Need recommendation - home network content filtering

DocGreen

Hey all!

Can any of the more adept networking gurus suggest a solution for my home network that would block inappropriate websites, proxies, etc. on all devices while still giving me the ability to exclude specific devices?

Essentially, I need to block my sneaky, tech-savvy son from accessing porn sites whilst still allowing myself to access whatever I please (because I'm an adult, and can look at whatever I want, lol).

Some details about my network:
Linksys LRT214 router
UniFi WIFI
Windows Server 2k12 R2 domain / DNS server
Son has access to both wired/wireless devices (Windows 10 PCs & Android)

I know there's a million and one options out there, but I've never really gotten into this type of stuff, so I'm hoping someone who's more familiar with what's out there can guide me. Thanks in advance!!!
 
To start, as @tek9 implied, you need to change routers. DNS is a great way to help control things but that requires locking down devices so they can't change the DNS servers. So that means getting device management for all devices.
 
sneaky, tech-savvy son

You're doomed. :D

Seriously, where there is a will, there is a way. I would say your energy would be better spent training the person, not putting more locks on the door. I appreciate that this is easy for me to say. I survived twin sons getting through puberty in my house. Let's just say we had "the talk" about this kind of stuff (separately, not together, I might add). I made sure they knew that I could get past their user passwords and that I owned their computers, not them. They knew I would be watching (which I did, just enough times to let them know I wasn't kidding). I had/have a Sonicwall and enabled content filtering, but I didn't put any other roadblocks up. I would be naive to think those efforts were 100% effective, but frankly, they weren't intended to be. In the end, they both turned out to be contributing members of society, so I'm taking that as a win.
 
One thing I haven't seen mentioned along with all the Untangle discussion:

Separate network.

Also, if he's really tech savvy (or following people dedicated to working around security) and able to run on machines that aren't completely locked down he's likely going to be able to bypass any blocks you put in. Four obvious measures come to mind, and I'm not sure Untangle can reliably block any or all of them in real time, though you could likely catch them with later review of his traffic:
  • VPN client: if he can install software on his machines, he can set up with a VPN service (free or paid) and configure it so his DNS goes through the VPN connection when it's active.
  • DNS-over-HTTPS: If you've blocked all outbound DNS to force devices to use the router as the DNS server, he could either use a browser that supports DNS over HTTPS or run a local DNS proxy on his PC.
  • TOR: If you've ever tried to use it you know the user experience is horribly slow (or at least it used to be), but it's likely hard to block unless you're playing regular whack-a-mole with TOR endpoints. It might also be possible to do DNS-over-HTTPS-over-TOR, which would leave the IP addresses of data traffic unfiltered (but the content is likely HTTPS encrypted) while using TOR only for small-traffic DNS lookups.
  • SOCKS proxy use? Not sure what browsers support this particularly with an authenticated proxy.
  • Are web anonymizers still a thing?
Also,
  • "Hey, my dad's messing around with new computer equipment again and our wifi's a mess and he keeps restarting it. Can I just connect to yours?"
 
Getting around blocks like this was how I almost got expelled from high school.

Give him something like Porteus Kiosk configured with a whitelist of sites and password-protect the BIOS to only boot from the HDD.

Getting a standard windows machine locked down properly can take a lot of tweaking.

You could force him to run a stripped down Linux distro.

Sent from my SM-G870W using Tapatalk
 
As an alternative to Untangle you could try Sophos UTM. It's free for home use.

The UI seems a bit weird at first but once you get used to that it's really powerful.
 
Also, if he's really tech savvy (or following people dedicated to working around security) and able to run on machines that aren't completely locked down he's likely going to be able to bypass any blocks you put in. Four obvious measures come to mind, and I'm not sure Untangle can reliably block any or all of them in real time, though you could likely catch them with later review of his traffic:
  • VPN client: if he can install software on his machines, he can set up with a VPN service (free or paid) and configure it so his DNS goes through the VPN connection when it's active.
  • DNS-over-HTTPS: If you've blocked all outbound DNS to force devices to use the router as the DNS server, he could either use a browser that supports DNS over HTTPS or run a local DNS proxy on his PC.
  • TOR: If you've ever tried to use it you know the user experience is horribly slow (or at least it used to be), but it's likely hard to block unless you're playing regular whack-a-mole with TOR endpoints. It might also be possible to do DNS-over-HTTPS-over-TOR, which would leave the IP addresses of data traffic unfiltered (but the content is likely HTTPS encrypted) while using TOR only for small-traffic DNS lookups.
  • SOCKS proxy use? Not sure what browsers support this particularly with an authenticated proxy.
  • Are web anonymizers still a thing?

It can. It does take effort, someone monitoring it.
*VPN clients..simple firewall rules for outbound prevent ports/type/destination. We stay busy with schools playing cat 'n mouse, but yes it can block VPNs. (same with anonymizers).
*HTTPS. Untangle does have an SSL module. An SSC from Untangle has to be installed on all client devices, and Untangle becomes the trusted "man in the middle" to crack open and inspect any/all HTTPS traffic.
*TOR..yup, has a built in rule for that. And Untangle devs have added a lot of "canned" types of traffic detection and block rules that would be utilized by those that think they can outsmart the firewall.
*Proxy too.

Can certainly block outbound DNS so only Untangle's DNS can be used.

And the OP asked if it can apply rules to 1 computer, but unlock rules for him. Yes Untangle has a quite flexible policy manager which can apply different rules (racks of rules) to different groups of users..be they end users, IP addresses, and a few other criteria.

But honestly for home users, I don't recommend something as complex as Untangle. It becomes too time consuming. Residential users don't have a full time IT person, they want to get some "set and forget" thing to plop on their network.

I have NOT seen it or played with it, but I've seen so many people praise Disneys Circle product.
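The two controls this reply describes, forcing every device to use the firewall's own resolver and exempting a few devices (the OP's own machines) from the rules, are easy to audit from the firewall log. The script below is an added example written for this thread, not Untangle's code or anything posted above; the log line format, the LAN resolver address, the exempt host list and the sample log lines are all constructed for the example. It flags any non-exempt LAN host that sends plain DNS to an outside resolver, uses DNS-over-TLS (port 853), or opens HTTPS to a well-known public resolver address, which is how a browser's DNS-over-HTTPS setting from the earlier post would show up.

```python
"""Audit firewall log lines for DNS going around the LAN resolver.

Added example; not Untangle's code and not from the forum thread.
Log format, addresses and sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed values: adjust to the real network.
LAN_RESOLVER = "192.168.1.1"          # the only resolver clients may use
EXEMPT_HOSTS = {"192.168.1.10"}       # e.g. the parent's own desktop
# Public resolvers that also answer DNS-over-HTTPS on tcp/443.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Assumed log shape: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify(line):
    """Return (src_ip, reason) when a line looks like DNS evasion, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, proto = m["src"], m["dst"], int(m["dport"]), m["proto"]
    # Only judge our own LAN hosts, and skip the devices deliberately exempted.
    if src in EXEMPT_HOSTS or not ipaddress.ip_address(src).is_private:
        return None
    if dport == 53 and dst != LAN_RESOLVER:
        return src, f"plain DNS to external resolver {dst}"
    if dport == 853:
        return src, f"DNS-over-TLS to {dst}"
    if proto == "tcp" and dport == 443 and dst in PUBLIC_RESOLVERS:
        return src, f"HTTPS to public resolver {dst} (possible DNS-over-HTTPS)"
    return None


def audit(lines):
    """Group findings by source host: {src_ip: [reason, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[hit[0]].append(hit[1])
    return dict(findings)


# Constructed sample log: .42 is the filtered PC, .10 is exempt.
SAMPLE_LOG = """\
2024-03-01 19:02:11 udp 192.168.1.42:51234 -> 192.168.1.1:53
2024-03-01 19:02:12 udp 192.168.1.42:51235 -> 8.8.8.8:53
2024-03-01 19:02:15 tcp 192.168.1.42:51240 -> 1.1.1.1:853
2024-03-01 19:02:20 tcp 192.168.1.42:51241 -> 1.1.1.1:443
2024-03-01 19:03:01 tcp 192.168.1.10:40000 -> 9.9.9.9:853
2024-03-01 19:03:05 tcp 192.168.1.42:51250 -> 203.0.113.5:443
""".splitlines()

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

The exemption is keyed on the source IP, so it only holds if that device has a DHCP reservation or static address. The check cannot see inside a VPN tunnel, and DNS-over-HTTPS to a server that is not on the public-resolver list looks like ordinary HTTPS, which is exactly why the reply above says the real answer is blocking outbound DNS at the firewall and then actually reading the logs.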
 
I use Untangle at home, now granted I pay MORE than the home user... (my NFR is here)

I have a 14 year old daughter that tests boundaries, I have her in her own policy, two in fact, to control things based on times of day.

My other three kids have two policies they are impacted on as well, this gives them Video and Audio Streaming rights from only 1pm to 3pm... which during school effectively means they can't get on YouTube unless it's the weekend and only for 2 hours...

Honestly, I don't know WTF I'd do if I didn't have it. My kids all push the envelope, they're always testing, and all of them have had their own computers since they were 18 months old. I set this up to create this reality, so I run a full IT department in my home as a result.

If you don't need all that, you can get a comparable and easier solution via OpenDNS, but it's nowhere near as granular, though it is more portable.

Disney's Circle is a joke, only ignorant idiots that want feel-good fluff would report it as being anything useful.

Nothing is perfect, and you'll never be done. Whatever you choose you're still going to have to keep an eye on the kids. Because nothing beats mom and dad paying attention.
 
Hmm... the Untangle appliance looks rather nice. I should look into picking one up next year.

How's the Untangle AV working? It looks like the full version of the AV is running Bitdefender. Now, I'm running Emsisoft on my computers, but never hurts having an extra layer covering the other devices.
 
Disney's Circle is a joke, only ignorant idiots that want feel-good fluff would report it as being anything useful.

That was my first hunch...sounded like a romper room toy to me because of the "Disney" name on it. But I've read enough reviews by good (competent) tech sites that said it was pretty decent. And seen comments by more than 1 IT person that they used it at home and like it. Haven't sat down and used it or played with it.
 
Hmm... the Untangle appliance looks rather nice. I should look into picking one up next year.

How's the Untangle AV working? It looks like the full version of the AV is running Bitdefender. Now, I'm running Emsisoft on my computers, but never hurts having an extra layer covering the other devices.

Paid-for versions have Virus Blocker, which is based on BitDefender.
The Virus Blocker Lite is based on ClamAV.
So you have dual engine AV there.
In addition Untangle has its own ScoutIQ, which is their own zero day threat service that comes with Virus Blocker and complements it with quicker communications to analyze via cloud scanning when new unknown files are found.
 
That was my first hunch...sounded like a romper room toy to me because of the "Disney" name on it. But I've read enough reviews by good (competent) tech sites that said it was pretty decent. And seen comments by more than 1 IT person that they used it at home and like it. Haven't sat down and used it or played with it.

The problem I have with Circle is it's yet another ARP hacking mess... I'm sure you remember Untangle's ReRouter fiasco, that's Circle...

1000 times no to ARP shenanigans; I've got enough gray hair.

https://support.meetcircle.com/hc/en-us/articles/115001381932-How-Does-Circle-Work-

When the Circle device is configured in a home, it identifies the router and begins to pose as the gateway to the other devices on the network.
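What the Circle article describes, a second box answering ARP for the router's address so that other devices send their traffic through it, is indistinguishable on the wire from ARP spoofing, which is the reason for the reaction above. A defender can spot it by watching which MAC claims the gateway IP. The script below is an added example for this thread, not Circle's, Untangle's or any poster's code; the gateway address and MAC, the `ip neigh show` snapshots and the ARP reply tuples are constructed for the example. It parses neighbour-table snapshots taken over time, reports any MAC other than the known router claiming the gateway IP, and also reports any other IP that flips between MACs.

```python
"""Detect a device posing as the LAN gateway via ARP.

Added example; not code from Circle, Untangle or the forum thread.
Gateway address/MAC and the sample neighbour-table output are constructed.
"""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"            # constructed
GATEWAY_MAC = "aa:bb:cc:00:00:01"     # constructed: the real router's MAC

# Matches lines in the form Linux `ip neigh show` prints:
#   192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
NEIGH_RE = re.compile(r"^(?P<ip>[\d.]+) dev \S+ lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_ip_neigh(text):
    """Turn `ip neigh show` output into (ip, mac) tuples; skips FAILED/incomplete rows."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append((m["ip"], m["mac"].lower()))
    return out


def check_arp_replies(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """replies: iterable of (ip, mac) observed over time. Returns alert strings."""
    gateway_mac = gateway_mac.lower()
    macs_by_ip = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # One alert per observation of a foreign MAC claiming the gateway IP.
        if ip == gateway_ip and mac != gateway_mac:
            alerts.append(f"gateway {ip} claimed by {mac}, expected {gateway_mac}")
        macs_by_ip[ip].add(mac)
    # Any other IP answered by more than one MAC is also a conflict
    # (duplicate address or spoofing); the gateway case is reported above.
    for ip, macs in sorted(macs_by_ip.items()):
        if ip != gateway_ip and len(macs) > 1:
            alerts.append(f"{ip} answered by multiple MACs: {', '.join(sorted(macs))}")
    return alerts


# Constructed snapshots: the second one is taken after a "filter box" has
# started answering for the router; .50 changes MAC for an unrelated reason.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.42 dev eth0 lladdr aa:bb:cc:00:00:42 STALE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:50 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr AA:BB:CC:00:00:99 REACHABLE
192.168.1.42 dev eth0 lladdr aa:bb:cc:00:00:42 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:51 REACHABLE
192.168.1.77 dev eth0  FAILED
"""
SAMPLE_REPLIES = parse_ip_neigh(SNAPSHOT_BEFORE) + parse_ip_neigh(SNAPSHOT_AFTER)

if __name__ == "__main__":
    for alert in check_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

Run periodically and fed with real `ip neigh show` output, this gives a plain record of every time the gateway's MAC changed, which is the evidence you want before deciding whether a box that works this way belongs on the network at all.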
 