Safe Access With Safe Access, can you set it up to block new devices from being added, until you decide to allow it?


With Safe Access, can you set it up to block new devices (MAC addresses) from being added to the network, until you decide to allow it?
Can my kids get around this by using a VPN?
 
With Safe Access, can you set it up to block new devices (MAC addresses) from being added to the network, until you decide to allow it?
No. SA will work with devices that were already detected and behave depending on the actual profile.

You could use Network Center to again pick up any device that the router can "see" and use a single "banned" button to block all traffic until you are ready to configure it and allow the traffic.

Can my kids get around this by using a VPN?
Example?

Do you mean connect their device directly to a VPN provider while using the router to get to the internet? In that case, no. SA and Network Center work based on MAC address, so the traffic layer will have no weight here. If the SA profile is configured to not allow Internet access at a specific time or towards a destination, SA will again monitor the MAC address.
 
In Safe Access devices use the default profile for their VLAN unless their MAC address is assigned to another profile. So you could make the default profiles to be very restrictive. You would then assign devices to a different profile once you are happy with it.

You could block outbound VPN from the LANs. You should also consider enabling the setting to block access to DNS-over-HTTPS services. Then also use the firewall to block DNS requests from most LAN devices: they can use the router as their DNS server IP.
 
Do they have mobile phones? Can they switch its WiFi off?

Yes they have phones, but I can deal with that separately.
-- post merged: --

In Safe Access devices use the default profile for their VLAN unless their MAC address is assigned to another profile. So you could make the default profiles to be very restrictive. You would then assign devices to a different profile once you are happy with it.

You could block outbound VPN from the LANs. You should also consider enabling the setting to block access to DNS-over-HTTPS services. Then also use the firewall to block DNS requests from most LAN devices: they can use the router as their DNS server IP.

So when a new MAC is seen it automatically gets assigned to the default profile? If so, making the default profile really super restrictive would work.
 
Hi,

Wanted to draw your attention to the MAC randomization that is used by most devices now. If you’re going to work on MAC addresses, your best bet is to disable randomization, allow the stated MAC address and block everything else, or what @fredbert said as I don’t know how it’s done on Synology routers.

Note that MAC randomization on iOS devices (and macOS I think) is per Wi-Fi network. So if you disable it for your home network it doesn’t mean that it is disabled for every other Wi-Fi network, which is good.

I still don’t know how to turn it off on macOS (if it’s at all possible).
 
A good point on the MAC address hiding features. It's a pain when running an internal DNS server too.

In my experience of this on iOS, and recently Mac, the feature can be enabled as default so new connections have it but then you can disable MAC hiding on a per connection basis. So my iPhone has it disabled on the home WiFi SSID, as does my Mac and on the wired Ethernet. When this was first added to iOS I'm sure that disabling and reenabling MAC hiding on my home WiFi kept the same hidden MAC address. So this can be added to the Safe Access profiles.

And when Internet isn't working it's amazing how soon you get told!

I still don’t know how to turn it off on macOS (if it’s at all possible).
Here... (macOS Ventura)

1676107002817.png
 
I would be more likely to switch over to a Synology router if they made this easier. Should be "one click" and done.

On my Gryphon at home, I just set it to disallow a new MAC address until I approve it. It gets blocked and I can see the attempt to connect and approve it if I want. This is the "whitelist" concept.

At work, for security reasons our Wifi won't allow a device on until it's whitelisted. I'm not sure what WiFi router they are running, but I'll find out.
 
There is a setting to enable a MAC address list that will be either an allow or deny list. Don’t think it’s in Safe Access. I assumed you already had a SRM router and were figuring out your Safe Access settings.
I should have explained. I'm thinking of replacing my Gryphon with a Synology router. One of the options is to block new devices until/unless I approve it. When I see a device listed in the "Blocked Devices" list, I can simply assign it to a user to allow it and manage it. If one of my kid's computers tries to use a random MAC address, it gets blocked.
 

MAC filters can be set up in WiFi Control. The Web access control is in Safe Access.
 
I have a running ticket with Synology support and I have been troubleshooting this issue where a device, i.e. phone, iPad, iPod, can join the Wi-Fi and you get a notification "I know this device or Block" but if you choose to Block it only blocks that MAC address. Someone could easily rejoin using PA enabled and get a new MAC address and get online. I have been going in circles with Support on this topic.

The other issue that correlates is device name recognition. SRM is poor with recognizing the name of a device. In other words, if I have a phone called "Test" and join it to my Wi-Fi, I will get a notification that Apple, Inc wants to join the Wi-Fi. If I have a Chromebook, SRM will call it Intel Corporation instead of the actual name.

It would be helpful to know the name of the device instead of a random name then I can manage the devices a lot better.
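
An added example, not part of any post above and not Synology or Gryphon code: a default-deny MAC allowlist check that also flags randomized (locally administered) addresses, which is why blocking a single MAC does not stick and why vendor lookups fail for them. The function names and all MAC values are constructed for illustration.

```python
# Constructed allowlist: MACs the admin has already approved (sample values).
APPROVED = {"3c:22:fb:10:20:30", "a4:83:e7:aa:bb:cc"}


def normalize(mac: str) -> str:
    """Return a MAC as lower-case colon-separated hex, whatever the input style."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set.

    Private/randomized Wi-Fi addresses set this bit; addresses assigned
    by the hardware vendor do not, so the OUI of a flagged address says
    nothing about who made the device.
    """
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def triage(mac: str, approved=APPROVED) -> str:
    """Default-deny decision for a MAC seen on the network.

    Approved addresses pass first, so a stable per-network private
    address that the admin has approved keeps working.
    """
    mac = normalize(mac)
    if mac in approved:
        return "allow"
    if is_locally_administered(mac):
        # Blocking only this value is pointless: the device can rejoin
        # with a fresh address. Keep everything unknown blocked instead.
        return "block-randomized"
    return "block-pending-approval"


def triage_all(observed, approved=APPROVED) -> dict:
    """Map each observed MAC (normalized) to its decision."""
    return {normalize(m): triage(m, approved) for m in observed}


if __name__ == "__main__":
    # Constructed list of devices seen by the router.
    seen = ["3C-22-FB-10-20-30", "da:a1:19:01:02:03", "00:11:32:44:55:66"]
    for mac, decision in triage_all(seen).items():
        print(mac, decision)
```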
 
