Parental Control/Access Control Info

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2017-05-20 04:10:45
Model : Archer C3200

Hardware Version : Archer C3200 v1

Firmware Version : 0.9.1 0.1 v004b.0 Build 160704

ISP : Verizon Fios

For anyone that is having trouble with their Parental Controls or Access Control you will want to pay attention to this information. I have spoken with TP-Link Technical Support twice now - once for each of the features mentioned. I'll provide specific info on each and then detail my experience below to provide more information on the issues that I personally ran into.

Parental Controls:
This feature works by denying DNS responses to the listed devices within each device's allocated time frame. In order for this to work those devices must be receiving their DHCP and DNS from the TP-Link router directly (not merely passing traffic through the TP-Link router). If you have a different device on your network providing these services (another router, a domain controller, etc.) then Parental Controls will be completely useless to you. Yes, this should be mentioned in the documentation but it isn't.

Access Control:
This feature will deny all incoming/outgoing traffic to any device listed under Access Control with one caveat - it must also be directly connected to the TP-Link router. If the device is connected to another router/switch/hub and is simply passing traffic through the TP-Link router you will have mixed results (I know this from experience, and it is why I contacted Technical Support). In other words - if you're using the TP-Link router as your Internet gateway and a device added to Access Control is connected to another router/switch/hub on your network the TP-Link will (probably) not block the device from accessing the Internet.

My experience with the Archer C3200:
Preface: I work in IT and have for the past 20 years. I'm very familiar with networking technologies (DHCP, DNS, TCP/IP, etc.). I also use my home network as a lab and, as such, have 2 domain controllers handling my networking needs. This information is important as you will find out.

I purchased 3 cameras for home security and planned to run them through security software on my NAS for surveillance and recording. I initially set up 1 of those cameras to test for functionality. During the process of setting up the first camera I updated the firmware assuming, as most would, that newer firmware would increase stability and features. Unfortunately, I was only right when it came to stability - some key features were actually removed in the most recent firmware which made the camera nearly unusable for my purposes. Before setting up the other 2 cameras I wanted to make sure they could not access the Internet to auto-update, but still had access to my internal network. Easy enough, right? Wrong - at least using the TP-Link Archer C3200 with stock firmware. Here's why...

Parental Controls: First I attempted to use Parental Controls to simply block the update servers. No luck, nothing. Then I figured I would just block Internet access outright to the devices. Again, nothing worked. I worked on this for at least 2 days trying to figure out where I could possibly be going wrong. Failing to find any issue with my setup (and I tried many different configurations within Parental Controls) I decided to contact TP-Link Technical Support. After over 30 minutes on the phone with James it was determined that using Parental Controls simply blocks DNS responses from the router to the device. Obviously, that isn't going to help me since my devices receive their DNS from my domain controllers. I, frustrated, thanked James for his time and became determined to find another way to accomplish my goal through the router (which SHOULD be the easiest way to do it since it is the single device passing traffic between the local network and the Internet).

Access Control: At this point I decided to try using Access Control - the only other feature in the router that should, in theory, be able to block a device's communication through the router to the Internet. A quick note that is key - the camera is connected to a different wireless access point in my home for better reception outside and because if I connect it to the Archer C3200 the Access Control would block it from both the Internet and my internal network (zero communication in/out). I set it up (Access Control enabled, set to Blacklist, added the device's MAC address and set it to enabled) and went to testing. At first my device was still able to access the Internet. Well, crap. Then, like something clicked inside the router, all of a sudden Internet access to the camera ceased (easy to tell because the light on the camera is green when it has Internet access but blue when it's connected to the network without Internet)! Fantastic! Or so I thought. Everything was fine for several days - I was able to see the live feed through my NAS software but unable to connect to the camera through the company's website - until today. Our power went out early this morning and was out for about 3 hours. Once the power came back on I checked the networking equipment and everything seemed okay. Then I noticed the green light on my camera. What?! Sure enough, the camera feed was once again available through the company's website. I decided that, rather than wasting time trying to track down the issue (that I probably wouldn't be able to find anyway), I should call TP-Link Technical Support again. Once again I got James (this guy must never have time off). After explaining the situation James asked to place me on hold while he does some checking and I happily agreed hoping he would come back with a resolution. A resolution, however, is not what he came back with. What I was told next still blows my mind and makes no sense.
I was told that because the device isn't connected directly to the Archer C3200 that the Access Control feature is unable to block it because the Archer sees the communication as being from the other WAP and not from the device itself. WTF?! I see 2 issues here. First, it was working before! Second, the communication is still tied to the device's MAC address - network packets (frames) contain the MAC address as the first portion until the packet moves across the router from the internal network (LAN) to the external network (WAN) - which means each packet sent to the Internet from a device on my LAN should have the associated MAC address until the Archer C3200 removes it during the transition from LAN to WAN. When I asked James why it had worked previously he couldn't give me an answer and simply said that it shouldn't have worked in the first place.

Honestly, I don't know what the hell is going on at this point. If it worked before and nothing changed then it should be working now but, as I sit here writing this, the light is still green and the feed is still accessible from the company's website.

I was a huge supporter of TP-Link before this and have been using their devices for over 10 years, but at this point I can honestly say I won't be recommending them for anything but the most basic of home setups (if that). If you need parental controls or access control I highly recommend looking elsewhere for the time being. TP-Link just doesn't have these features figured out well enough yet.

Note: Just before clicking the "Submit New Thread" button on this post I checked the camera for the heck of it - it's now blue. As expected, it's also no longer accessible through the company's website. I checked it less than 5 minutes ago and it was green at that point. As a reference, our power came back on approximately 7 hours ago. The only thing that changed is I unplugged the camera power for 10 seconds and plugged it back in about 10 minutes ago. It isn't supposed to work but I guess it *might* if you power-cycle the device once the Access Control is enabled and all the network devices on your LAN are on and initialized. If I have a chance to do more testing I will update with my findings.
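A check for the Parental Controls dependency described in the post above, as an added example that is not part of the original post and is not TP-Link code: it reads a Linux client's default route and resolver list and reports whether that client's DNS lookups go to the gateway router at all. The sample addresses, the status labels and the assumption that the router's LAN address is the client's default gateway are illustrative.

```python
import ipaddress
import struct

# Constructed sample inputs (not from the post): /proc/net/route and resolv.conf text.
ROUTE = ("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\n"
         "eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\n"
         "eth0\t00000000\t0100A8C0\t0003\t0\t0\t100\t00000000\n")
RESOLV_ROUTER = "nameserver 192.168.0.1\n"
RESOLV_DC = "search lab.example\nnameserver 192.168.0.10\nnameserver 192.168.0.11\n"
RESOLV_MIXED = "nameserver 192.168.0.1\nnameserver 192.168.0.10\n"
RTF_GATEWAY = 0x2  # route flag: next hop is a gateway


def default_gateway(route_text):
    """Return the default gateway from /proc/net/route text, or None."""
    for line in route_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, flags, mask = f[1], f[2], int(f[3], 16), f[7]
        if dest == mask == "00000000" and flags & RTF_GATEWAY:
            # On little-endian hosts the kernel prints the address byte-swapped.
            return ipaddress.IPv4Address(struct.pack("<I", int(gw, 16)))
    return None


def nameservers(resolv_text):
    """Return resolver addresses from resolv.conf text, skipping comment lines."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(ipaddress.ip_address(parts[1]))
    return found


def dns_filter_status(route_text, resolv_text):
    """Classify whether router-side DNS filtering sees this host's lookups."""
    gw, servers = default_gateway(route_text), nameservers(resolv_text)
    if gw is None or not servers or any(s.is_loopback for s in servers):
        return "unknown", []  # no data, or a local stub hides the real upstream
    bypass = [str(s) for s in servers if s != gw]
    if not bypass:
        return "enforced", []
    return ("bypassed" if len(bypass) == len(servers) else "partial"), bypass


if __name__ == "__main__":
    for text in (RESOLV_ROUTER, RESOLV_DC, RESOLV_MIXED):
        print(dns_filter_status(ROUTE, text))
```

On a real client, pass the contents of `/proc/net/route` and `/etc/resolv.conf`; a result other than "enforced" means a DNS-based control on the gateway cannot be relied on for that device.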