[SOLVED] Wireless Security Woes

Dec 4, 2019
I have three teenage boys. 17, 16 & 14 respectively. It's my 16 yr old teenager who is very motivated to get around the security protocols that I've set up on my wireless router. My router is a Linksys EA7300.
First Attempt:
My wife and I started with the parental controls. This would control the time they could access the wifi and certain websites were blocked. He got around that. I'm not sure how, but he circumvented the parental controls.
Second Attempt:
I enabled the MAC filtering and blocked his device from accessing the wifi. I would enable his device MAC address whenever he needed to do homework. He downloaded a random MAC address generator and got around this option.
Third Attempt:
Still using the MAC filtering, I changed the option to only certain MAC addresses to be allowed rather than trying to block an infinity of computer generated MAC addresses. He then got the MAC address off of my wife's phone and hijacked it somehow thus allowing him access even though his MAC address is blocked.
Fourth Attempt:
Change the router password and revoke his privileges altogether. He hopped onto his brother's laptop and somehow through the CMD commands obtained the password.

As a Dad, it's now sort of become a challenge. He's very resourceful and I can't help but reluctantly admire him a little. BTW this kid uses a Linux operating system on his laptop rather than Windows because he thinks Windows is "stupid." He reads cryptology books from the library for fun. He's brilliant, but uses his powers for evil instead of for good. :)
Joking aside, unfettered access by a teenager to the internet is something we as a family just can't justify. Are there any other methods or protocols of protection that are available?
 
Solution
Make sure WPS is disabled; that is a major source of security exposure.

Shared passwords are the problem; it depends on the users to protect them. The MAC filter stuff is pretty much worthless, as you found out, but router manufacturers do not want to admit that they can't really do security.

The password part is sorta simple but not really. Maybe get your son to help you secure it :)

What is done is you set the router to use enterprise mode and run a RADIUS server. This gives everyone their own ID/password. It takes almost nothing to run a RADIUS server for home use; some claimed they have it on a Raspberry Pi.

Still, that does not solve the problem of someone giving someone else their userid and password. The solution for that is to use certificates. You install a certificate on the machine which is unique. It is basically a MAC address that cannot be changed. But the router has no clue about this; it just blindly passes this data to the RADIUS server, which then says yes or no to allowing access. It cannot use it to filter traffic. This is where you use a firewall to do this function, and you would run the RADIUS server on it.

The best solution is to get another simple router. Change the wifi on the main router so only you have it. On the second router you put the kids' wifi. Now they can only connect to the second router, and all the traffic on the second router gets translated to the WAN port's IP and MAC address. This means no matter what MAC he connects to the router with, all the traffic coming to your main router with the filters is seen as the same MAC/IP.

In general, parental filtering or any content filter is pretty much worthless. All traffic is encrypted, so all the so-called "deep packet inspection" is impossible. Since this was done to prevent the government from snooping, it pretty much shuts everyone out. The only hole is related to monitoring DNS, but Chrome is going to go to encrypted DNS. Still, DNS monitoring is very easily bypassed even without encryption.

Still, if your goal is to disable all access at certain times of day, that you can still do with parental controls.
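
Added example, not part of the thread or any poster's code: a small audit of DHCP lease logs showing what a defender can still observe once a MAC filter has been bypassed in the ways described above. The dnsmasq-style log lines, hostnames and allowlist are constructed assumptions; the router's own log format may differ.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq DHCPACK style (assumed format, not data from the thread).
SAMPLE_LOG = """\
Dec  4 18:01:10 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 3c:22:fb:10:20:30 moms-phone
Dec  4 18:05:42 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.31 d6:8a:11:5e:90:01 laptop
Dec  4 19:30:03 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 3c:22:fb:10:20:30 debian-laptop
Dec  4 19:45:17 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.22 f0:18:98:aa:bb:cc dads-pc
"""
# Hypothetical allowlist, as it would be entered in the router's MAC filter.
ALLOWLIST = {"3c:22:fb:10:20:30", "f0:18:98:aa:bb:cc"}

LEASE_RE = re.compile(
    r"DHCPACK\(\S+\)\s+\S+\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(\S+))?",
    re.I)

def parse_leases(log):
    """Yield (mac, hostname) for every DHCPACK line; hostname may be empty."""
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield m.group(1).lower(), (m.group(2) or "")

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (address assigned in software)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(log, allowlist):
    """Return {mac: set(flags)} for addresses that deserve a second look."""
    hostnames = defaultdict(set)
    for mac, host in parse_leases(log):
        hostnames[mac].update({host} - {""})
    flags = defaultdict(set)
    for mac, names in hostnames.items():
        if mac not in allowlist:
            flags[mac].add("not-allowlisted")
            # Phones using private (randomized) addresses set this bit too: a hint, not proof.
            if is_locally_administered(mac):
                flags[mac].add("locally-administered")
        elif len(names) > 1:
            # The filter checks only the address, so a cloned MAC passes it. A changed
            # hostname is a weak, client-controlled sign that a second device used it.
            flags[mac].add("hostname-mismatch")
    return dict(flags)

if __name__ == "__main__":
    for mac, why in sorted(audit(SAMPLE_LOG, ALLOWLIST).items()):
        print(mac, sorted(why))
```

Both signals come from values the client chooses, which is why the answer above moves the decision to per-user credentials or certificates instead of the MAC address.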
 
Solution
I learned from a very wise person that the more you tighten your grip, the more star systems will slip through your fingers. The first step is to tell him WHY you want the access restricted. I don't do anything like that for my kids, never have. My youngest daughter is 14 now, if she wants to know what a penis looks like or what sex is, first, they already learned that in school, second, if she really wants to see something naughty, she can look it up on her phone when out of the house, at a friend's house, Netflix R rated movies, really 2,000 places that are not at your house or that you block. There is no stopping information now, you just don't make a big deal out of it. Don't be like China LOL

Unless you think he is buying black market eyeballs from China or is selling guns or 500 lbs of cocaine online, it's not a big deal, it has already happened, or will happen, or his friends will show him or tell him. Your option is to cut all cords, wireless, phones, TVs to the house and lock him in his room till you think he can know stuff. It's silly to restrict things in your house when there are many, many more places to access anything that you don't have control of. You hide your vodka, he will find a friend that can get some. You tell them not to smoke, they will find a way to buy cigs anyway. You tell him no playing violent games, he will play "Rip Head Off Hookers Online" at his friend's house. Your only option is to deal with that fact and make sure that the kids know what the decisions they make will mean to them, then let them fly.

I hate 75% of the crap my daughter watches on YouTube, but blocking it when she wants to see it would be totally useless. Phones have data plans that don't rely on the house WiFi, McDonald's and malls have WiFi, friends' houses have WiFi, etc... What's the point of getting into arguments at home over it? I just let her know why I think the stuff she watches is idiotic and let her know what ways of behaving are OK in public or in her school or work, or future life. Then I let it go.
 
Still, if your goal is to disable all access at certain times of day, that you can still do with parental controls.
Yeah, I think it's probably worth giving this solution another shot if this behaviour meets their needs.

@bleeargh did you change the router's management login? Not the wifi password, the password (and username, if you want) that you enter when you go to the router's webpage to configure settings.