Network filtering on the cheap
August 15, 2008 11:20 AM

Network filtering on the cheap: small office network filtering... yet I need to be able to bypass it (for some).

Our office is plagued by interns that don't respect the 'law' - no Facebook, YouTube, MySpace etc. Yes, they're not professional. Yes, we're supposed to be teaching them professionalism. I'm not looking for advice on that.

Preferably on the cheap, I think I need a new router. I can't run a dedicated PC for this. Mac + PC office mix. Is there a router on the market that easily does this?

I need a way to easily create/control:
• a blocklist/filter
• a set of users (ip based?) that can bypass the filter (as some of those sites, on occasion do need to be accessed.)
• logs of users+sites to be reviewed

The other method I'm thinking of is two routers... one where I can control the DNS info (with a block list)... and use my existing router for MAC-based 'freedom'.
posted by Towelie to Technology (7 answers total)
 
It looks like the tomato firmware has access restrictions and logging. This video shows access restriction setup. Tomato runs on Linksys WRT54GL and similar hardware. Wikibooks documentation available.
posted by and for no one at 11:40 AM on August 15, 2008


OpenDNS would be good for the two-router setup: it blocks porn and phishing sites, and allows blocking of specific domains (for Facebook, etc.).
posted by sharkfu at 11:50 AM on August 15, 2008


2nding OpenDNS, but with this caveat:

If your interns are technically inclined, they will be able to get around this sort of blocking by making an entry in their Hosts file. It would take 30 seconds.

That said, I think most consumer-grade routers have this sort of blocking functionality right out of the box, though I'm not sure how "small" your office is.
posted by toomuchpete at 11:56 AM on August 15, 2008


My super cheap Netgear wireless router has this as a basic feature. It's the MR814, but it was also a feature on my much older MR314. It's very likely the router you currently have already supports this.
posted by advicepig at 12:50 PM on August 15, 2008


OpenDNS is totally the way to go here.

* You get to use all your existing hardware. Nothing to spend at all.
* You get to paint with broad or narrow strokes. It's up to you. There are between 4 and 54 categories that you can block at your discretion, all based upon how granular you want to get with your control. You also get full custom white- and blacklists (facebook, youtube, myspace).
* You get built-in spam and phishing protection. Malicious sites are blocked by default.
* You get full logging (not per-user, but for the whole company). It logs all DNS requests, both blocked and allowed.
* Have I mentioned it's free?
* Use your own company logo on blocked pages.
* Stable - zero downtime since July 10, 2006 (their launch date I believe)

So, it's the greatest thing since sliced bread. So how do you break it?

Two options:

* Set static DNS servers on certain PCs. 4.2.2.2 is easy to remember.
* Set up an internal web proxy server and set the DNS server on that. This lets you get application-level DNS rather than PC-level DNS. Firefox is allowed to hit all sites - all other programs go through the OpenDNS filter. Bonus: set up the web proxy box to use authentication and only certain users can use it :-)

How do you stop people from being able to bypass it and use their own DNS?

* Disallow external DNS lookups to servers other than OpenDNS (208.67.222.222, 208.67.220.220) at the firewall level
posted by mysterious1der at 3:28 PM on August 15, 2008
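An added example, not from any poster in this thread, of the firewall-level restriction described in the answer above: iptables rules for a Linux-based router such as Tomato on a WRT54GL that let only the OpenDNS resolvers be reached on port 53, with a short list of bypass hosts (the asker's "set of users that can bypass the filter") allowed to use any resolver. The LAN interface name br0 and the bypass addresses are assumptions; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: emit iptables rules that force LAN hosts to use OpenDNS.
# Assumptions (not from the thread): the LAN bridge is br0, and the two
# bypass addresses below are constructed for the example.

OPENDNS="208.67.222.222 208.67.220.220"   # resolvers quoted in the thread
LAN_IF="br0"                              # assumed Tomato LAN interface
BYPASS_HOSTS="192.168.1.10 192.168.1.11"  # constructed: may use any DNS

# Print the rules instead of running them so they can be reviewed first.
# To apply on the router:  dns_rules | sh
dns_rules() {
    # 1. Bypass hosts: their DNS traffic to any server is accepted.
    for h in $BYPASS_HOSTS; do
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $LAN_IF -s $h -p $proto --dport 53 -j ACCEPT"
        done
    done
    # 2. Everyone else: only the OpenDNS resolvers are reachable on port 53.
    for r in $OPENDNS; do
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $LAN_IF -d $r -p $proto --dport 53 -j ACCEPT"
        done
    done
    # 3. Any other outbound DNS (e.g. a hand-set 4.2.2.2) is logged, so the
    #    offending LAN address shows up in syslog, and then dropped.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j LOG --log-prefix 'DNS-BYPASS: '"
        echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j DROP"
    done
}

dns_rules
```

Rule order matters: the bypass and OpenDNS ACCEPT rules must come before the catch-all LOG/DROP pair, which is why the function emits them in that sequence.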


Just in case I wasn't explicit enough, just tell your existing router to start handing out 208.67.222.222 and 208.67.220.220 for DNS servers as part of your internal DHCP leases. Don't use whatever garbage your ISP gives you for free. I promise, if you're not seeing any instability in the network currently, you absolutely will not have to spend a dime to replace any new hardware. Your current router is more than sufficient.

PM me with any questions, or post here if you think they can help future readers.
posted by mysterious1der at 3:31 PM on August 15, 2008


To reframe your question a little, the cheapest, oldest machine sitting in the corner of the storeroom should be able to handle this task just fine. If you were inclined to set it up and had such a beast available.

I have a Linksys wrt54g with Sveasoft Alchemy on it, and it has the capabilities you require. But I've never tested it to see if it works.
posted by gjc at 4:28 PM on August 15, 2008

