A miles is 640 acres, and cantennas have a range of at least 1 mile+...
Agreed reset SSID and passphrase, then create a guest SSID (almost all modern consumer routers have this "guest" feature) for your son, and give him his passphrase to only his SSID, only to change it on a regular basis.
This also helps when my son does not do his chores, I can disable "HIS" SSID, and mine runs fine. My daughter has her own to so I can disable if abused, or caught late at night watching Youtube makeup videos, or whatever, independent of mine and his...
Additionally, if being disassociated, try changing this to a valid MAC (anything that starts with 00, and is A-F and 0-9 seems to work for me, as long as chars aren't repeated, it seems), until you get a different IP via "ipconfig /release", then "ipconfig /renew":

(000000000001 didn't work.)
This MAC change does not guarantee it won't be changed on an attacker's side to include the change, but he can't know what specific MAC your son is using at that moment, just that it is an active on your ESSID:

Not my captures, but a screen-scrape I found real quick, and as you can see MAC filter's are of no use, in any way, shape, or form, they are all listed under BSSID, and the associated ESSID to the right. This can be done in a VM, or a natively running a FREE Linux distro, freely.
All one has to do is plug the BSSID as their own MAC in the 1st screen(scrape), and one bypassed MAC filtering, that easy, and natively supported in modern OS's (well drivers actually?), even the current 1903 build of Windows 10, OOTB!
If you think "friend" is getting on your network, what I have done in the past, and currently for most of my used devices is to give them reserved IPs, so they always get a low number in the 4th octet (say 192.168.1.[2-200]), and DHCP gives out the higher IPs (say: 192.168.1.[201-254]), if you want to go this route... I am not sure it is much of a "security thing", but you will know what is pulling DHCP, separate from "your" regular-stuff as just another "layer" for manual filtering/weeding, and it might be more noticeable if something is pulling DHCP against your will... (but won't help if they spoof a MAC). Personally, I don't use 192.168.x.1 as my router's address, in case someone gets on, they can't get out to the Internet if they don't use DHCP, by default, so they have to pull DHCP to get out, if they crack into my WiFi, if not MAC spoofing. My TVs I run wired Ethernet (where possible, but the danged new Roku's don't have a wired port anymore, the bastages).
Agreed reset SSID and passphrase, then create a guest SSID (almost all modern consumer routers have this "guest" feature) for your son, and give him his passphrase to only his SSID, only to change it on a regular basis.
This also helps when my son does not do his chores, I can disable "HIS" SSID, and mine runs fine. My daughter has her own to so I can disable if abused, or caught late at night watching Youtube makeup videos, or whatever, independent of mine and his...
Additionally, if being disassociated, try changing this to a valid MAC (anything that starts with 00, and is A-F and 0-9 seems to work for me, as long as chars aren't repeated, it seems), until you get a different IP via "ipconfig /release", then "ipconfig /renew":

(000000000001 didn't work.)
This MAC change does not guarantee it won't be changed on an attacker's side to include the change, but he can't know what specific MAC your son is using at that moment, just that it is an active on your ESSID:

Not my captures, but a screen-scrape I found real quick, and as you can see MAC filter's are of no use, in any way, shape, or form, they are all listed under BSSID, and the associated ESSID to the right. This can be done in a VM, or a natively running a FREE Linux distro, freely.
All one has to do is plug the BSSID as their own MAC in the 1st screen(scrape), and one bypassed MAC filtering, that easy, and natively supported in modern OS's (well drivers actually?), even the current 1903 build of Windows 10, OOTB!
If you think "friend" is getting on your network, what I have done in the past, and currently for most of my used devices is to give them reserved IPs, so they always get a low number in the 4th octet (say 192.168.1.[2-200]), and DHCP gives out the higher IPs (say: 192.168.1.[201-254]), if you want to go this route... I am not sure it is much of a "security thing", but you will know what is pulling DHCP, separate from "your" regular-stuff as just another "layer" for manual filtering/weeding, and it might be more noticeable if something is pulling DHCP against your will... (but won't help if they spoof a MAC). Personally, I don't use 192.168.x.1 as my router's address, in case someone gets on, they can't get out to the Internet if they don't use DHCP, by default, so they have to pull DHCP to get out, if they crack into my WiFi, if not MAC spoofing. My TVs I run wired Ethernet (where possible, but the danged new Roku's don't have a wired port anymore, the bastages).




Comment