ERL / Mikrotik / Gargoyle / Other

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
I am looking to modify my home network by adding in some content filtering.
Initially I am looking at something that can implement a blacklist.
I want to be able to keep my wired network at gigabit speeds for transfers and backups to my nas while at the same time applying the filtering to specific devices only.

My perfect device would:
1) Allow content filtering to specific devices, both wired and wireless.
2) Maintain my gigabit wired network, (organically or with an added switch).
3) Ability to batch add the blacklist in some way that I am not typing in every address.

I am not looking into DNS blocking because it seems that Google has a simple bypass as a top-three result. Admin rights are restricted, but admin rights are restricted at every office everywhere and the internet long ago found simple bypasses.
This is a fact finding mission on what I can do at the router.

Question always asked at this point is "Why do you want this".
Answer, "Because I think allowing access to the entire internet to my children and children's guests is not how I want to run my home". This is not a parenting issue per se, but if you want to turn this into a parenting conversation please send pictures of your perfect children prior to telling me how I should be able to leave Playboys around the house and know they will not be opened because I told them not to. Blocking the world is not my intent; being responsible with the resources I am providing is.
 

bds1904

Gawd
Joined
Aug 10, 2011
Messages
1,007
So you have no clue what you want to accomplish at all or you can't ask a simple question.

Google utm content filtering

That will get you started.
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,384
There are some threads on blacklisting/content filtering with the ERL on their forums. Basically it uses some maintained lists (I can't remember the name of the main list they use) to block known bad URLs.

If you want fine control, IDS, and so forth, look into Endian, Sophos, and Untangle. I used Untangle for years and just switched to Sophos/Astaro. You'll get the most sanitation and control with this route.

You can also use simple things like OpenDNS.

Or, you could roll up your sleeves and get dirty with OpenBSD, pf and Snort. :D
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
So you have no clue what you want to accomplish at all or you can't ask a simple question.

I appreciate the response, snarky though it may be. Just a heads up, the definition below kind of covers the intent of a forum, (number 3 specifically). Generally questions will be asked or opinions voiced by some and responded to by others. Not much point in starting a conversation if I already knew everything about the topic. I know, hard to grasp.

fo·rum [fawr-uhm, fohr-uhm]
noun, plural fo·rums, fo·ra [fawr-uh, fohr-uh]
1. the marketplace or public square of an ancient Roman city, the center of judicial and business affairs and a place of assembly for the people.
2. a court or tribunal: the forum of public opinion.
3. an assembly, meeting place, television program, etc., for the discussion of questions of public interest.
4. the Forum, the forum in the ancient city of Rome.
 

bds1904

Gawd
Joined
Aug 10, 2011
Messages
1,007
I appreciate the response, snarky though it may be. Just a heads up, the definition below kind of covers the intent of a forum, (number 3 specifically). Generally questions will be asked or opinions voiced by some and responded to by others. Not much point in starting a conversation if I already knew everything about the topic. I know, hard to grasp.

fo·rum [fawr-uhm, fohr-uhm]
noun, plural fo·rums, fo·ra [fawr-uh, fohr-uh]
1. the marketplace or public square of an ancient Roman city, the center of judicial and business affairs and a place of assembly for the people.
2. a court or tribunal: the forum of public opinion.
3. an assembly, meeting place, television program, etc., for the discussion of questions of public interest.
4. the Forum, the forum in the ancient city of Rome.

There is also something called the internet, and on that internet there is something called a search engine. You type things in and magically it gives you MANY things to read directly related to what you typed in. Funny thing is that the internet is made by people and is a collection of things people have talked about, or are interested in.

I'm pretty sure you aren't the only person ever to want to filter internet content on your home network, so this discussion just might have happened elsewhere before.

Try this link here

The top five results are guaranteed to get you on your way. There are also these nifty things at the bottom called related searches. They tend to lead to other things that are RELATED to what you searched for; generally leading you to a more specific topic related to your first search.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
There are some threads on blacklisting/content filtering with the ERL on their forums. Basically it uses some maintained lists (I can't remember the name of the main list they use) to block known bad URLs.

If you want fine control, IDS, and so forth, look into Endian, Sophos, and Untangle. I used Untangle for years and just switched to Sophos/Astaro. You'll get the most sanitation and control with this route.

You can also use simple things like OpenDNS.

Or, you could roll up your sleeves and get dirty with OpenBSD, pf and Snort. :D

That's what I was considering, but I was hoping that a more concise solution had developed. Something more like Mikrotik but with an Untangle / IPFire kind of software development. Perhaps I can't find it because it does not exist. Appreciate the response.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
I use OpenDNS and just use NAT rules to force all DNS traffic to them. No way for anyone to bypass OpenDNS that way.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
bds1904. No reason to go into giant colored font. You gave a snarky response and you got one back. You can scream all you want; my monitor is only so big though, so at some point your efforts at internet domination will result in diminishing returns on your wrath.

I said I appreciated your response and I have spent a fair amount of time doing searches. How would I know about Mikrotik? Not like they are that well known. RouterOS, however, is not known in depth by a lot of people, and from what I have been able to determine it may or may not offer the level of content filtering along with routing capability I am interested in. Same for the EdgeRouter Lite. I know it may come as a surprise, but not everything you read on the internet is true...
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
I use OpenDNS and just use NAT rules to force all DNS traffic to them. No way for anyone to bypass OpenDNS that way.

Thanks for the idea. Someone recently told me about this "Google" thing so I think I'll try that and do some checking.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
RouterOS CAN do some filtering, but it's poor at best and difficult to work with. You need to create a bunch of regex rules and it's messy.

ERL could too, but again you would need to go outside of the normal config and install your own packages on it.

Both platforms are awesome firewalls/routers but lousy UTMs and they really aren't meant or advertised to be.

I have quite a bit of experience with both platforms.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
RouterOS CAN do some filtering, but it's poor at best and difficult to work with. You need to create a bunch of regex rules and it's messy.

ERL could too, but again you would need to go outside of the normal config and install your own packages on it.

Both platforms are awesome firewalls/routers but lousy UTMs and they really aren't meant or advertised to be.

I have quite a bit of experience with both platforms.

HUGE Thank You! That is really helpful. I was willing to learn either system but finding an explanation that clear is hard to come by. Eliminating that direction as an option makes it easier to corral the legitimate options and compare them.
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,384
That's what I was considering, but I was hoping that a more concise solution had developed. Something more like Mikrotik but with an Untangle / IPFire kind of software development. Perhaps I can't find it because it does not exist. Appreciate the response.

What do you mean by more concise? Like an Untangle or Sophos appliance? Zyxel Zywall UTM? There's Juniper, Sonicwall, Checkpoint, and even Cisco if you want more options. You're going to pay through the nose for those devices though, and the lower end ones may not give you the throughput you desire.

A PC with Sophos/Astaro or Untangle is pretty much going to be exactly like an appliance from a setup/maintenance perspective, just most likely in a smaller form factor.

I ran Endian before I went to Untangle. It was a nice piece of software that had kind of a lull in development--part of why I jumped ship. It has come back though.

There's a plethora of devices that will suit your needs, you just have to decide what you want to pay, how much elbow grease you're willing to impart, and how much you want to spend. If you don't want to spend anything or very little, slap OpenDNS on your existing hardware and call it a day.
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
For the OP, do you have any sort of budget in mind for this project? There are a ton of hypotheticals thrown out on both sides but no absolutes. You state that you're looking for a polished product, great. What potential hardware resources do you have to bring to the project, what kind of time are you willing to put in and what kind of budget is available?
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
161
We're using OpenDNS with DNS-blocking firewall policies. My suggestion would be to assign static IPs to devices you don't want blocked (or IP reservations in DHCP), then set up an outbound DNS rule for them to anywhere (4.2.2.2, 8.8.8.8, etc.). Then put your DHCP pool (not reserved) in another outbound DNS policy to 208.67.222.222/208.67.220.220. Then a third rule to block all DNS requests. Now your children and their friends will be unable to get past the OpenDNS block by changing the DNS setup.

Make sure to set 208.67.222.222 and 208.67.220.220 in your DHCP server as the DNS hosts.
 
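The two posts above (NAT rules that force all DNS to OpenDNS, and a three-rule policy of exempt-by-reservation / redirect the DHCP pool / drop everything else) can be expressed as one nftables ruleset. The script below is an added example written for this page, not code from any poster or from the EdgeRouter or RouterOS projects; the interface name, LAN subnet and the two exempt addresses are assumptions, and the OpenDNS resolvers are the ones named in the thread. It builds the ruleset as text first so it can be reviewed before it is applied, and only calls `nft` when run as root on a box that has it.

```shell
#!/bin/sh
# Added example (not from the original thread): force every LAN host except an
# exempt list through OpenDNS, then drop any DNS that escapes the redirect.
# LAN_IF, LAN_NET and EXEMPT are illustrative assumptions; override via env.
set -eu

LAN_IF="${LAN_IF:-eth1}"                         # assumed LAN-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"             # assumed LAN subnet
EXEMPT="${EXEMPT:-192.168.1.10 192.168.1.11}"    # assumed DHCP reservations for unfiltered devices
OPENDNS_PRIMARY="208.67.222.222"                 # OpenDNS resolvers, as given in the thread
OPENDNS_SECONDARY="208.67.220.220"

# Emit the ruleset as text. Keeping generation separate from application lets you
# diff it, commit it, or feed it to 'nft -c -f -' for a syntax check first.
build_ruleset() {
    exempt_set=$(printf '%s' "$EXEMPT" | sed 's/ /, /g')
    cat <<EOF
table inet dnsguard {
    set exempt { type ipv4_addr; elements = { $exempt_set } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rule 1: exempt hosts keep whatever resolver they configured.
        iifname "$LAN_IF" ip saddr @exempt accept
        # Rule 2: everyone else has any UDP/TCP port-53 query rewritten to OpenDNS,
        # whatever resolver address they typed into their network settings.
        iifname "$LAN_IF" ip saddr $LAN_NET meta l4proto { tcp, udp } th dport 53 dnat ip to $OPENDNS_PRIMARY
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "$LAN_IF" ip saddr @exempt accept
        # Allow the redirected queries through to either OpenDNS address.
        iifname "$LAN_IF" ip daddr { $OPENDNS_PRIMARY, $OPENDNS_SECONDARY } meta l4proto { tcp, udp } th dport 53 accept
        # Rule 3: anything else on 53, plus DNS-over-TLS on 853, is dropped for filtered hosts.
        iifname "$LAN_IF" meta l4proto { tcp, udp } th dport { 53, 853 } drop
    }
}
EOF
}

# Apply when possible; otherwise print the ruleset as a dry run.
apply_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_ruleset | nft -f -
        echo "dnsguard ruleset applied" >&2
    else
        echo "nft not available or not root; dry run follows:" >&2
        build_ruleset
    fi
}

apply_ruleset
```

Two checks worth running afterwards: from a filtered host, `dig @8.8.8.8 example.com` should still get an answer (the query was rewritten, and a `tcpdump -ni <wan> port 53` on the router shows it leaving for 208.67.222.222), while an exempt host querying 8.8.8.8 should be seen going to 8.8.8.8 unchanged. The caveat the thread predates: this only catches classic DNS. DNS-over-TLS is blocked here by dropping 853, but DNS-over-HTTPS travels on 443 and cannot be told apart from ordinary web traffic at this layer; the usual answer is to block the known DoH resolver endpoints at the same policy point or to move the filtering to a proxy/UTM as discussed later in the thread. Hand out 208.67.222.222 and 208.67.220.220 via DHCP as the post says, so that filtered clients normally never trigger the redirect at all.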

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
You can run the ERL boxes on FreeBSD and install whatever you'd want to do filtering, like squid or whatever; given the performance, your mileage may vary though.
//Danne
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
What do you mean by more concise? Like an Untangle or Sophos appliance? Zyxel Zywall UTM? There's Juniper, Sonicwall, Checkpoint, and even Cisco if you want more options. You're going to pay through the nose for those devices though, and the lower end ones may not give you the throughput you desire.

A PC with Sophos/Astaro or Untangle is pretty much going to be exactly like an appliance from a setup/maintenance perspective, just most likely in a smaller form factor.

I ran Endian before I went to Untangle. It was a nice piece of software that had kind of a lull in development--part of why I jumped ship. It has come back though.

There's a plethora of devices that will suit your needs, you just have to decide what you want to pay, how much elbow grease you're willing to impart, and how much you want to spend. If you don't want to spend anything or very little, slap OpenDNS on your existing hardware and call it a day.

I was initially looking for something like a Mikrotik. Simple to get started, room to expand as I learned more about the system, powerful but low financial overhead to get into and run. Pretty obvious that I am looking at something more like a Zyxel or Pfsense / Astaro box. I think I would rather put together an Atom 2500 system with a good distro on it than the Zyxel just from an options point of view.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
You can run the ERL boxes on FreeBSD and install whatever you'd want to do filtering, like squid or whatever; given the performance, your mileage may vary though.
//Danne

Yeah, they get great reviews and I have read about loading FreeBSD; I read someone had pfSense running on it as well. But I think you are spot on with the mileage though.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
For the OP, do you have any sort of budget in mind for this project? There are a ton of hypotheticals thrown out on both sides but no absolutes. You state that you're looking for a polished product, great. What potential hardware resources do you have to bring to the project, what kind of time are you willing to put in and what kind of budget is available?

I think I am to the point where if I want this to be as flexible as possible it is going to be an Atom dual NIC setup and you are right, plenty of options and examples out there.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
We're using OpenDNS with DNS-blocking firewall policies. My suggestion would be to assign static IPs to devices you don't want blocked (or IP reservations in DHCP), then set up an outbound DNS rule for them to anywhere (4.2.2.2, 8.8.8.8, etc.). Then put your DHCP pool (not reserved) in another outbound DNS policy to 208.67.222.222/208.67.220.220. Then a third rule to block all DNS requests. Now your children and their friends will be unable to get past the OpenDNS block by changing the DNS setup.

Make sure to set 208.67.222.222 and 208.67.220.220 in your DHCP server as the DNS hosts.

I am saving this. Thanks.
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,384
If you're wanting the highest in flexibility, you'll want an i3-based system. The Atom will do well for a lot of things, but if you start down the UTM path and add a lot of features, you'll probably run into some limitations with the Atom. Email scanning will usually take a big hit on devices, but if you only use webmail you'll never see that. Otherwise, if you don't need more than 2 interfaces, the Atoms are nice rigs. I would check to see if they have AES-NI; if you want to run a VPN at all that will increase performance significantly.

I think the people on Astaro forums are even suggesting i5's with 8GB RAM. I currently have an older E3300 with 4GB RAM in mine with 3 interfaces, and it does fine. Not much traffic though. I may be adding email scanning and VPN soon, so we'll see if that causes any problems.

Get good NICs in either system--no Realtek stuff. Intel or Broadcom. I have old 3COM NICs in mine, but they are old hardware cards.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
If you're wanting the highest in flexibility, you'll want an i3-based system. The Atom will do well for a lot of things, but if you start down the UTM path and add a lot of features, you'll probably run into some limitations with the Atom. Email scanning will usually take a big hit on devices, but if you only use webmail you'll never see that. Otherwise, if you don't need more than 2 interfaces, the Atoms are nice rigs. I would check to see if they have AES-NI; if you want to run a VPN at all that will increase performance significantly.

I think the people on Astaro forums are even suggesting i5's with 8GB RAM. I currently have an older E3300 with 4GB RAM in mine with 3 interfaces, and it does fine. Not much traffic though. I may be adding email scanning and VPN soon, so we'll see if that causes any problems.

Get good NICs in either system--no Realtek stuff. Intel or Broadcom. I have old 3COM NICs in mine, but they are old hardware cards.

Thanks for the insight. Regardless of bds1904 and me being snippy with each other, he is right and the UTM is where I want to go. I am not sure how much overhead I am going to need, but I have no need for a VPN and webmail is all we use. However, the smart move is to take your advice and use what I have, which is a Celeron E3400 system that was my WHS (that I am shutting down because the QNAP I am replacing it with costs $40+ less a year to run). I can gather a few parts and try out a few distros. I really wanted to drop the power consumption of the 24/7 devices, but a few more months won't kill me.
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,384
I did a power/cost calculation (made an Excel spread sheet) of buying new devices, and just like buying a hybrid to save gas--it doesn't pay out. My E3300 firewall uses about 25W according to my UPS. Replacing it with a ~10W i3 device for $300, at my cost for power (which is pretty high compared to where we used to live) would take 20 years to pay off.

Replacing my server, that uses about 80W at idle, with a device that uses only 45W, assuming about $450 (which is cheap for a nice server) would take about 13 years to pay itself off.

Your E3400 should do fine for you. Just get a couple of good NICs. New Intel desktop cards are about $30, or you can get multi-port ones off eBay for about the same.

ETA: with the E3300 and 4GB RAM, Sophos is reporting about 35% RAM usage and never really above 5% CPU. I'm not sure why people recommend such high horsepower, but it's possible I just don't have the traffic other people do.
 

PoorBehavior

Limp Gawd
Joined
Oct 23, 2004
Messages
312
I did a power/cost calculation (made an Excel spread sheet) of buying new devices, and just like buying a hybrid to save gas--it doesn't pay out.

Yeah, I did the same. My new NAS will pay itself off in 2.5 years. $200+ for a nice little atom system will take a few more, like twelve.
 