Hi Windward, Home user here (SURF MK3, latest firmware).
-
Management Frame Protection doesn’t work yet.
-
To make a kids network you would want to go to Advanced, Firewall, Content Blocking and start testing from there. This affects all clients / networks so you would have to add “exempted subnets” for clients that get full access. Basically make some VLANs for different clients and then exempt the ones that get full access.
You can assign VLANs to wireless networks on their configuration page (AP, Wireless SSID) as well as the ethernet ports for wired computers, Network, Port Settings, VLAN.
The IP addresses you assign to the VLANs are the ones that you would exempt for clients that get full access if I am to understand this correctly. It seems like it would be easier if they just let you assign a VLAN to be subject to content blocking from a drop down list of available VLANs or if you could just click on clients from the client list and add them to the content blocking - but you can’t. You can however click on clients from the client list add them to the DHCP reservation and copy that IP address and paste it to the exempted subnets under content blocking. That might work. If anyone tests this please let us know.
I have tested content blocking but I have not tested exempted subnet’s - I am a home user just trying to help out so YMMV. You can also check YOUTUBE to see if anyone has made a tutorial. Or if anyone can correct me please do.
- Keeping WIFI hackers out is best accomplished through the use of large complex passwords. I generally use 30-40 digit alpha/numeric/symbolic passwords = 95^40 = 1.28 x 10^79 = very high security. My secret is I basically just randomly mash the keyboard (I’m really good at this) to create a new random password for the SURF (AP, Wireless Settings) and save.
After the SURF finishes saving, open that SSID, deselect “hide password” and then type your newly minted password into the wireless device. My method eliminates having to write down or memorize passwords. It’s also faster as I can just bash out 30-40 digit passwords effortlessly. Change your passwords often (once a month or whatever). Again my method is so easy I can do it weekly or even daily. You cannot use " or ’ in your password. No one in my home enters their own WiFi passwords - I do it for them. That way I don’t have to compromise security for easy to remember passwords for family members nor are they written down anywhere /easy to find.
Before committing to a 40 digit / difficult to enter password - try a smaller easier one just to verify the client can see and connect to the WiFi network first - punching in 40 digit passwords and failing to connect gets old fast and wastes a lot of time.
In theory you could even text message or email the password to the user and they could cut and paste it into their device - although you are sharing the password across text SMS / email if that doesn’t matter to you.
- If you find client devices are getting locked out a lot for no apparent reason then you are probably getting deauth’ed (google it). You can use KISMET security software to verify if that is happening. Deauth is just a denial of service - they are not breaking into the wireless. Deauth’ing is used however to try and get the 4 way handshake to attempt to crack the password - but at 1.28 x 10^79 possibilities good luck. It should only take a few quadrillion quadrillion quadrillion millenia (half a google approximately) to crack at the time of this writing.
Also you could switch to using 5Ghz AC networks and use a low transmit power setting. 5Ghz doesn’t travel as far as 2.4Ghz through obstructions etc. - so to sniff your traffic the attackers would have to almost be right on your property making them easy to spot. Also most deauth tools (up until fairly recently) are 2.4Ghz a/b/g/n only.
I had this exact problem so I also took the additional step of making multiple hidden networks and multiple VLANS to isolate clients from the attacks. If one VLAN / client network gets attacked it doesn’t affect the others because each device gets their own network. Because they are all hidden its more difficult to figure out which one to deauth etc… Not impossible, just more difficult and more risky. Again the SURF is hilarious because you can make up to 15 x 5 Ghz networks. I have never had such a great router before.
Isolating networks also simplifies reconnecting the affected client since only the affected device needs a new password. The script kiddies/ bad neighbor can still deauth 5Ghz (until they get caught and criminally charged) but its a lot harder / requires better equipment / more close proximity recon = higher risk etc… Its a lot of work (?) and risk to take for something that could land them in jail and it literally only takes me 500 milliseconds to bash out a new 30-40 digit random password and copy and paste a text. This is why I love the SURF. Its made this process quick and easy and put me back in control.
When Management Frame Protection is available it will help reduce or eliminate deauthing - until the next wave of “security tools” comes out. I wish Management Frame Protection came out 5-10 years ago to be honest but at that time many consumer client devices didn’t support it.
Please bear in mind I am not an IT guy so if anyone here can point us in the right direction it would be much appreciated.
Have a great day!