Question Wireless Router/Firewall to block websites

[zillapod]

I'm looking for a decent wireless home router with good website blocking features. My old TP-Link could block tons of sites using target domains and rules, but I just upgraded to a TP-Link AC4000 but effectively you can only block 16 websites. The reason I need this is to block ALL adult content and search results. I use CleanBrowsing DNS which handles most of it, but there are 15 or so adult URLs we've found that aren't auto-blocked, and many search engines aren't safesearch enforced by cleanbrowsing and also return adult results to searches (yahoo, etc.) so I want to block those too.

I honestly just want something that is easy to maintain. Pointing to Cleanbrowsing DNS server takes care of 95% of it, then I want to be able to block websites on a per device basis like my old TP-Link lets me. As I test the Cleanbrowsing DNS filtering and come upon new websites that aren't properly blocked, I want to be able to blacklist them so I don't want some low upper limit of sites you can block like 16 or 32 like Linksys and TP-Link do. I want to keep adding more blocked sites over the years ahead. If easiest to just put a firewall appliance inline between the router and cable modem, I can do that too. OpenDNS isn't the right answer as it blocks across the entire network rather than just per device.

My old TP-Link WR841N blocks up to 64 sites and is simple to configure, I just want that same capability on newer hardware. Any ideas?

 

[SamirD]

Why did you upgrade in the first place? Was it only for the wifi?

 

[mxnerd]

OP needs to setup another device/PC running Pi-hole DNS (https://pi-hole.net/) and points router's DNS IP to it. (Linux only)

Don't think there are WiFi routers with built-in Pi-hole DNS yet.

The problem is, there is no way to block every single adult website in the world. There is just no way. New websites pop up everyday.

Someone must update the list (public ad-blocking DNS, of course you then have to wait for their updates) or you have to do it yourself, blacklist the websites with your own Pi-Hole DNS PC/device.

 

[zillapod]

Yes the upgrade is just to get GigE interfaces and improve WiFi. My old one is pushing 10 years old but still works.

To mxnerd, I know blocking all adult sites is impossible but my strategy is that if I can force safesearch on google and block all other search engines by url, then I can’t even really search for new adult sites popping up. Cleanbrowsing blocks most and forces google safesearch, so then I just need to block search engines and sites like twitter and tumblr with mixed content.

ive done all that easily on my rusty old TP-link, just wondering if I can still have that exact same capability on a new router or router firewall combination?

 

[mxnerd]

Google Search

Believe that most of the consumer routers will let you add your own websites to filter out.

The problem of course is that no one can tell you exactly how many entries you can set.

No vendor will tell you that until you have the product and test yourself.

I also don't have any parental control router or business class router/firewall.

==

See if you want to go with Ubiquiti EdgeMax router. Only you can determine whether it's simple or not. Edgerouter are really cheap compared to other business class router/firewall.

It's a bit hard to block plain website URL though since it requires text editing.

Amazon.com : Ubiquiti EdgeMax

Be noted that Edgerouter is wired only. You need to have AP to pair with it. Since you already have TP-Link AC4000, you can turn it into an AP.

 

[mxnerd]

Pi-hole 's URL black list will be a lot easier.
You get to keep using TPLink AC4000 as your router.

 

[killster1]

Pi-hole 's URL black list will be a lot easier.

do you have a goto model for a pfsense box? i am always overwelmed with choices on things like this. Something with 4+lan would be nice.

 

[mxnerd]

do you have a goto model for a pfsense box? i am always overwelmed with choices on things like this. Something with 4+lan would be nice.

I only test pfsense in VM. 🙂

Here is a review for a Protectli model.

Buy directly from Protectli or Amazon.

Protectli: Trusted Firewall Appliances with Firmware Protection

Secure your network with a trusted Protectli Firewall Appliance! Fully compatible with open-source software. US-based support, warranty and repairs.

protectli.com

Don't recommend its optional WiFi kit since pfsense's support for WiFi is extremely poor.

Be sure to choose model with AES-NI if you use VPN.

Amazon.com : Protectli

 

[killster1]

I only test pfsense in VM. 🙂

Here is a review for a Protectli model.

Buy directly from Protectli or Amazon.

Protectli: Trusted Firewall Appliances with Firmware Protection

Secure your network with a trusted Protectli Firewall Appliance! Fully compatible with open-source software. US-based support, warranty and repairs.

protectli.com

Don't recommend its optional WiFi kit since pfsense's support for WiFi is extremely poor.

Be sure to choose model with AES-NI if you use VPN.

Amazon.com : Protectli

wow i was actually looking at those already and bookmarked this one, https://www.amazon.com/Firewall-App...d=1&keywords=Protectli&qid=1587876064&sr=8-15
most likely i wont need the power of a 7200u cpu for the 500$ version, add my own ddr42x8gb and a small ssd that i have laying around and i should be good. hopefully a mSATA to SATA adapter will work fine.

 

[mxnerd]

wow i was actually looking at those already and bookmarked this one, https://www.amazon.com/Firewall-App...d=1&keywords=Protectli&qid=1587876064&sr=8-15
most likely i wont need the power of a 7200u cpu for the 500$ version, add my own ddr42x8gb and a small ssd that i have laying around and i should be good. hopefully a mSATA to SATA adapter will work fine.

It already supports mSATA. You don't need the adapter if what you have on hand is mSATA SSD.

Take a look at at review video at 3:00 mark, there are 2 mSATA slots, probably one for mSATA SSD and the other for WiFi kit.

Do contact vendor see if the optional "Internal 2.5" drive mount with SATA III Header" is included.

 

[killster1]

It already supports mSATA. You don't need the adapter if what you have on hand is mSATA SSD.

Take a look at at review video at 3:00 mark, there are 2 mSATA slots, probably one for mSATA SSD and the other for WiFi kit.

Do contact vendor see if the optional "Internal 2.5" drive mount with SATA III Header" is included.

well maybe i said it backwards because i have TONS of sata drives and not sure if i have any msata drives around. ill have to look at a teardown of the device OK i see in the i5 model they have a sata port next to the msata. NICE

 

[bfun_x1]

We use a first gen Disney Circle. It works pretty well for our 8 and 10 year old but we mostly use it to limit screen time. It has a pretty simple phone app interface and I can choose which devices bypass the proxy. It was well worth the $50 we paid for it. There is also a second gen but it has a monthly subscription fee.

https://www.amazon.com/Circle-Disney-Parental-Controls-Connected/dp/B019RC1EI8

 

[mxnerd]

well maybe i said it backwards because i have TONS of sata drives and not sure if i have any msata drives around. ill have to look at a teardown of the device OK i see in the i5 model they have a sata port next to the msata. NICE

The Celeron model also has SATA port, just don't know if the mounting kit is included or whether you have to purchase separately.

Be noted each pfsense port is meant for different network. If you want to use some of the ports as switch ports, you need to bridge them.

 

[SamirD]

Yes the upgrade is just to get GigE interfaces and improve WiFi. My old one is pushing 10 years old but still works.

So why not let your old router be the router and your new one be a switch and access point? Best of both worlds using what you already have.

 

[mxnerd]

So why not let your old router be the router and your new one be a switch and access point? Best of both worlds using what you already have.

Didn't think of that. 😁 I'm so focused on the blocking stuff.

Use the new router behind the old one is feasible too, and nothing to change as long as OP has no need to have 2-way communication between the 2 networks.

 

[SamirD]

Didn't think of that. 😁 I'm so focused on the blocking stuff.

Use the new router behind the old one is feasible too, and nothing to change as long as OP has no need to have 2-way communication between the 2 networks.

I'm very much from the 'fix only what is broken' camp. I hate changing stuff that works.

I actually would only set up the new router as an ap and let the original one route and handle all the blocking. Then you don't have any network issues either.

 

[Genx87]

Throwing in my hat for Sophos XG home edition. It is free and offers everything you require. Will need hardware to run it on. An old laptop or desktop will do. home edition is limited to 4 core\6GB of ram.