Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

More Internet safety–Use your router for access control

A reader comment (thanks Mike) reminded me of a point I intended to make — most home routers/wireless routers have the ability to add another layer of protection for your kid’s Internet safety. Today I will show just how to take advantage of the features built into these devices. A big advantage is the router’s blocking (typically) won’t be undone by a savvy kid. Today’s free link was also inspired by a reader comment. Keep those useful comments coming folks, they often benefit everyone.

Tip of the day: Use your router’s security features to limit your child’s access to the Web. I wrote a three-part series titled “Steps you can take to keep your kids safe on the Internet” and this post should be considered part 4. In part 1, I showed you how to create a Limited User account and lock down Internet Explorer. In part 2, I discussed monitoring and controlling your child’s web-surfing with Parental Control programs. And in part 3 I told you how to monitor chat, and decipher the “code” language used there. If you missed any of these, click on the blue links to view them.

For the purposes of demonstration, I’m going to demonstrate on arguably the most common/popular wireless router sold to date — the Linksys WRT54G — but I want you to understand that these features can be found on most, if not all, makes and models and accessed in similar ways. If you have already gone in and changed the address range and/or router name and password, substitute your settings … I will show the Linksys defaults.

Step 1) Access your router’s control panel. Open your browser and type in http://192.168.1.1 and you will be asked for a name and password. Leave the name blank and type “admin” (no quotes) in the password box. You will now see the Linksys control panel’s Setup page, which is where you make general connection (to your ISP) changes.
lsetup.jpg
We are not going to make any changes here on the Setup tab (I am just showing you what to expect), we’re going to use the Administration tab and the Access Restriction tabs.

Step 2) To prevent our tech-savvy kid from undoing the restrictions we’re going to put in place a new password. Click on “Administration” in the upper black bar. The top input boxes are for our new password. Think up a complex password your child won’t be able to guess, like “Kepe0uThek1dz”, (and write it down, and keep it someplace they won’t snoop) and enter it, and “confirm” it. Now scroll down and click on “Save Settings”.
lpass.jpg
The control panel will disappear while the router absorbs these changes and then a screen will tell you your changes have been saved. Click “to continue” and the control panel will reappear.

Step 3) Now we’re going to put some restrictions in place — click on “Access Restrictions” in the upper black bar. On this page we are going to set up an ACL which Linksys refers to as a “policy”. You can establish more than one policy if you desire, but for our purposes one is enough. In the screenshot below, I have told the router that there’s to be no Internet access from midnight to 6am on any computer, but you can assign your child’s machine a fixed IP address and by clicking the Edit List of PCs button, apply these restrictions only to your child’s machine … if they have their own, that is. [update: you can also use the MAC address. For my article on how to find and use it, click here.]
lac.jpg
As you can see, you can ‘tweak’ the time restrictions on a day-by-day basis, so schoolnights can have a different shutoff time than weekends, say.

Now scroll down and you will see where we can do some more specific blocking.
lblock.jpg
Here I have specifically denied access to My Space, and if I were really doing this I would also add the other popular “social networking” sites (like Facebook). Please note that I used wildcards (“*”) in place of “www” and “.com” — this is done to eliminate/block all the pages of the site “MySpace”. You are not limited to four URLs as the boxes might indicate. You can put as many into one box as you’d like … just seperate each URL with a semicolon.

I have also started a “keyword” list to be blocked, which will block any websites that contain these words. This is far from the list you would want to use, I suspect — you would probably want to include “wild parties”, “wild sex”, “totally nude”, “wild girls”, “boys gone wild”, and you may want to include “gun”, “guns”, “shooting”, and such. This is up to you to decide and configure … just seperate each keyword (or phrase) by commas.

Step 4) Click Save Settings and exit the control panel. And that’s it. Congratulations: you’ve added another layer of security, and shown your kid you just may know enough “tech” to earn a little respect.

UPDATE 8/26:
A reader commented that he has done the above steps and could still access My Space. He naturally wondered why. The first thing to ar.jpgverify is that you have verified that your new policy is enabled.
It is not necessary to give your access policy a name, but it may help you to do so — I named mine “Restrictions” to demonstrate.

The second step may not be required, but if you can still visit the sites you’re trying to block, you need to tell the router which PC’s to apply this policy to. Click on the “Edit List of PCs” button.
ar2.jpg
Here you can “apply” the policy to a specific machine by using the MAC address or fixed IP, or to all attached machines by setting a range of IP’s. To ensure coverage of every machine, enter the range 0-254, as shown. Now Save Settings, and you’re set.

Today’s free link: A very thorough resource for parents concerned about Internet safety for their kids can be found at the all-volunteer WiredSafety.org. From site: “All-inclusive, free resource focusing on Internet safety, help and education for Internet users of all ages; providing information and solutions to online…

Copyright © 2007 Tech Paul. All rights reserved.

Share this post :

July 31, 2007 - Posted by | advice, computers, hardware, how to, kids and the Internet, networking, PC, routers, routers and WAPs, security, security zones, tech, Vista, Windows

24 Comments »

  1. Many routers offer the ability to control access based on time, however if there is an active link from that computer – which most internet games establish, the connection will not be interupted.

    Comment by Hal Skoog | August 4, 2007 | Reply

  2. Thank you Hal,
    It is typically true that existing connections will not be terminated. ACL’s are typically applied as the connection is established. However, some routers apply restrictions to each packet, which will effectively terminate sessions.
    The reason parents should be aware of this abilty is so that the child cannot arise, after being put to bed, and get into late-night mischief.
    I am not suggesting that parents let the router do all the work — a savvy user can easily undo its settings — but to be aware of this “layer” of defense.

    Comment by techpaul | August 4, 2007 | Reply

  3. I tried this and I can still go right to Myspace. com

    What gives?

    Comment by Sandlapper | August 26, 2007 | Reply

  4. Sandlapper,
    I have to make a couple of assumptions, such as that you’re using a WRT 54G…
    It is possible that you have simply omitted a step. Please scroll up to the UPDATE portion of the post, where I have published the answer.

    Comment by techpaul | August 26, 2007 | Reply

  5. Your help is greatly appreciated. Thanks to your post, I have figured out how to restrict access to porn and other bad stuff. However, how do I restrict access to specific sites (like facebook) DURING SPECIFIC TIMES ONLY (like, 7-9pm, when they should be doing homework!) but she can access it at other times. THANKS!!

    Comment by Steve | January 26, 2009 | Reply

    • Steve–
      Hmmm.. that’s a very good question, (maybe the best question I’ve had all week) and I am not going to be able to give you a step-by-step (I don’t know your router, for one thing) but Ill try to point you in the right direction.
      One option is iffy, because I’m not sure if the for-pay software solutions allow you to set time controls on a per-URL basis, but you might look into the likes of NetNanny.
      An option that has a better chance is to set a second policy (named.. “work time” or something) and set it to ‘enable’ (aka “run”) itself from 7-9, and block the URL’s. The two will work together during that time, and be more restrictive (the WRT 54G allows up to 10 policies to be set. Your make/model may vary.)
      If the router doesn’t allow two different policies to run at the same time, you could use another Parental Control software solution to provide the ‘tougher’ restrictions.. Use the router for the “always on” restrictions (xxx – rated, ie) and the software for the ‘work time’ restrictions.

      But .. people (and, yes, kids too) are pretty clever, and there are ways around access control lists. Perhaps a logging tool, or Parental Monitoring (essentially spyware) program might be appropriate (or.. the belief that there’s one installed..). Something that keeps track of (and timestamps) your child’s activity, and gives you indisputable evidence when rules are broken.

      Comment by techpaul | January 26, 2009 | Reply

  6. Wow….the blogs are full of people trying to get keyword filtering to work….with no answers. Although this page seems clear enough…I could still not get keyword filtering to work. Shame on Cisco for not knowing what the customers want and having detailed step by step on their site.

    Comment by Tim | November 13, 2009 | Reply

    • Tim,
      Cisco is very good at supporting customers and providing free telephone support. Look to the Cisco website for “live” support..

      Comment by techpaul | November 13, 2009 | Reply

  7. Thanks techpaul for all the useful information. I’m trying to set up a network for my office that will restrict web use to only 2 or 3 websites that my employees will need to use. Are there any routers that will allow you to restrict ALL except for a few websites?

    Comment by Tony | August 21, 2010 | Reply

    • Tony,
      Any router that allows ACL’s (which to the best of my knowledge is all of them) will allow you to “blacklist” (deny) and “whitelist” (allow) .. the trick then becomes crafting the list.
      (Believe it or not, your router manufacturer’s tech support (not the 1st tier, of course) can be quite helpful in this.)

      It sounds to me that you want to …
      allow: http://www.website1.com
      allow: http://www.website2.com
      allow: http://www.website3.com
      deny: http://*.*.* (wildcards)

      That sample is the idea, but there are ACL rules that vary somewhat, and so the manufacturer would be the place to start.. maybe the user forums.

      Comment by techpaul | August 21, 2010 | Reply

  8. One problem is that children don’t seem to have any problem posting private and personal information about where they live, what school they go to or even putting videos or pictures of themselves online. A lot of kids will openly get into conversations with strangers they have met online. Then another statistic says that 1 in 5 children say their parents have not discussed anything with them about staying safe online. Every person needs to really understand how crucial parental controls are for kids on the internet.

    Comment by Lance Regalado | November 10, 2010 | Reply

    • Lance Regalado,
      Keeping kids safe(r) on the Internet is it’s own category here on T4E.. and there’s even a dedicated page (upper right).

      Enter “kids” in my Search tool to see my other articles.

      Comment by techpaul | November 10, 2010 | Reply

  9. Great using a router/firewall as an additional layer of protection for kids on the Internet. Important to have the initial Admin password changed & protected to stop the tek savvy kids making changes.Thanks for sharing.

    Comment by Kid Internet Safety | April 23, 2011 | Reply

    • Kid Internet Safety,
      I take Internet safety very seriously. And I take children’s safety very seriously. Since children get on the intertubes…

      I advocate parents take proactive roles. And I support Parental Monitoring.. even though some might call it “spying”.
      The Internet is not Disneyland. No one – really – is working to keep it clean, safe, and well-lighted. (Those that are [aka "whitehats"] have no financing and no jurisdiction.) But criminals are using it as their tool of choice.

      Comment by techpaul | April 23, 2011 | Reply

  10. Many thanks for this useful info techPaul; I’ve set up my WAG200G and can can block sites as described, however the http:// is removed from the url whensaving so ends up for example as twitter.com rather than the url http://twitter.com. That’s no problem as it still works but I can’t get it to block https://twitter.com (defaults to http) and if I try using wildcards as per your example it returns a “Invalid URL” – any thoughts? I’ve not upgraded firmware as there is no mention of increased facilities for this in later versions.

    Comment by Kit | November 27, 2011 | Reply

    • Kit,
      You may be okay. It may be (I might go so far as to say probably) that blocking twitter.com (the domain) blocks all protocols (HTTP, HTTPS, FTP, POP, etc.) trying to go there (“communicate”).

      But each make/model is slightly different.. so you might want to contact Cisco (they make Linksys) and ask. Click here, http://homesupport.cisco.com/en-eu/support/gateways/WAG200G, and then click on “Live chat”.
      (They are free. I cost money.)

      I have called them in the past, and found them most knowledgeable and helpful (and I am inches away from being Cisco certified) and I am a “tough customer”.

      Comment by techpaul | November 27, 2011 | Reply

      • Thanks techpaul, I’ll give em a try, for info I found that by experimenting that http is blocked but https isn’t. Regards.

        Comment by Anonymous | November 29, 2011 | Reply

        • Kit,
          Fortunately there are other tactics available to you, but which one will be best for the WAG200G.. well, give ‘em a call (or use the “chat”).

          Comment by techpaul | November 29, 2011 | Reply

  11. I just want to add that on the WRT54G, under wireless, advanced settings, and with DD-WRT firmware installed, you can choose times (in 1 hour blocks) that the wireless radio itself is on. I have spent many hours trying to use the parental controls or the internet access policy and have found it lacking.

    Here’s how I finally eliminated the problems.

    #1 I installed a second router for the kids wireless access. This router in wired into the main router, connected to one of the 4 LAN ports on the main router and to the WAN (Internet) port of the second router. The WAN address is set to DHCP automatic while the router itself is 192.168.2.1 whereas the main router is as default 192.168.1.1

    #2 I blocked their access to the main router by changing the wireless SSID and by not broadcasting it. I also used the old SSID on the new router with the exact same security settings so for the kids, it was seemless.

    #3 I installed DD-WRT firmware on my router. Although this is somewhat advanced, you can just buy one that’s already done used on eBay for around $30-40, or you can buy a Buffalo Technology brand router. You are limited to creating 5 rules on the Linksys but have 10 with DD-WRT.

    #4 I made a list of the computers’ MAC addresses and using DHCP reservations in the router (available on Linksys or DD-WRT firmware) set an address for each computer and device (iPods, PS3, Obox, Laptops etc). this made things so much simpler, MAC addresses are impossible to remember, a range of IP’s proved much easier.

    #5 I made a set of rules to deny access at certain times, 1 from 9:00PM-Midnight school nights (Sun-Thur), 1 from Midnight-7AM (Mon-Fri), and 1 from 8:30AM-9:00AM (Mon-Fri)**This was so they were off the net and not missing the bus).

    #6 I set the wireless radio itself to only operate from 7AM-Midnight which insures they are off the internet, with some games they played, if they had been connected, it allowed them to stay connected as someone noted above. I’m not certain if this setting is available with the standard Linksys firmware or not because I no longer use the Linksys firmware so I can’t easily check.

    On holidays, the kids obviously want to stay online later, I solved this problem by enabling the guest access on my main router for those days or anytime I want to give them extra access. Not all routers have guest access but it’s almost as easy to just disable the rule that is limiting them, you just have to remember to turn it back off when you’re back on the regular schedule. The kids WON’T remind you!

    Hope this helps someone.

    Comment by Wayne Nocton | March 26, 2012 | Reply

    • Wayne Nocton,
      Thank you for taking the time to share that with us. I join you in hoping it helps some folks.

      Comment by techpaul | March 26, 2012 | Reply

  12. Is there any way to look at logs of what website my kids visited through a linksys router???

    Comment by John Mitchell | March 24, 2013 | Reply

    • John Mitchell,
      I know you can blacklist (block) websites but, I have not looked that deep into Linksys router config’s since, basically, when Wireless N came out (i.e. all the models I own, and support, are older) so I’d have to look up “DNS lookup logging” or “domains accessed logging” to answer that specifically. (If you set your DNS server to OpenDNS, they do free DNS logging.) You can look for a “Logs” tab in your (router’s) Control Panel. Generally speaking, I doubt your router creates logs that you could easily see where they visited.

      But, if your child has erased their browser’s History, my (technician’s) advice is to install parental control/monitoring software; such as the excellent and free K9 Web Protection or Norton’s Family Protection services (Norton Family is free).

      Comment by techpaul | March 24, 2013 | Reply

  13. Will setting up user accounts (step 1) work for any device that’s using our wifi? Two of our children have their own Chromebooks from their school.

    Comment by Anonymous | March 7, 2014 | Reply


Post your Comment/Question

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 198 other followers

%d bloggers like this: