04-26-2020 12:58 AM
04-26-2020 02:42 AM - edited 04-26-2020 03:13 AM
I suspect that there's more to it than just a VPN. I don't use the app, and possibly use a different modem (CODA-4582). In any event, I believe that the control groups that are set up probably use the device's MAC address as part of the control scheme. The only way that a device could bypass the controls in place would be to change the MAC address, so that the rules no longer apply to the device in question. So, that's one problem to contend with. The other problem is the VPN usage which provides access to material that you would probably not allow.
Have to admit, downloading a VPN is kinda sneaky. This is the same problem that corporate or enterprise admins have to face, rogue VPNs running within their network, which is a security issue for any company or government organization.
I'm not familiar with the app but I'm wondering if it allows you to build more than one allowed device list, where internet access is only given to those devices on the allowed list. All other devices should be blocked, regardless of their MAC address. That way, if there is a time allocation function, you might be able to flip between different allowed lists. The problem of blocking an unknown device is due to the design of the rules that are set within the firmware and whether they allow or block devices that don't fall into any declared category. That's probably where you are now, with a changed MAC address on the device and now the modem doesn't know what to do with that device.
The other potential problem here is the encrypted data transiting back and forth. I wonder if the firmware designers had encrypted data in mind when they designed the blocking rules? Maybe not??
I can't think of a way at the present time to block a rogue device with the app as I don't know the capabilities of the app. I'd look closely at how the block rules are stated within the app, whether they show something like Allow All, Allow Listed, Block Listed or others and see what flexibility there is to set up new groups or change the allowed rules that might apply to a smaller subset of all of the devices. That's a bit of a pain as you would have to identify all of the devices on your network and commit them to appropriate groups with their own allowed / blocked times.
Look at the security tabs in your modem for a VPN Pass-through tab. Disable any VPN Pass-through settings. Save the setting and reboot the modem. This may or may not have the desired effect, depending on the VPN protocol in use.
If you had an idea of the VPN that was in use, you might be able to block the domain name which should cut off access to the VPN company domain. You would simply add the VPNname.com into the keyword filter, which should prevent access to that specific VPN company. That won't help if the VPN fires up and simply uses an IP address to connect to a server instead of using a domain name. That might not be of any help given that there are several free VPNs available apparently, so, kill one VPN and your kids simply move on to another VPN program.
What devices are your kids using? Windows desktops/laptops, Android tablets and phones, etc, etc. Do you happen to know which devices have the VPNs loaded?
Fwiw, if it's a Windows desktop/laptop that implies that your kids have access to the admin account in order to load programs like VPNs and change the MAC address. Running a desktop or laptop admin account for daily purposes is a no-no to begin with. That account should only be used to run updates, troubleshoot problems or load / unload programs. Everything else should be done with a user account which has limited privileges. You can't load programs and you can't change the MAC address with a user account. So, if this is the case, you're the supervising adult, your kids are kids, the adults in the room own the Admin account, period. Any objections? If so, the device disappears for a few weeks or months. As the Admin account owner, you should unload the VPNs and any other objectionable program. After cleaning up the desktop/laptop, set up user accounts for the kids.
When that is done, and while still in the admin account, disable DNS over HTTPS (DoH) in Firefox as it will bypass your selected DNS using encrypted DNS queries over HTTPS connections instead of the normal unencrypted DNS query over port 53 to your selected DNS server:
To do that, follow these instructions when you're in the admin account. Start Firefox and turn DoH off:
go to Settings->Network Settings and untick the Enable DNS over HTTPS checkbox. Alternatively, go to about:config in the address bar, search for network.trr.mode and set it to 5.
That should (I'll have to try this) stop Firefox in any account from using DoH.
To do the same for Chrome, while in the admin account follow the instructions in this link:
That link also brings up the issue of the DNS IP address that is set in the device's wifi or ethernet adapter. You would have to drill down into both network adapter settings and set both IPv4 and IPv6 IP and DNS as follows:
IP address: select "Obtain an IP Address automatically"
DNS address: select "Obtain DNS server address automatically"
Hit OK at the bottom and change the other (IPv4 or IPv6) settings as well. Reboot the desktop or laptop. Changing the IP address prevents any IP address spoofing, although I don't think that's an issue. Changing the DNS server choice to automatic forces the desktop/laptop to use the DNS server of your choice as set in the modem. That locks out the possibility of the device bypassing your selected DNS.
Switch to the user account and check the DoH settings in Firefox and Chrome. They should be disabled but I don't know that for sure at the moment and it's rather late at night.
OK, going to have to give this more thought. With a capable router, you could snoop on the network and determine what IP addresses were in use, determine what company they belong to and what IP addresses to block. That wouldn't take very long. With a more capable router, you could assign the devices to virtual LANs, which might be what the app does, but, the router would probably work as designed. That's probably much further than you want to go, but, that avenue is there, if necessary.
I still think that the biggest problem at the moment is access to an admin account on the device which allows your kids to load programs such as VPNs and change the wifi and ethernet adapter MAC addresses. That would be the first item on my list to take care of. Whether or not you can do that with all of their devices is a good question, so, some research might be required to determine how to exert parental control over all of their devices.
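The device-side steps in the post above (reset the adapters' DNS to "obtain automatically", turn off DNS-over-HTTPS in Firefox and Chrome, and find out whether a VPN client or a MAC address change is present) can be done in one PowerShell script run from the parent's admin account. This is an added example, not part of the thread or of any Rogers tool. It uses the browsers' machine-wide policy registry keys rather than a per-profile about:config change, because a policy key applies to every Windows account on the PC; the VPN adapter name pattern is an assumption based on common client drivers (OpenVPN TAP, Wintun, WireGuard), so extend it for whatever client you find installed. Edge is included alongside Chrome because it honours the same Chromium policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run once from the parent's admin account on a
# Windows 10/11 PC. Assumptions: local accounts; Firefox, Chrome and Edge are the browsers
# in use; the adapter description pattern below covers the VPN clients on the machine.

# --- 1. Report VPN virtual adapters and MAC address overrides ---------------------------
# Tunnel adapters left behind by VPN clients usually carry one of these descriptions
# (assumption: adjust to match the client you actually find installed).
$vpnPattern = 'TAP-Windows|Wintun|WireGuard|OpenVPN'
Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $vpnPattern } | ForEach-Object {
    Write-Warning "VPN virtual adapter present: $($_.Name) ($($_.InterfaceDescription))"
}

# A spoofed MAC shows up as MacAddress differing from PermanentAddress (the burned-in one).
foreach ($nic in Get-NetAdapter -Physical) {
    $current = $nic.MacAddress -replace '[-:]', ''
    if ($nic.PermanentAddress -and $current -ne $nic.PermanentAddress) {
        Write-Warning "MAC override on $($nic.Name): $current (burned-in $($nic.PermanentAddress))"
        # Clear the driver's NetworkAddress override so the burned-in MAC is used again.
        Reset-NetAdapterAdvancedProperty -Name $nic.Name -RegistryKeyword 'NetworkAddress' -ErrorAction SilentlyContinue
    }
}

# --- 2. Force DNS back to "obtain automatically" on every adapter, IPv4 and IPv6 --------
foreach ($nic in Get-NetAdapter -Physical) {
    # A non-empty NameServer value under the TCP/IP interface key means DNS was set by hand.
    foreach ($stack in 'Tcpip', 'Tcpip6') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$stack\Parameters\Interfaces\$($nic.InterfaceGuid)"
        $static = (Get-ItemProperty -Path $key -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ($static) { Write-Warning "Static DNS on $($nic.Name) ($stack): $static" }
    }
    # Equivalent of ticking "Obtain DNS server address automatically" for both address families.
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses
}

# --- 3. Disable DNS-over-HTTPS machine-wide through browser policy keys -----------------
# Firefox: DNSOverHTTPS policy, Enabled=0 and Locked=1 so the setting cannot be re-enabled
# from Settings or about:config in any profile.
$ff = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
New-Item -Path $ff -Force | Out-Null
Set-ItemProperty -Path $ff -Name Enabled -Value 0 -Type DWord
Set-ItemProperty -Path $ff -Name Locked  -Value 1 -Type DWord

# Chrome and Edge: DnsOverHttpsMode = "off" (Chromium policy); the setting is then greyed out.
foreach ($path in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name DnsOverHttpsMode -Value 'off' -Type String
}

# Show the result so it can be checked before rebooting.
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 | Select-Object InterfaceAlias, AddressFamily, ServerAddresses
```

Reboot afterwards, then log in to the kids' user account and confirm that the DoH option is greyed out in both browsers and that the adapters show "Obtain DNS server address automatically". Note that the policy keys only cover browser DoH; a VPN client that is still installed will tunnel DNS along with everything else, so section 1's warnings are the cue to uninstall it from the admin account.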
04-26-2020 08:29 AM
I still think that the biggest problem at the moment is access to an admin account on the device which allows your kids to load programs such as VPNs and change the wifi and ethernet adapter MAC addresses. That would be the first item on my list to take care of.
Hi @Rf13! Welcome to our Community!
Thanks, @Datalink! You're always so thorough but I wanted to add my emphasis on this part too so that @Rf13 understands the importance of this particular step.
If it's possible, you should set up two accounts on each of your children's devices. One admin account that only you can access, which has permission to install new apps/programs and one user account that lacks said permission that your children will log in to.
That way, your children must get your permission before they can install anything on their device so that you can maintain full control over what they can access and consume on their device.
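The two-account setup recommended in this reply and in the earlier post can be scripted so that it is applied the same way on each PC. This is an added example, not from the thread; it assumes local Windows accounts (not Microsoft or Azure AD accounts) and the names parent, kid1 and kid2 are placeholders. It also sets the UAC policy so that a standard user's elevation request is refused outright rather than shown as a password prompt, which removes the temptation to guess at the admin password.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: local accounts; the account names
# below are placeholders to replace with your own.
$ParentAdmin = 'parent'
$Kids        = @('kid1', 'kid2')

# Create the parent's admin account if it does not exist yet. Passwords are typed in, never scripted.
if (-not (Get-LocalUser -Name $ParentAdmin -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $ParentAdmin -Password (Read-Host "Password for $ParentAdmin" -AsSecureString) -PasswordNeverExpires
}
Add-LocalGroupMember -Group 'Administrators' -Member $ParentAdmin -ErrorAction SilentlyContinue

# Create each child as a standard user (member of Users only).
foreach ($kid in $Kids) {
    if (-not (Get-LocalUser -Name $kid -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $kid -Password (Read-Host "Password for $kid" -AsSecureString) -PasswordNeverExpires
    }
    Add-LocalGroupMember -Group 'Users' -Member $kid -ErrorAction SilentlyContinue
}

# Demote everyone else from Administrators. Keep the built-in Administrator and, as a safety
# net, the account running this script, so the session is not cut off mid-way.
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
$keep = @($ParentAdmin, 'Administrator', $me)
if ($me -ne $ParentAdmin) { Write-Warning "Running as '$me'; remove it from Administrators after switching to '$ParentAdmin'." }

Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = $_.Name.Split('\')[-1]          # strip the COMPUTERNAME\ prefix
    if ($keep -notcontains $short) {
        Write-Warning "Removing $($_.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name
    }
}

# UAC: keep it on, and have elevation requests from standard users denied automatically
# (ConsentPromptBehaviorUser = 0) instead of prompting for an admin password. Installs are then
# done by logging in as the parent account.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser -Value 0 -Type DWord

# Verify: only the expected principals remain in the Administrators group.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Run it from an elevated PowerShell, then sign out and back in so the group membership change takes effect. If a child's device is signed in with a Microsoft account rather than a local one, the same Administrators/Users split applies, but the account name in Get-LocalGroupMember will carry the MicrosoftAccount\ prefix instead of the computer name.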
04-26-2020 08:37 AM - edited 04-26-2020 09:30 AM
@Rf13 still thinking about this. It's possible that your kids may have found a legitimate way around the firewall controls. When the VPN is set up, the modem firmware might hand control of the VPN data processing over to a hardware processor which in turn might place it out of reach of the normal CPU software processing, including your group or parental controls. If that's the case, then it's possible that the device itself might not be able to establish any new outbound connections via normal means outside of the VPN, but, at the same time, with the VPN up and running, it might be possible to explore the world, thru the VPN, without hindrance of the modem's parental controls. So with the group or parental controls time limits in place and running at their appointed time, any new "normal" outbound connections to a web site or gaming site should be blocked, but, thru the VPN which is already up and running, it might be possible to do anything.
Just as an example, some routers allow the admin to select two data paths, one thru the VPN and one outside of the VPN. Maybe it's possible to do the same with a VPN client which your kids would have loaded. Don't know, but, just pointing this out. With the VPN running and in use, it wouldn't matter to the kids, they would probably run everything thru the VPN.
If this is the case, the fastest thing to do is to take over the admin account of the devices in question and banish any VPN software as I indicated above.
Can you have a look at the bottom of the modem to see which version of the modem you have. It will either be an Arris TG-3482ER or the Technicolor CGM-4141COM. Can you let us know which version you have.
04-26-2020 09:48 AM
Not an officially supported solution, but I would purchase a cheap Wi-Fi repeater that supports bridge mode (not the same as the modem bridge mode). It basically repeats the main Wi-Fi with a separate name and password.
Then, link the kids devices only to the repeater (change the main Wi-Fi password & hide it from them). When you want to turn off the Wi-Fi, you only need to block the repeater - all the linked devices will turn off.
No amount of VPN or MAC address changes will make their internet work. And it's a lot easier than doing changes to their devices/computers all at once. Be aware, though, if it's a game system - look for an 802.11ac repeater.
Using a slower repeater will lead to latency they'll also hate and complain about. You can even connect the repeater to the main modem with an ethernet cable for the best performance. It's then called an access point.
The repeater should support both modes, but the latter will be at full speed.
04-26-2020 11:32 AM
04-26-2020 11:35 AM
04-26-2020 01:29 PM - edited 04-26-2020 01:29 PM
I've tested a system like this, and it will work (with Eero as well). It only wirelessly repeats the signal that Eero puts out and gives the new Wi-Fi network a new name (usually _EXT added to the end of your Wi-Fi) and password. It will be a secondary network, just for your kids to connect to.
The kids would then not need to know your Eero password.
It will work to block any VPN, as long as they don't have mobile (Rogers Wireless) internet on their phones. If so, you'd need to use the MyRogers app to turn Data Access OFF on their phones when you need to. Changing the main Wi-Fi password will also change the router password, a good thing as they're likely logging into your router.
04-27-2020 11:15 AM
VPN stops Rogers spying on you and they hate that. Due to a glitch last year Rogers resent every email I have received since I was with them, 11 years. My preferences were set to delete after a week or month depending, but they kept them 11 years anyway. It was no joke filtering 40000 emails to keep the 400 I wanted kept! You cannot use a VPN with Amazon Prime Video either! More important, what are your kids doing needing a VPN??
04-27-2020 12:22 PM
It's likely not a VPN that allows them to access video streaming when internet is paused. I've experienced that with my daughter, who was using YT Kids when paused. It turns out that when they've connected to a Guest network option the system remembers and lets them on again.
I would change the router password immediately, disable the guest network option (likely secretly re-enabled I imagine) and reboot the cable modem. Likely, if the modem password is the same as the Wi-Fi password, they've been in there making changes.
I would simply change the password, not tell them the new password, and enter it into their devices yourself. They'll never know it, and you'll have control again.