I was wondering if there was a way to disable the Ethernet ports on the Arris XB6 modem? Trying to make it as “secure” as possible to ensure internet can’t be accessed when it’s not allowed to be 😉 I already disabled the WPS and I think the Ethernet ports are the last thing I have to do. Any help or useful suggestions would be great. Thanks!
@mandilou2373 I can't think of anything other than keeping the XB6 in a locked (and ventilated) enclosure. Even if there were configuration options to either disable or block access from the Ethernet ports, somebody could always gain access to the device and to the network by performing a factory reset using a paper clip.
@mandilou2373 One of these might be another option:
Advice: blocking LAN ethernet port (or other solutions)
Dear Rogers Community:
Do you know of any way either to block access to a LAN ethernet port (using the Arris modem) or, alternatively, to create some sort of high-level block to prevent any new devices from joining a network?
We are using the Ignite WiFi hub to create downtime for our kids. This works just fine for their wireless devices (each of them has an old iPod), but my son has a desktop computer that plugs in via an ethernet cable. He seems to be using internal MAC cloning to make his desktop appear like a new, unassigned device, and this gives him access to the internet in what should be downtime hours. Is there any technological solution that will enable me to program a shutdown of the LAN ports or, alternatively, to create a setting that will prevent any new device to join the network?
With the COVID issues our son's school has gone online, so we're not in a position at the moment to just take the computer away. Until the COVID stuff settles, we'll need a technological solution.
Any help would be much appreciated.
Greetings and welcome to our Community @DDAW1!
You should be able to go into your modem's settings and manually disable the Ethernet port but this may be a bit of a pain to do every day because you'll have to re-enable the port in the morning.
Alternatively, you could just take away his Ethernet cable and tell him he must use WiFi which you have control over using the Ignite WiFi Hub. Most network cards have WiFi built-in nowaday's, so be certain that he isn't just claiming he can't use WiFi if this is a computer he built himself.
That may be enough to scare him into compliance. If he's a gamer, he definitely won't want to lose his direct connection.
Another alternative would be to simply unplug the modem at night and take the power cable when everyone is supposed to be shut down.
A technological solution may not work in this case if he's this savvy to get around the blocks you put up already. You may need a physical solution, otherwise, you could end up playing a game of whack a mole with your son as you try various solutions that he finds workarounds for.
Unfortunately, I can't recommend any third party products that may work for you. Perhaps one of our intrepid Community members has a different idea for you!
Many thanks. I appreciate your response enormously. I have been trying to get help from tech. reps at Rogers in to do what you suggest at the beginning of your message: i.e., to manually disable the ethernet port from within the Gateway settings module. I've been told by some Rogers staff that this is possible, and by others that this is not possible.
When I go to the LAN settings inside Gateway, I have the option to "Associate Ethernet Port 2 to HOME SECURITY NETWORK." This is accompanied by a checkbox and the following message: "Note: Associating Ethernet Port 2 to HOME SECURITY network will remove the port from your home network."
I had hoped that this would solve the problem, but it doesn't...
Do you know of any other way to disable the LAN ports?
@DDAW1 if the change in mac address is bypassing the assignment of an Ethernet port to a security group, then that is a failing of the security implementation. It shouldn't matter what is plugged into the port in question, that device should follow the rules as assigned to the port, not to the device. It would appear that the user function might be mislabeled or that the coder misinterpreted the software design requirements.
That's an issue for Rogers to investigate and fix.
For yourself, it would appear that your son is using the admin account or has access to the admin account. If he's using the admin account day in, day out, that's a no no. The golden rule for anyone using a desktop or laptop is that the admin account is used only for administrative purposes, updates, installs, removals, troubleshooting. Everything else should be done using a user account. That is for the users protection as the admin account has much more authority to carry out intended and unintended actions.
Personal opinion, the desktop is your son's, but as the supervising adult, the admin account belongs to you.
If your son doesn't have a user account already set up, backup his browser bookmarks. Then set up a user account and change the password on the admin account to lock him out of the admin account. Start the user account, it will take a couple of minutes, and then restore the browser bookmarks from the backup file.
Return to the admin account and copy any school assignments from the ADMIN/Documents folder and any other admin folders and paste them into the user account documents and other folders. I belive then should be easily accessible in the user folders thru the user account, but just to check, log out of the admin account and log back into the user account and access a few of the files to ensure that your son can read/write to the documents in question.
That might sound a little harsh, but, if your son is young, enforcing the admin / user access rules is for his own online security. A user account should not be able to change the MAC address. I'm not in my office at the present time so I can't try this out in advance to confirm it.
It sounds like you have the grey or black XB6 that is used for the Ignite TV service. There is a parental capability in that modem that I'm aware of. Does it have NextDNS.io as a DNS selection? If so, there is a filter capability to prevent access to gaming and other sites. I don't know if there is a time dependent capability with NextDNS but it might be worth checking out. I think the accounts are free for home users.
Edit: If you go this route, which is probably the only way to really stop MAC address changes, while you're in the admin account, drill down into the Ethernet port advanced settings and disable IPV6 so that the desktop runs IPV4 only. Depending on which DNS you're using, you might see filtered IPV4 and IPV6 web address resolution, or, you might see filtered IPV4 web address resolution while the IPV6 address resolution is not filtered, allowing access to sites that you don't intend your son to access. With IPV6 running, it will take priority over IVP4 potentially bypassing any web site filtering that you're trying to enforce, depending of course on the DNS that you happen to be using.
Edit II: Also drill down to the IPV4 properties and ensure that the DNS setting is set to "Obtain DNS server address automatically", not to some DNS address which would bypass your preferred DNS.
Edit III: Check the modem for MAC or Device filtering. That filtering would have to have an "Allow Listed" selection. Basically you would have to take stock of all of the MAC addresses on the network and enter them into a managed device list. Once that is done, you enable the "Allow Listed" selection. That should block any other MAC address from joining the network. It wouldn't prevent anyone from spoofing an address, but, unless that particular address was of another network device in the list, it should be denied access to the network. On the Hitron modems including the white CODA-4582, thats included in SECURITY .... DEVICE FILTER. Not sure if the XB6 modem for the Ignite IPTV service has a similar function.
Many thanks for your extremely helpful suggestions. I'll digest them this evening, and it may be that my son has managed to run an admin account.
I do have a question based on the opening of your message. The Rogers technicians to whom I have been speaking have been unable to explain just how I can go about assigning rules to the port. Is it possible simply to block the ports with a command? (Perhaps via the firewall functions?) Thanks again for your detailed and thoughtful message.
@DDAW1 it depends on which modem you have as to whether or not you can simply block an ethernet port. Here's the Switch Control page from a Hitron CODA-4582 modem, where the ethernet ports can be enabled or disabled at will. The same setting is used in Gateway and Bridge mode. There is no timer function however.
So you can choose which ethernet ports are enabled or disabled. I don't know if the Arris or Technicolor versions of the XB6 modem, which is used for the IPTV service has the same function. If not, there wouldn't be any way to run the same type of port rule as you can't or shouldn't be able to SSH into the modem. All of the modem ports and interfaces except the official user and tech support interface should be disabled externally and at the chip level.
Here's the Device Filter page where you build a list of allowed devices, including their MAC addresses and enable the "Allow Listed" Block Rules which in theory should only allow the listed device MAC addresses onto the network.
@Datalink Unfortunately, the security controls on the XB6 are very simplistic compared to what you have on the CODA-4582.
@DDAW1 Somebody else also recently asked about how to block access to the Ethernet ports on the XB6: https://communityforums.rogers.com/t5/Ignite-TV/Disable-Arris-XB6-Ethernet-Ports/m-p/455674
presumably to ensure that the network could only be accessed through Wi-Fi.
The XB6 is pretty hard to secure while it is unattended. I found some devices on Amazon that you can use to physically block access to the LAN ports. However, as long as you have physical access to the device, you can still gain access to the network by performing a factory reset using a paper clip.
If this computer requires a wired Ethernet connection, I don't think there is much that you can do to secure the LAN ports. Unlike Wi-Fi, I don't know of way that you can apply filters to restrict access only to known MAC addresses.
I'm not an expert on the Ignite Wi-Fi hub parental controls. Can new/unknown devices be automatically assigned to the Guest profile and can you then simply indefinitely pause Internet access for that profile?
Of course, if you want to cut off access, you can also always physically unplug the Ethernet cable from the XB6.