictions, I only need to control access for the blue router’s IP address or MAC address.

Many consumer-grade routers have flaky firmware that just doesn’t behave well when you start doing things like turning on filtering for multiple machines. I simplified things by bringing the number of controlled devices down to one. In addition, filtering on the IP addresses or MAC addresses of individual machines is easily defeated by manually changing the IP address or MAC address. With my configuration, the MAC address being filtered is the blue router’s, locked away safely.

The Finer Points

If you want to set up a network like this, do the following:

  • (Recommended) Reset the kids’ router. Hold in the hard reset button on the router while you turn on the power, and keep holding it for 15 seconds or so.
  • Hook the kids’ router up to a spare laptop using an Ethernet cable. (Turn off the wireless of the laptop for the time being).
  • Use the laptop to navigate to the configuration web page (usually 192.168.1.1).
  • Set the router’s own address to a different network from the main network, such as 192.168.2.1. This is critical.
  • Configure the router’s gateway and DHCP server entries to all point to the main router (192.168.1.1). This tells the kids’ router to use the main router as the source for its DHCP lookups and such, rather than going directly to the cable modem.
  • Navigate to the configuration web page at the new address (192.168.2.1). You may need to close the browser and replug the Ethernet cable.
  • Set up your wireless security for the kids however you like. Make sure to choose a different channel and SSID from your main router.
  • Remove the laptop and plug the WAN port of the kids’ router into one of the LAN ports of the main router. Restart everything.
  • Test both networks to make sure things work the way you think they should.
  • (Optional) You might want to connect to the kids’ router and set its external IP address statically. Make sure that this is set to a number on the home network (e.g. 192.168.1.2).

Some notes:

  • You can only maintain the kids’ router from a machine connected to the kids’ network; the home network cannot see the management screens. If you wish, you could enable remote management for the kids’ network only, since the main home router is still protecting the whole network from intruders.
  • Computers on the kids’ network can see all devices, but they aren’t on the same network. This means that network printers and NAS devices are accessible, but you will have to attach to them using IP addresses. I was able to easily set up the machines on the 192.168.2.1 network to use a print server on 192.168.1.100.
  • For machines that should have full access (a.k.a. yours), make sure that you either set the green network to be a higher priority or remove the blue network SSID entry altogether. I found out the hard way that my iMac would randomly pick the green or the blue depending on which one it saw first when it woke up.
  • This does not wall off your main network; it simply provides a single point of control for the entire kids’ network. In other words, don’t depend on this setup to prevent malware on the kids’ machines from seeing your machine. You can, however, set up your PC to not trust the kids’ network.
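As an added example (not from the original post), this small Python script models the two-router layout above: it checks the address plan from the steps (the kids’ LAN must not overlap the main LAN, and the kids’ router’s WAN address must sit on the main LAN), shows which single address the main router sees for every kids’ device, and applies the one-way-mirror rule from the notes. The device addresses in the demo, other than the 192.168.1.100 print server, are constructed.

```python
import ipaddress

# Address plan from the article: green (main) LAN, blue (kids') LAN, and the
# optional static address the kids' router is given on its WAN (green) side.
MAIN_LAN = "192.168.1.0/24"
KIDS_LAN = "192.168.2.0/24"
KIDS_WAN = "192.168.1.2"


def check_plan(main_lan=MAIN_LAN, kids_lan=KIDS_LAN, kids_wan=KIDS_WAN):
    """Return a list of problems with the address plan (empty list means OK)."""
    main_lan, kids_lan = ipaddress.ip_network(main_lan), ipaddress.ip_network(kids_lan)
    kids_wan = ipaddress.ip_address(kids_wan)
    problems = []
    # The "critical" step: the kids' router must serve a different network,
    # or its NAT cannot tell its inside from its outside.
    if main_lan.overlaps(kids_lan):
        problems.append("kids' LAN overlaps the main LAN; use a different network")
    # The kids' router's WAN port is plugged into the main LAN, so its
    # address must belong to that network (e.g. 192.168.1.2).
    if kids_wan not in main_lan:
        problems.append("kids' router WAN address is not on the main LAN")
    return problems


def as_seen_by_main(src, kids_lan=KIDS_LAN, kids_wan=KIDS_WAN):
    """Source address the main router sees for a packet from `src`: every
    kids' device is masqueraded behind the kids' router, so only one address
    ever shows up, and that is the one to filter on."""
    src = ipaddress.ip_address(src)
    return str(kids_wan) if src in ipaddress.ip_network(kids_lan) else str(src)


def can_reach(src, dst, main_lan=MAIN_LAN, kids_lan=KIDS_LAN):
    """One-way mirror rule of the kids' router's NAT: hosts inside it can
    open connections outward; nothing on the main LAN can open one inward."""
    main_lan, kids_lan = ipaddress.ip_network(main_lan), ipaddress.ip_network(kids_lan)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in kids_lan:
        return dst in kids_lan or dst in main_lan   # same LAN, or out through NAT
    if src in main_lan:
        return dst in main_lan                      # kids' LAN is hidden behind NAT
    return False


if __name__ == "__main__":
    print("plan problems:", check_plan())
    print("kids' laptop -> print server:", can_reach("192.168.2.50", "192.168.1.100"))
    print("iMac -> kids' laptop:", can_reach("192.168.1.10", "192.168.2.50"))
    print("main router sees kids' laptop as:", as_seen_by_main("192.168.2.50"))
```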

Wireless Network Security

Regardless of how you set up your network, make sure you use at least WPA encryption (Never use WEP!). Make sure your passwords are solid.

Using DD-WRT on my new wireless router

In addition to the new network configuration, I went one step further and chose a main router that lends itself well to installation of open-source firmware. I ordered a Linksys WRT54GL from Amazon for a little over fifty bucks. I chose this one because, as a direct descendant of the venerable WRT54G, this router is very well suited for running alternative firmware such as DD-WRT, giving substantial control over things like, say, access control…

Within a half hour after my new router arrived, I had gone to the Supported Hardware page, obtained the latest build of DD-WRT, and replaced the Linksys firmware with the far better open-source code.

I won’t go into the specifics of installation here, but it isn’t very challenging. Check out the DD-WRT site for details.

Closing Thoughts

Make no mistake: we are responsible for whatever goes on our home networks. It is just like your home telephone: if someone dials up some 900 number and rings up a thousand-dollar phone bill, the phone company won’t care a whit who did it; you will still pay. Likewise, regardless of who did the BitTorrent download, a certain degree of responsibility falls on the homeowner to lock down the network.

Another point: Without some degree of personal responsibility on the part of the kids in the house, this sort of activity would simply be an arms race of filtering and blocking versus hacking. My goal is to help keep the honest people honest and to make life more difficult for the viruses and malware.

3 Responses to “Banish the kids to their own network!”

  1. Sue Massey writes:

    Great post. I will read your posts frequently. Added you to the RSS reader.

  2. Quentin writes:

    A well-written-up piece. I’ve recommended something similar in the past, though fully wired, for a test network. The only improvement I would suggest is to change one of the routers to a different class of private IP addresses (10.x or 172.16.x). This makes analysing things much easier because the IP addresses are immediately visibly different.

    I’m interested to see that the connection between the two routers is wired. No thought of wireless routing?

  3. Tad writes:

    Great idea about the IP addresses. Not only is it easier to distinguish the networks in logs, but it makes configuration a little bit clearer.

    I didn’t go for wireless routing between the two because that would necessitate having one router act in some sort of repeater mode, with its radio both communicating with the mother ship as well as with the individual clients. Besides, I was trying for simplicity—not only for the article, but also because I am not a networking guru.

    As I was working with the DD-WRT software, I saw that I could have simply set up a virtual network with a different SSID and applied filtering to the second SSID, but as soon as I looked at the tutorials, and realized that I would have to be messing around with hand-written firewall rules (iptables), it was clear that it was much easier just to use two devices.
