[SOLVED] Wireless router with extensive website blocking capability?

Apr 24, 2020
I'm looking for a decent wireless home router with good parental controls and website blocking features. My old TP-Link could block tons of sites using target domains and rules, but I just upgraded to a TP-Link AC4000 and it is limited to 32 entries, which isn't enough because you have to enter AAAA.com and www.AAAA.com to effectively block the site, so effectively you can only block 16 websites. The reason I need this is to block ALL adult content and search results. I use CleanBrowsing DNS, which handles most of it, but there are 15 or so adult URLs we've found that aren't auto-blocked, and many search engines aren't SafeSearch-enforced by CleanBrowsing and also return adult results to searches (Yahoo), so I want to block those too.

My old TP-Link still does the job, but I'd like to upgrade to something with GigE interfaces and better range. I didn't think this would be so hard, but apparently I'm the only home user who needs to block a bunch of websites? I chatted with Linksys and they don't have any product that can block enough either.
 
Check out OpenDNS FamilyShield. I use it for my kids' WiFi devices.
As for routers, my personal preference is a pfSense firewall appliance and dedicated WiFi access points (so I do not have to upgrade the whole thing every time a new radio standard comes out).

P.S. There is a good open-source project for routers, OpenWRT, which significantly expands the capabilities of many routers and wireless devices. It does have the options you are looking for and might work with inexpensive hardware. I ported OpenWRT to a couple of devices; the community is great and provided support. You might want to check it out.
 

I did test OpenDNS FamilyShield initially, but it didn't reliably enforce SafeSearch and filter adult content out of Google and especially Bing images, and the blocking feature went across the entire network rather than per device (for example, blogspot.com can return adult content, so I want it blocked on certain devices but not all). The CleanBrowsing DNS server seemed to do a better job.

I've thought about adding a firewall to my setup, especially if it makes life easier. Would something like that pfSense you listed be simple to block a bunch of websites on a per-device basis?

I honestly just want something that is easy to maintain. Pointing to the CleanBrowsing DNS server takes care of 95% of it; then I want to be able to block websites on a per-device basis like my old TP-Link lets me. As I test the DNS filtering and come upon new websites that aren't properly blocked, I want to be able to blacklist them, so I don't want some low upper limit on the number of sites you can block, like the 16 or 32 that Linksys and TP-Link impose. I want to keep adding more blocked sites over the years ahead.
 
pfSense is very robust, with professional-grade capabilities; however, it is not simple to configure compared to SOHO devices.
Yes, probably much more capability than I need. I'm willing to put a firewall appliance inline between cable modem and Wifi router if that is the easiest way to go. It really seems like there isn't a good home use model router that can reliably and simply block a bunch of websites. Any recommendations from anyone on a firewall appliance to buy that can just flat out block websites? Or a home router with that capability if such a thing exists?
 
It is actually very hard to do since everything is encrypted. You can't actually see the data stream any more because of HTTPS. All that is left is DNS-snooping types of filters. This hole too is being closed. Microsoft has been testing encrypted DNS; not sure when it releases. Many browsers also have support for it.

There are also many proxy functions, in things like Chrome, that will also hide what is being done.

Pretty much you are stuck with IP filter lists, which don't work well when companies use hosted servers on Google or Microsoft etc. You can't really block those without sometimes blocking valid sites that share the same IP.

Pretty much you are only going to block someone who is not willing to make even a small effort to bypass you. Every 13-year-old kid knows all about free VPN and proxy sites.
 

I understand that it's tough and VPN/proxy workarounds are there and it's all easy to work past. That being said, I'm still interested in a solution that would meet my requirements, which are:

Ability to block websites for specific network devices, at least up to maybe 64 individual URLs?

I'm interested in either a wireless router that can do the above, or an inline firewall appliance with that capability. I don't need anything else, just to block a bunch of websites at the router level. Is there anything simpler than a pfSense firewall that can do this? I've seen FortiGate and Synology devices mentioned in other threads and forums, but I'm not sure about the number of sites you can block with those?

My cheap old TP-Link WR841N can block up to 64 sites using host/target/rules; it's very easy to configure. All I want is the same capability on newer hardware.
 
Lots of commercial solutions, some actually based on pfSense. You are paying someone to do the work. It all depends how much money you want to spend. There used to be many more vendors, but as HTTPS has become almost standard a lot are being sold or going out of business.

The largest issue with using any consumer router is going to be processor power. It is not even the filtering function itself that is the major issue. Traffic in modern routers bypasses the CPU to use a hardware NAT assist. You must disable this feature to use any form of traffic management, and it will drop your speed to about 250-300 Mbps even on the fastest router CPU.
Although I have not tried it, I suspect you can use static routes to do simple filtering and leave the hardware accelerator on. You would put static routes in for the IPs and send them to some invalid next hop.

Although a pain, pfSense on a dual-NIC PC tends to be the simplest. Getting the OS loaded is trivial. Configuring it is mostly a matter of finding the correct screen.

Still, all you really can do is block lists of IP addresses. The concept of URL blocking is not really valid anymore. Only the domain part can be blocked, and the router will look the names up and put the IPs in the actual filters to increase performance. When you have xxx.yyy.com/????, anything past the "/" is no longer visible.
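Added example, not code from the thread, pfSense or TP-Link: a small Python model of the two mechanisms the posts above describe. First, a DNS-level filter that blocks a domain together with all of its subdomains, applied per client, so one "blogspot.com" entry also covers "www.blogspot.com" and the 32-entry limit stops being a problem. Second, the fallback the router actually uses once names are resolved: the IPs go into per-device nft rules or, network-wide, into blackhole routes. The policy, client addresses and the name-to-IP table are constructed sample data (RFC 5737 documentation addresses and reserved .test names); a real deployment would resolve names with a resolver instead of the static table.

```python
"""Per-device domain blocking with suffix matching, plus an IP-rule fallback.

Added example (not from the thread). All clients, names and addresses below
are constructed sample data; FAKE_DNS stands in for real DNS lookups.
"""
from __future__ import annotations

import ipaddress

# Constructed policy: client IP -> blocked domain suffixes. "*" applies to all.
POLICY: dict[str, set[str]] = {
    "*": {"example-adult.test"},                   # hypothetical, network-wide
    "192.168.1.50": {"blogspot.com", "bing.com"},  # hypothetical kid's tablet
}

# Constructed stand-in for DNS lookups (documentation addresses only).
FAKE_DNS: dict[str, set[str]] = {
    "blogspot.com": {"203.0.113.10", "203.0.113.11"},
    "www.blogspot.com": {"203.0.113.10"},
    "bing.com": {"198.51.100.5"},
    "example-adult.test": {"192.0.2.7"},
    "example.com": {"203.0.113.11"},  # shares an IP with blogspot.com on purpose
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of an FQDN ("Foo.com." -> "foo.com")."""
    return name.strip().rstrip(".").lower()


def domain_blocked(name: str, suffixes) -> bool:
    """True if name equals a blocked suffix or is a subdomain of one.

    Matching is done on whole labels, so "www.blogspot.com" matches
    "blogspot.com" but "notblogspot.com" does not (a naive endswith() would).
    """
    labels = normalize(name).split(".")
    for suffix in suffixes:
        s_labels = normalize(suffix).split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return True
    return False


def blocked_suffixes(client_ip: str, policy=POLICY) -> set[str]:
    """Merge the network-wide list with the client's own list."""
    return set(policy.get("*", set())) | set(policy.get(client_ip, set()))


def decide(client_ip: str, qname: str, policy=POLICY) -> str:
    """DNS-filter decision for one query from one client: "BLOCK" or "ALLOW"."""
    blocked = domain_blocked(qname, blocked_suffixes(client_ip, policy))
    return "BLOCK" if blocked else "ALLOW"


def blocked_ips(client_ip: str, policy=POLICY, table=FAKE_DNS) -> list[str]:
    """Addresses a router-side IP filter would have to drop for this client.

    Only names the router already knows can be resolved, so a new subdomain
    found tomorrow is missed here but still caught by decide().
    """
    suffixes = blocked_suffixes(client_ip, policy)
    ips = {ip for name, addrs in table.items()
           if domain_blocked(name, suffixes) for ip in addrs}
    return sorted(ips, key=ipaddress.ip_address)


def nft_rules(client_ip: str, policy=POLICY, table=FAKE_DNS) -> list[str]:
    """Per-device nftables rule text (nothing is applied to the system)."""
    ips = blocked_ips(client_ip, policy, table)
    if not ips:
        return []
    return [f"add rule inet filter forward ip saddr {client_ip} "
            f"ip daddr {{ {', '.join(ips)} }} drop"]


def null_routes(ips) -> list[str]:
    """Network-wide fallback from the thread: send the IPs to a blackhole route.

    Not per device, and an address shared with an unrelated site is blocked
    for everyone; see collateral() for that side effect.
    """
    return [f"ip route add blackhole {ip}/32" for ip in ips]


def collateral(client_ip: str, policy=POLICY, table=FAKE_DNS) -> list[str]:
    """Known names an IP-level block for this client would hit although they
    are not on the client's blocklist (shared hosting, CDN front ends)."""
    suffixes = blocked_suffixes(client_ip, policy)
    ips = set(blocked_ips(client_ip, policy, table))
    return sorted(n for n, addrs in table.items()
                  if not domain_blocked(n, suffixes) and addrs & ips)


if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.1.51"):
        for q in ("www.blogspot.com", "notblogspot.com", "cdn.example-adult.test"):
            print(client, q, decide(client, q))
        print(nft_rules(client), "collateral:", collateral(client))
    print(null_routes(blocked_ips("192.168.1.50")))
```

Run as a script it prints the decisions for two clients, the nft rule each would need, and the names that share an IP with a blocked site. The point to take from the output is the one the posts make: the name-based decision is per device and catches subdomains it has never seen, while the IP fallback is only as good as the last lookup and drags example.com along because it shares 203.0.113.11 with blogspot.com.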
 
While that is true, at the point where the user is capable of bypassing the DNS filter and the IP filter (which should include most free proxies and VPNs), it is probably time to cut him/her loose :)

Stateful packet inspection indeed takes hardware resources, but since packets are usually long in bandwidth-demanding applications and only the header is inspected, high bandwidth is still achievable with relatively low processor loads.

Firewall performance is measured in packets per second, which can be approximated to Mbps but is never precise in those measures.