

Bol

@ngi.it

Content filter different by LAN1 and LAN2

Hi...
I have bought a USG-20 because I need to make two different subnets, one for clients and one private for the office, with different content filters.
I want to block social networks and sex-related content in the office, but for clients only the sex-related content.

I have tried the "Commtouch" content filter, but it doesn't block HTTPS calling.

Are there any other solutions?

Tnx to all


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe
You can assign different content filtering profiles to each source IP/LAN on the General tab in the Policies section (check the built-in help for details).

You can't content filter encrypted (https) traffic. USG simply does not have this capability. All you can do is enable/disable https (block destination port 443 on firewall).


Bol

@ngi.it
reply to Bol
Damn...

Is this a problem of the 20 version or of Zywall in general?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe

General. To content filter encrypted traffic you have to decrypt it first.

There are solutions for content filtering encrypted traffic, but they're typically costly and (to the best of my knowledge) always involve decrypting. The most commonly used is SSL proxy (man-in-the-middle) sniffing. ...google it.

If you need to filter HTTPS then you can work-around with DNS based filtering. Allow HTTPS for certain sites i.e. banks, kill https for facebook. ...this would require 3rd party service or to build your own. ...check opendns if they have something like this.

Alternatively white-list/black-list if you worry about small number of sites only.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Bol
The problem is the people you hire that are surfing porn instead of doing the work. Funny how everybody thinks it's the internet's fault LOL.


Bol

@ngi.it
reply to Bol
Ok...
I have tried with the OpenDNS system but I can't differentiate between LAN1 and LAN2. Or I can block only one of the 2 because OpenDNS works on my connection IP.

Is that correct? Or am I doing something wrong?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Brano
said by Brano:

You can assign different content filtering profiles to each source IP/LAN on the General tab in the Policies section (check the built-in help for details).

You can't content filter encrypted (https) traffic. USG simply does not have this capability. All you can do is enable/disable https (block destination port 443 on firewall).

What General Tab Policies Section??????????? Is this a USG20-only place, 'cause I don't see it on the USG300.

Why not have a standard nomenclature for locating configuration pages by starting at the top, as in oh Configuration, or Maintenance, and drilling down from there. Just a suggestion, for those of us that don't like obtuse directions.

Do you know what they call people that give hard to follow directions........... Vogons LOL.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Bol
Hey Bol, does that .it mean you're from Italy? No more answers until you send us some coffee!!!!


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to Anav
Configuration -> Anti-X -> Content Filter -> General - Policies


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to Bol
OpenDNS may not have a solution for your requirement for a specific LAN. I was just saying the DNS work-around approach may be a solution.


Bol

@ngi.it
reply to Anav
Yes...

Coffee for Anav...


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Brano
The question is can you drive a particular LAN to a particular DNS.

For example, LAN1 to OpenDNS and LAN2 to ISP DNS.
If not, is this a desirable feature??


Bol

@ngi.it
Yes, I can do that.

The problem is that I need to filter BOTH LANs, one for some content and the second for other content.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Then you need two different ISPs, as even if you bought a service with OpenDNS I think that you cannot differentiate accounts to LANs.

Now if there was a different online service on the net, then you could point to different DNS servers and then assign each to a particular LAN......

breto

join:2013-03-12
Lake Zurich, IL
reply to Bol
You could do this with dnsredirector.com (software) but it would require that you have 2 servers, one behind each interface.

The only way to do it with OpenDNS or DNS Redirector cloud servers is if each network (LAN1 / LAN2) can be NAT'ed to a different WAN IP (would require multiple IPs from your ISP)
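
Added example, not part of any post in this thread: a small Python model of why a resolver behind each interface can apply a different category policy per LAN, while a cloud resolver that only sees the post-NAT WAN address cannot unless each LAN is NAT'ed to its own WAN IP. All subnets, WAN addresses, category names and domains are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: subnets, WAN addresses and domains are placeholders.
CATEGORY_DOMAINS = {"adult": {"adult-example.test"}, "social": {"social-example.test"}}
LAN1 = ipaddress.ip_network("192.168.1.0/24")  # clients: block adult only
LAN2 = ipaddress.ip_network("192.168.2.0/24")  # office: block adult and social
LAN_POLICY = {LAN1: {"adult"}, LAN2: {"adult", "social"}}


def categories_for(domain):
    """Categories whose listed domains equal `domain` or one of its parents."""
    labels = domain.lower().rstrip(".").split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return {cat for cat, doms in CATEGORY_DOMAINS.items() if doms & suffixes}


def decide(blocked_categories, domain):
    """BLOCK when the name falls in any category this policy blocks."""
    return "BLOCK" if categories_for(domain) & blocked_categories else "ALLOW"


def local_resolver(client_ip, domain):
    """Resolver behind each interface: it sees the real client address."""
    addr = ipaddress.ip_address(client_ip)
    for net, blocked in LAN_POLICY.items():
        if addr in net:
            return decide(blocked, domain)
    return "BLOCK"  # unknown source: fail closed (a choice made for this example)


def cloud_resolver(client_ip, domain, nat_map, policy_by_wan):
    """Cloud resolver: it sees only the post-NAT WAN address of the query."""
    addr = ipaddress.ip_address(client_ip)
    wan = next(w for net, w in nat_map.items() if addr in net)
    return decide(policy_by_wan[wan], domain)


# One shared WAN IP: a single policy has to cover both LANs.
ONE_WAN = {LAN1: "203.0.113.10", LAN2: "203.0.113.10"}
ONE_POLICY = {"203.0.113.10": {"adult"}}
# One WAN IP per LAN: the cloud service can tell the LANs apart again.
TWO_WAN = {LAN1: "203.0.113.10", LAN2: "203.0.113.11"}
TWO_POLICY = {"203.0.113.10": {"adult"}, "203.0.113.11": {"adult", "social"}}

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.2.20"):
        name = "www.social-example.test"
        print(ip, local_resolver(ip, name),
              cloud_resolver(ip, name, ONE_WAN, ONE_POLICY),
              cloud_resolver(ip, name, TWO_WAN, TWO_POLICY))
```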