Experiences with Network Firewalls at Home

Stories about various firewalls my dad has enabled on the network (like currently), and how I have gotten past them | Aug 2 2025

(this was originally written on april 6th but I have now just uploaded it :p)

sorry it's been a while since the last post... I had to focus on school and I ran into a little issue with the network at home that led you to click on this blog post :p

soo one thing to know about my dad is that he works on network technology for a living. he basically consumes information pertaining to how devices communicate with networks all day long, and that, in addition to prior experience of course, led to him being tech savvy. most people I tend to meet have parents that are not very tech savvy, and either tend to have completely unrestricted networks or just take away the devices of their children if it's their bedtime for instance. but my dad? he never did this. he kept trying to restrict my internet usage, and even admitted to monitoring my internet traffic, for my safety.

now I'm not entirely opposed to the idea of keeping me safe. but in this manner? despite the fact that I'm still technically a minor, to me it felt like surveillance while behind bars.

My First Experiences: 2020/2021

yes... the pandemic. since I was restricted to the confines of my own house, I guess my parents thought it was a good idea to try and limit my screen time. you know, as any reasonable parents would do. they did experiment with the "taking my phone away" idea once, but I don't remember how well it went, besides me trying to tear the house apart trying to find it. that was until my dad enabled a little program on the router known as disney circle.

it's possible you might have heard of this. disney circle is an internet parental controls device that allows you to add profiles, customize filters, add downtime (which is mainly bedtime and such), and even give rewards for good behavior. circle is typically shipped as a separate device that you plug into your router, but my router came with its program built-in, so all my dad had to do was enable it remotely and it would work like that.

I did not like these internet parental controls, as you could imagine. I thought they were restrictive and lame, and I had the urge to find methods to get around it. due to the nature of the firewall and the network setup, I was able to find some workarounds.

the most obvious workaround you might think of is a vpn. but I believe circle blocks a lot of popular vpns from running, in addition to blocking popular vpn operational ports and such. however... I found out that cloudflare warp, a vpn service built on top of their popular dns service 1.1.1.1, was not blocked at all. so mark that as my first bypass method. however, as you could expect, I tripped up and my dad caught me using that vpn. I don't remember exactly what happened, but I believe cloudflare warp did not work anymore. this might have started the mistrust between my dad and cloudflare that actually remains to this day. more on that later.

another workaround I came up with was a bit more clever. I read around for anyone who has been able to get around their circle internet parental controls and I found a few articles and a github repository of a little script that gets around it for you. the script utilizes a feature I was not aware existed: a circle api. the script fetches the circle's mac address, then it uses a bit of arp table magic to get around it and point directly to the router. the problem is that since the circle device and router are the same thing, there is no "second device" for circle to use its arp-warping magic with (yes, circle uses arp spoofing to pretend to be your router, when it really isn't). despite that failure, I came up with a more clever idea.

one thing I noticed is that the printer I had at my house seemed to work at all times of the day, indicating it was not subject to a circle profile. if circle decides it wants to use one kind of spoofing to get control of me, I decided to use another kind to get around it! the idea was simple: set my mac address to that of the printer, disconnect the printer, and now the circle device thinks that I'm a printer. genius, isn't it?

I don't remember how my dad found out what I did, but eventually he did. I felt really proud of myself, because I was able to fundamentally exploit the network by tricking it into thinking that I'm a privileged device when in reality I am not. it kinda reveals an underlying problem with the ethernet layer: the implicit trust between devices that they are who they say they are from their mac addresses. I don't think this can really be fixed efficiently tho, but let me know your thoughts! anyways, my dad moved the printer into my profile after that, so no more printer exploit. I think I experimented with using the apple tv to get around it, but I don't remember if that worked well or not.
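On the point above about the ethernet layer trusting whatever mac address a device claims: one check a network owner can run is comparing the dhcp fingerprint a given mac presents over time. This is an added example, not part of the original post; all function names and sample bytes are constructed, and it does not describe how circle or any specific product works.

```python
# Added example: constructed data; function names are hypothetical.

def parse_dhcp_options(raw):
    """Parse a DHCP options field (the TLV bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def fingerprint(opts):
    # 55 = parameter request list, 60 = vendor class identifier, 12 = host name
    return (opts.get(55, b""), opts.get(60, b""), opts.get(12, b""))

def find_identity_changes(events):
    """Return (mac, first_seen_fp, new_fp) for each MAC whose fingerprint changes."""
    baseline, alerts = {}, []
    for mac, raw in events:
        mac = mac.lower()
        fp = fingerprint(parse_dhcp_options(raw))
        if baseline.setdefault(mac, fp) != fp:
            alerts.append((mac, baseline[mac], fp))
    return alerts

def opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed sample option fields (not captured from any real device).
PRINTER = opt(12, b"hall-printer") + opt(60, b"printer-fw") + opt(55, bytes([1, 3, 6])) + b"\xff"
LAPTOP = opt(12, b"my-laptop") + opt(60, b"laptop-os") + opt(55, bytes([1, 3, 6, 15, 119])) + b"\xff"
SAMPLE_EVENTS = [
    ("02:00:00:00:00:01", PRINTER),
    ("02:00:00:00:00:02", LAPTOP),
    ("02:00:00:00:00:01", PRINTER),   # normal lease renewal, same fingerprint
    ("02:00:00:00:00:01", LAPTOP),    # same MAC, different client behind it
]

if __name__ == "__main__":
    for mac, old, new in find_identity_changes(SAMPLE_EVENTS):
        print(mac, old[2], "->", new[2])
```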

circle didn't last too long tho... I don't remember why it got disabled, all I know is that one day, it was completely off. I could browse the internet freely again, and I didn't have a problem for the next 4 years.

Recent Experiences

well, the firewall-less internet unfortunately didn't last long. 4 years later, and I had since moved in with my dad instead of living with my mom. I'm now under his house with only his rules instead of joint custody between both of my parents, with each of their rules. initially, I had no troubles with the internet in this new house. it even had a mesh network set up months after we moved in, so I could stay connected no matter where I was in the house. it was amazing!

one day, I noticed that some websites, like discord and reddit, were completely inaccessible. and that google and youtube had restricted mode enabled by default, which disabled comments and hid content that I would've liked to watch. I thought that this was some sort of misunderstanding, and I quickly got around it by using a vpn. no, not cloudflare warp this time. I decided to use mullvad vpn, because I heard great things about it from various youtubers and other internet people for a long time. it worked great (except for random disconnections every so often) and I liked their pricing of $5 per month. months go by without any issues. but that began to change...

on january 14th, my dad made an announcement to my siblings that the network would have to be rewired from scratch to "avoid data storms" due to "dns conflicts". he made some enthusiastic speech a day later about how there's "obfuscated flows on the network" and how there's "connection attempts from all over the world". he complained about not wanting there to be encrypted flows within the network, and stuff like that. I didn't think much of it at the time, but I wish I did to bring up my complaints with him earlier on.

so yes, that was the beginning of the second iteration of the new firewall. this firewall was way more strict than the previous one. I could be browsing results on a search engine, click a result, and there's a good chance that whatever random website the result is for is blocked. my dad boasted about how the firewall uses an ai-agent system to determine what domains and ip addresses to block or not, but in effect, it feels like it's a mostly whitelist system, where permission has to be granted to access these websites.

my dad initially blamed me for these "hackers" on the network that somehow were granted internal access. he claimed that whatever vpn I was using was sketchy and brought in these attackers into my devices somehow. I really didn't know what to think of this -w-. first off, of all places to hack, why would hackers try to get access into this random ip that they might have scraped from my vpn connections? second off, how would these hackers even determine my ip address based on my connection to a vpn server? are they just monitoring the outbound requests of a particular vpn server to determine devices to hack? I just don't get it...

I never did determine who these "hackers" were anyways. I wasn't even convinced that there were any hackers within the network. I mean, my dad even made a false claim relating to tls connections that I disproved. he claimed to me that within the network, tls connections are actually initially unencrypted within the network until they leave the network and enter the greater internet. this is false, because no data is transmitted between the client and server until they have properly performed a tls handshake, meaning that no unencrypted data ever leaves the client into the local network.

but that's not even the beginning of it all. while I didn't notice, my dad was secretly surveying my internet traffic and somehow using those ai-agents to decrypt my sensitive packets and figure out I was doing inappropriate stuff online. I suspect he might have only looked at my bluesky and inferred from there, but I can't really tell :P. from what I said earlier anyways, decrypting my packets sounds like a spooky thing already.

about a week earlier, my dad also told us that he would be switching our phone providers from verizon to t-mobile. sounds pretty straightforward, right? well... my dad used that transfer as a weapon to basically block me off from the open internet. instead of terminating our phone plans and moving us to the new provider in a timely manner, he spent his sweet time and trapped my phone in the in-between stage. it had a verizon e-sim but no active plan, meaning it could not connect to cellular data. the real slap in the face is that none of my other siblings were affected. I was the only one who was affected by this change.

so now, I was up against a new enemy, and completely back to square one on how I would try to approach bypassing it. for quite a while, I was stuck on what to do and I tried to suck it up as much as I could. I did occasionally launch wireshark or an ip scanner to see what was on the network, but that was mostly it for a while. I researched different methods to try and get around it, knowing what I did at the time. and I was able to try a few methods.

while writing this, I almost forgot about the actual first method I tried: dns over https. this is supposed to be a secure version of normal dns, which uses port 53 and is completely unencrypted and easily sniffed. this is how the firewall works in terms of domain sniffing: it sniffs out any dns requests made (whether it's to the firewall's dns server or not), calculates whether the domain is allowed, and gives a response that's determined on whether I can access that domain. so the simple solution at first was to route all these dns requests through tls, and make https requests to make it seem less suspicious. there are a few agents you can use that do this for you, but the one I used is called dnscrypt-proxy. it's called that because it also supports a custom protocol called dnscrypt, which works a lot like dns over https, but has different packet structure and I think a few different features.
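The port-53 inspection described above, seen from the firewall's side: parse the question name out of a plaintext dns query and check it against an allowlist. This is an added example, not part of the original post and not the actual firewall's logic; `ALLOWED_SUFFIXES`, `build_query`, `question_name` and `verdict` are hypothetical names and the policy is constructed.

```python
import struct

ALLOWED_SUFFIXES = {"example.edu", "wikipedia.org"}  # constructed policy

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (only used to create sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def question_name(msg):
    """Extract the first question name from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", msg[4:6])[0] < 1:   # QDCOUNT
        raise ValueError("no question")
    labels, i = [], 12
    while True:
        if i >= len(msg):
            raise ValueError("truncated name")
        n = msg[i]
        if n == 0:                             # root label ends the name
            break
        if n & 0xC0:                           # pointers have no place here
            raise ValueError("compression pointer in question")
        label = msg[i + 1:i + 1 + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        i += 1 + n
    return ".".join(labels)

def verdict(msg):
    """Return (name, 'allow' | 'block') for one observed query."""
    name = question_name(msg)
    parts = name.split(".")
    # Compare whole labels so "notwikipedia.org" never matches "wikipedia.org".
    allowed = any(".".join(parts[k:]) in ALLOWED_SUFFIXES
                  for k in range(len(parts)))
    return name, "allow" if allowed else "block"

if __name__ == "__main__":
    for host in ("en.Wikipedia.org", "notwikipedia.org", "chat.example.net"):
        print(verdict(build_query(host)))
```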

dns over https almost worked at first, but I quickly realized tcp requests to google or cloudflare dns servers are completely blocked, and I had to find another way around that. my dad also claimed that I couldn't trust google and cloudflare dns servers, but he never gave me a reason why, so I see it as bullshit. I found other dns servers that worked, and quickly I was able to access websites as I could before. however... since the firewall is more clever than I thought, it started blocking the ips of the websites I could access. some websites had both their domain and ips blocked already, so I still couldn't access those at all. it turned out to be a short-lived success, but it inspired me to keep going and find other ways around.

another successful method I was able to use was tor. tor probably needs no introduction, but just in case, tor is a peer-based network obfuscation service that tunnels your traffic through a network of community-run nodes until it finds an exit node, which makes the final requests for you. it is quite infamously known for its connection to the dark web, but it is often used in an innocent context. unfortunately tho, accessing tor nodes directly did not work, because tor has a public list of the ip addresses of nodes and websites (and advanced firewalls) often block all the ips found on that list. to get around that, tor offers a few other services known as bridges that obfuscate your connection to tor with varying techniques. snowflake bridges, which typically work for most people, did not work under this network -w-. fortunately tho, I found luck in the meek-azure and obfs4 ones. obfs4 was faster for me, and I was able to access the websites I wanted to again! :D

despite the firewall allowing access to these tor bridges, it seemed quick to detect when I was using one and blocking them. this is a common theme you'll see later on. I was only able to use bridges for 3 days until the get bridges tor website ran out of other options to try, leaving me back where I started yet again.

later on, in a conversation with my dad, he told me that he noticed I was making tor connections, and I think it could be because the exit nodes tried to directly contact my laptop. not sure tho. so with tor easily detectable and gone as an option, I had to rethink what else I could do.

eventually, I noticed something interesting about the system. I noted I couldn't access certain websites, like linkedin for example, but my dad obviously could. so I realized that like circle, there's some sort of profile-based bias for what websites are allowed and aren't. my devices all happened to get the most strict setting, blocking every other website I try to access from a search result. another thing to note about the firewall is that new devices would not immediately be allowed internet access; they had to be manually approved by my dad. meaning the solution to all my problems could not result in just buying a new device or setting my mac address to a random hex string. however, my next method did come from a similar method to that last solution I just mentioned.

I had also realized that all of the tvs had unrestricted internet access. I used to notice that the tvs would stop working around the time the internet stopped working for me, but later on, that changed. all the tvs could access the internet, and basically without restrictions, anytime throughout the day. so... the solution was to turn off one of the tvs (we have 3 of them, 6 including all the apple tvs connected to them, which had separate internet connections from the smart tvs themselves) and to change my mac address to that tv I turned off. it was really that simple :P.

I did this on a random friday night when my dad and I had "aligned to the same side". I was never really on his side, but I saw a bit more of his perspective. however, I didn't think what he was doing was right, and seemed quite extreme to me. and also, I had nothing to do on a friday night, and I didn't want to sleep... so why not bypass the firewall :P. I was able to get away with it on the next day, and it felt so refreshing and I felt free once again. I was able to talk to my friends, navigate to places seen as "unsafe" and just automatically blocked without good reason.

the next day however, it seemed that my dad finally noticed what was up. he said to me that I orchestrated a "planned-out mac spoofing attack", despite the fact it wasn't really an attack at all. it was merely an attempt to get to access the websites I wanted to access, but my dad refused to let me behind this firewall. he got more angry than what I saw from him in a while, and resorted to turning off the network entirely for a day while he installed something new.

once the day ended, I lost access to the original network, and had a new network entirely for my own devices. he quarantined my devices from the greater network. I knew that since this was the only measure he took in order to patch this hole, I had found a gaping vulnerability that would still allow me full access unless the tvs were put under my profile as well.

it's been about 4 months since this firewall was put into place. the firewall has put differing levels of restraint on me, and as I write it, it seems to be less restraining than before. I'm able to access some websites I couldn't touch anymore. but I still have problems with it, and unless I can come up with an ultimate compromise, I'll have to keep dealing with it in different ways.