Parental controls and gateway/access points

JHZR2

Always interested in internet security, but I don’t know a lot. I figure this is specific enough to warrant a separate thread from some of the other router and networking threads.

As discussed in some others, I recently bought a Ubiquiti cloud gateway ultra, and put my ASUS router into AP mode. It all works.

I have growing interest in parental controls. Most specifically, which MAC addresses can get wifi at what hours. Primarily because it is starting to be a thing to wake up early and play online video games, then ask for more later. That sort of thing. We talk about it and set the rules at home, but I’d like some level of restriction.

My ASUS router, when in router mode, had all kinds of subscription-free parental controls. Now that it’s an AP, it has none of it. It doesn’t seem like the UI gateway has much of any.

I’d like the security of the UI gateway, and the parental control of my ASUS router. Is this possible?

It seems lousy that the AP that is providing control of the wifi connected devices can’t limit them, that it turns off all control. It also seems that I can’t use the gateway to serve as a firewall and protective service, but allow the existing router to do the “routing” duties.

What’s my best bet? I don’t need much that is overly complex. And I trust my kids. But I’d like to have the option to limit access of certain devices as the desire to waste more and more time on video games grows…

Thanks!
 
If you have a Unifi Cloud Gateway, a new UniFi AP will most likely be your best bet. I’m sure they have under $100 offerings that will probably match if not surpass your ASUS router’s AP features/capabilities.

With a UniFi AP, you could have the kids on a specific SSID that has hours of availability and/or more comprehensive filtering controls. The UniFi Cloud Gateway should be able to manage many UniFi APs.

As far as parental control, I don’t think you’re going to get much from UniFi for that. Maybe it’d be worth looking into a Cisco Umbrella or Cloudflare DNS filtering subscription and have your kids SSIDs/networks using that for some DNS filtering.
 
 
I’m less concerned with inappropriate stuff, as the only access they have is through Apple devices that have other controls for that.

Really all I want is permissions by MAC/IP address to keep certain things disconnected at certain times. My ASUS router does it when in router mode (haven’t used it yet but as kids get older and more enthralled with online gaming the writing is on the wall). Unfortunately and stupidly, ASUS removes those capabilities when set to AP.

Can I use the UI cloud gateway for its security features, but not for routing/IP allotment/etc., and keep my ASUS router as a router?
 
See if you can implement some traffic rules.

https://help.ui.com/hc/en-us/articles/5546542486551-UniFi-Gateway-Traffic-Rules

Where it says “iPad” see if you can choose a specific MAC. In this case all of your clients will be Wired.
 
As @redhat noted, create a rule for the individual clients and assign a schedule to it.
Thanks. Found that in the app, and can use it if/when need be. Discussed with my wife and her primary interest right now is teaching self-regulation and control versus a nanny device block access… which I agree with. But it’s good to know how to do it if we need it in the future.

Now, a different question. I have some tp-link power line Ethernet adapters that are used to feed an antenna that goes to another building a few hundred feet away. Nothing that communicates over that is critical. It’s just some cameras.

But since it’s tp link stuff, should I disconnect it from my existing router (now WiFi ap with ethernet), and plug those into one of the Ethernet ports on the gateway? Is there a way to isolate those devices from the rest of my Ethernet traffic? Is this necessary?

Just thinking because it’s tp-link…
 
You wouldn't have to. Without knowing tons of your setup, it sounds like your ASUS router (acting in AP mode) has its routing/NAT and DHCP/DNS functions disabled. If that is all so (and I think it is from your discussions), the 4-5 ethernet ports on this ASUS router are acting as a switch. Basically those ports + the wireless radios in the AP are all acting as a switch. All except the WAN port of that device.

Then again, on some of those routers/APs you can config the WAN port to be a switch port. Really depends.

But long story short, you wouldn't have to. If a device plugged into the ports on that ASUS AP receives the same IP scheme/subnet as devices directly connected to your UniFi gateway and wireless clients, it's acting as a switch and you're good to go.
 
If you're curious on directly connecting the "chain" of TP-Link devices to the UniFi gateway out of security concerns, that also is of no difference going through the ASUS AP's switch ports first. It won't be circumvented and still traffic has to go through the UniFi gateway to get out to the internet.

Now could a rogue TP-Link device directly connected to your ASUS AP sniff traffic of your wireless clients... highly unlikely. But I guess anything is possible (?). Are the cameras TP-Link as well as the ethernet adapters? Usually the ethernet power line adapters are such low-level devices, half the time they don't even have a management interface.

Cameras... ok sure, they can get kinda rogue if compromised. Usually their camera feed is on a mega-website showing all compromised cameras from around the world.

I am not an InfoSec/Cyber security professional so I'm not a pro on this specialized subset... just a jack of all trades IT Manager.
 
Well I’m concerned if there are security concerns of having those things in the network.

I think as I understand it, if some rogue device is in your network, everything in the network is compromised.

Thus if there is some way to isolate that stuff so it sees the primary IP address, and the AP and all my other connected stuff sees the same primary IP address, but there is no other interaction, I think that’s best. But maybe it’s just folly.

I see no way a powerline adapter could do any harm?

Well I just don’t know if it can sniff internet traffic, or what’s on other IP addresses in the local network, or what not else; to me that’s a concern. I’d suspect that maybe if it’s all connected to a different Ethernet port in the gateway, it is completely isolated there…
 
Unless you configure another port on the gateway to be on a different network with no “other network communication” (tag it with a VLAN tag of another VLAN and create firewall rules to not allow inter-VLAN routing between those subnets), just plugging those devices into another port on the UniFi gateway is not going to make a difference.

The entire logical layout of your network would need to be revised and changed. It sounds like you kinda don’t trust those devices but still want to see the video feed from those cameras.

Really depends upon how far you want to take this versus if you don’t trust those devices, perhaps they should be replaced with ones from a more trusted vendor?

However, to accomplish what it sounds like you want, one way you could do it is to create another VLAN on the UniFi gateway and assign it to a DMZ zone. Then assign another port to exclusively use this VLAN (default VLAN tag). You’d create rules that would only allow established and related traffic to propagate from your DMZ zone to your LAN, all LAN to DMZ allow and all DMZ to WAN allow. This would be a zone based approach.

Honestly so many ways to go about this. Dependent upon equipment and desired outcomes you could set this up many different ways. Maybe @OVERKILL can give some good insights from a first-hand UniFi sense as I think he uses it primarily. I don’t, but do know how I’d expect it to operate.
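To make the zone-based rule set above concrete, here is an added example (not UniFi code and not the poster's configuration) that models the policy as a small stateful firewall and runs constructed flows through it. The zone names, the subnets (trusted LAN on 192.168.1.0/24, camera DMZ VLAN on 192.168.50.0/24), the host addresses and the sample flows are all assumptions made for illustration; what it shows is why the "established/related only" direction matters and which flows the default deny catches.

```python
"""
Zone-based policy for a camera DMZ VLAN, written as an added example for
this thread (not UniFi's code or data model). It models the rule set the
post describes: DMZ -> LAN only for established/related traffic, LAN -> DMZ
allowed, DMZ -> WAN allowed, anything else denied. The zone names, the
subnets and the sample flows are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed layout: trusted LAN on 192.168.1.0/24, camera DMZ VLAN on 192.168.50.0/24.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.50.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to a zone; anything not local counts as WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Zone pairs and their action. "established" means the pair is only allowed
# for replies to a connection the other side opened; everything not listed
# falls through to DEFAULT.
POLICY = [
    ("LAN", "DMZ", "allow"),        # open the camera's web page / RTSP stream
    ("DMZ", "LAN", "established"),  # camera may only answer what LAN started
    ("DMZ", "WAN", "allow"),        # camera may reach its cloud/NTP service
    ("LAN", "WAN", "allow"),
]
DEFAULT = "deny"

class StatefulFirewall:
    """Minimal connection tracker so reply packets count as 'established'."""

    def __init__(self):
        self.conntrack = set()

    def _policy(self, src_zone, dst_zone):
        for fz, tz, action in POLICY:
            if (fz, tz) == (src_zone, dst_zone):
                return action
        return DEFAULT

    def decide(self, f: Flow) -> str:
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        reverse = (f.dst, f.dport, f.src, f.sport, f.proto)
        if reverse in self.conntrack:
            return "allow"  # reply to an accepted connection: established
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            return "allow"  # same VLAN: switched, never reaches the firewall
        if self._policy(src_zone, dst_zone) == "allow":
            self.conntrack.add(key)
            return "allow"
        return "deny"       # "established" with no matching entry, or DEFAULT

def run_scenario() -> dict:
    """Constructed flows exercising each rule; returns the decisions."""
    fw = StatefulFirewall()
    out = {}
    # A LAN laptop opens the camera's RTSP stream: allowed and tracked.
    out["lan_to_cam_rtsp"] = fw.decide(Flow("192.168.1.20", 51000, "192.168.50.10", 554))
    # The camera's packets back on that connection: established, allowed.
    out["cam_reply"] = fw.decide(Flow("192.168.50.10", 554, "192.168.1.20", 51000))
    # The camera (or a compromised adapter behind it) probes a LAN NAS on SMB: denied.
    out["cam_to_nas_smb"] = fw.decide(Flow("192.168.50.10", 40000, "192.168.1.30", 445))
    # The camera talks to its cloud service: allowed.
    out["cam_to_cloud"] = fw.decide(Flow("192.168.50.10", 40001, "203.0.113.7", 443))
    # Camera to camera inside the DMZ VLAN: switched traffic, not filtered here.
    out["cam_to_cam"] = fw.decide(Flow("192.168.50.10", 40002, "192.168.50.11", 80))
    return out

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

Two things the simulation makes visible that the GUI rule list does not. First, the "established/related" rule is only useful because the LAN side opens the connection: the camera feed has to be pulled from the LAN (or go out to a cloud service), never pushed by the camera into the LAN. Second, the policy says nothing about traffic inside the DMZ VLAN or to the gateway's own address on that VLAN (DHCP and DNS must still work, the management UI should not be reachable from there), so those need their own explicit rules.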
 
Thanks. It’s all consumer gear. But anytime I read anything about this stuff, it all has vulnerabilities.

I’m not concerned about the cams or what they see/show. I just don’t want tp link or anyone else seeing the rest of my traffic.
 
Another thing going thru my mind is — I think you mentioned cameras? What else is on the other end of the power line adapters? Just cameras? What make/model?

If those cameras really only need outbound internet to function from an app on your phone or a service… this gets super easy. If they do need to interact with other devices on your network (a NVR or connection directly to a viewing device) this will be more complex.
 
With that said, what about taking out the powerline adapters completely, and running cable to your needed location?

The reason I mentioned that is, you would not only mitigate any potential vulnerabilities that you come across for a TP-Link device, but also the power line adapters themselves are not the most “closed off” devices. While probably rare in occurrence, it is not unheard of for the communication frequency (RF over power line) to be additionally available to anyone else sharing your locale’s power feed. Now of course attenuation plays a factor and truly could your neighbor tap in… doubt it. Is that signal ever that strong by the time it gets anywhere, nah. But proof of concept probably wouldn’t rule it out.

Although a lot of these power line adapters are supposed to have a level of encryption in them… who knows what and if yours are currently configured for such.

I would imagine most of the TP-Link vulnerabilities you see, 99% of them aren’t power line adapters. There just isn’t much there.
 
The Unifi Gateway has a honeypot function (assuming you've turned it on), so in theory, it should be able to alert you of suspicious activity on your network. You can also isolate and packet log the TP-Link devices if you wanted, to see if they are doing any "phone home" activity.
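The "packet log the TP-Link devices and see if they phone home" suggestion above, as an added example that is not part of the post and not UniFi's log format: a script that walks a constructed flow log and reports only what the cameras initiate, splitting findings into attempts to reach other local subnets (lateral movement, which the DMZ rules should be dropping) and Internet destinations that are not on a short expected list (possible phone-home). The camera VLAN, the expected-destination allowlist, the addresses and every log line are assumptions made for illustration.

```python
"""
Spotting 'phone home' and lateral traffic from an isolated camera VLAN,
written as an added example for this thread (not UniFi's log format or
code). It walks a constructed flow log of the kind a gateway's packet
logging produces and reports what the cameras *initiate*. The subnets,
the expected-destination allowlist and every log line are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMERA_NET = ip_network("192.168.50.0/24")         # assumed camera VLAN
PRIVATE_NETS = [ip_network("192.168.0.0/16"),     # RFC 1918 space: anything
                ip_network("10.0.0.0/8"),          # here is another local subnet
                ip_network("172.16.0.0/12")]
# Destinations the cameras are supposed to use (constructed: vendor cloud on
# 443, public NTP on 123). Everything else on the Internet is a finding.
EXPECTED = {("203.0.113.7", 443), ("192.0.2.50", 123)}

# Constructed log: "timestamp src dst dport proto bytes", one flow per line.
FLOW_LOG = """\
2024-05-01T05:58:12 192.168.50.10 203.0.113.7 443 tcp 18204
2024-05-01T05:58:13 192.168.50.10 192.0.2.50 123 udp 76
2024-05-01T05:58:20 192.168.50.10 192.168.50.1 53 udp 64
2024-05-01T05:59:01 192.168.50.10 192.168.1.30 445 tcp 0
2024-05-01T06:02:40 192.168.50.11 198.51.100.23 8443 tcp 9120
2024-05-01T06:02:41 192.168.50.11 198.51.100.23 8443 tcp 9140
2024-05-01T06:05:00 192.168.1.20 192.168.50.10 554 tcp 400000
"""

def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def analyze(log_text: str) -> dict:
    """Return camera-initiated flows that cross into other local subnets
    (lateral movement attempts) or go to unlisted Internet destinations
    (possible phone-home), the latter summed by bytes."""
    lateral = []
    unexpected = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src not in CAMERA_NET or dst in CAMERA_NET:
            continue   # only flows a camera starts toward something outside its VLAN
        if is_private(f["dst"]):
            lateral.append((f["src"], f["dst"], f["dport"]))
        elif (f["dst"], f["dport"]) not in EXPECTED:
            unexpected[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return {"lateral_attempts": lateral, "unexpected_internet": dict(unexpected)}

if __name__ == "__main__":
    report = analyze(FLOW_LOG)
    for src, dst, port in report["lateral_attempts"]:
        print(f"LATERAL   {src} -> {dst}:{port}")
    for (src, dst, port), total in report["unexpected_internet"].items():
        print(f"PHONEHOME {src} -> {dst}:{port}  {total} bytes")
```

On the constructed input the SMB probe from the camera to a LAN address is listed as a lateral attempt and the repeated 8443 connections to an unlisted address are summed as a phone-home candidate; DNS to the camera VLAN's own gateway and the LAN-initiated RTSP pull are ignored on purpose. A lateral attempt that shows up with a non-zero byte count would mean the DMZ-to-LAN rule is not actually dropping it, which is the check worth running after the VLAN is set up.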
 
All new iOS devices change the MAC address periodically. That's the "Private Wi-Fi Address" setting. You'll have to disable that for your home networks on each device. Then likely have to set parental controls on each device so they can't change it back.
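The two points made earlier in the thread, a gateway traffic rule that blocks one client by MAC on a schedule, and the warning just above that a randomized "Private Wi-Fi Address" will not stay put, as one added example (not UniFi's code, rule format or client list): a per-MAC time-window rule, plus the U/L-bit check that tells a hardware address from a locally administered (randomized) one so you can see which rules are keyed on an address that may change at the next reconnect. The rule, the client table, the hostnames and the MACs are constructed for illustration.

```python
"""
Per-device time-window rule with the randomized-MAC caveat, written as an
added example serving two points in this thread: the gateway traffic rule
that targets one client by MAC on a schedule, and the later note that iOS
'Private Wi-Fi Address' rotates the MAC. The rule format, the client table
and the timestamps are constructed for illustration; this is not UniFi code.
"""
from datetime import time

def normalize(mac: str) -> str:
    return mac.strip().upper().replace("-", ":")

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. OS-level
    address randomization ('Private Wi-Fi Address' on iOS and similar
    features elsewhere) produces such addresses, so a rule keyed on one
    may stop matching after the device reconnects."""
    first_octet = int(normalize(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)

# Constructed rules: no Internet for the iPad 05:00-07:00, and for the TV
# overnight (a window that wraps past midnight).
RULES = [
    {"mac": "3C:22:FB:12:34:56", "action": "block", "start": time(5, 0),  "end": time(7, 0)},
    {"mac": "00:11:22:33:44:55", "action": "block", "start": time(22, 0), "end": time(6, 0)},
]

# Constructed snapshot of the AP's client list: (hostname, MAC).
CLIENTS = [
    ("kids-ipad",      "3C:22:FB:12:34:56"),  # 0x3C: U/L bit clear, hardware address
    ("kids-iphone",    "DA:1B:7C:90:AB:CD"),  # 0xDA: U/L bit set, randomized address
    ("living-room-tv", "00:11:22:33:44:55"),
]

def in_window(now: time, start: time, end: time) -> bool:
    """Half-open [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(mac: str, at: time) -> str:
    """'block' if a rule for this MAC is active at the given time, else 'allow'."""
    mac = normalize(mac)
    for rule in RULES:
        if normalize(rule["mac"]) == mac and in_window(at, rule["start"], rule["end"]):
            return rule["action"]
    return "allow"

def decide_at(mac: str, hhmm: str) -> str:
    """Convenience wrapper taking the time as 'HH:MM'."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return decide(mac, time(hour, minute))

def audit_rules(rules, clients) -> list:
    """For each rule, report whether any current client carries that MAC and
    whether the MAC is a randomized one that will not stay put."""
    by_mac = {normalize(m): host for host, m in clients}
    return [{"mac": normalize(r["mac"]),
             "matches": by_mac.get(normalize(r["mac"])),
             "randomized": is_locally_administered(r["mac"])} for r in rules]

def randomized_clients(clients) -> list:
    """Hostnames whose current address is locally administered: a per-MAC
    rule written for them is only as durable as their next reconnect."""
    return [host for host, m in clients if is_locally_administered(m)]

if __name__ == "__main__":
    print(decide_at("3c:22:fb:12:34:56", "06:15"))   # block
    print(decide_at("3c:22:fb:12:34:56", "07:00"))   # allow
    print(decide_at("00:11:22:33:44:55", "23:30"))   # block (wrapped window)
    print(audit_rules(RULES, CLIENTS))
    print(randomized_clients(CLIENTS))               # ['kids-iphone']
```

Running the audit before trusting a schedule is the practical takeaway: a rule whose "matches" comes back empty, or whose target is flagged "randomized", will silently never fire once the device rotates its address, which is exactly the failure the post above describes and why the setting has to be turned off per network on the device itself.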
 
And this is why my kids are all on their own VLAN that I can restrict without affecting my primary VLAN, lol.
 