RESET Forums (homeservershow.com)

Website logging / filtering at User Level - best solution?



Hi guys - long time listener to the podcast, but first time poster!


I'm after a bit of a steer on a suitable home network product for web filtering and monitoring.


I've had an N36L running WHS2011 for the last 4 years which handles the below tasks :-


* DHCP and DNS for local network

* RADIUS server for Wireless AP access (using the WHS user accounts as authentication so household have a 'single sign-on' across devices).

* Cloudberry syncing to Amazon S3 / Glacier for home photo/video & document backups

* No-IP updater (ISP supplied router only supports Dynamic DNS so stopped using that last year!)

* OpenDNS updater (use OpenDNS as my external DNS forwarder and filter out non-family friendly websites)

* iTunes (standard app) to support iPad / iPhone and Apple TV content through HomeSharing

* NFS share for a virtualisation share to ESXi VM box


I've also experimented with the following services but switched them off due to processor load



* Windows Deployment Server


The N36L box is using standard hardware, only upgraded the RAM (to 8GB) and installed a dual gigabit NIC (which isn't currently being used).



My latest project is trying to find a suitable product which will provide website logging at a user ID level. I've not looked in depth at Sophos UTM or Squid, but from a quick glance in a VM they seem to only offer IP-based reporting and filtering. I've also experimented in the past with Forefront TMG 2010 under Technet, but again couldn't get it to report at a user ID level.


I'm hoping there's a solution which will allow me to get the following features :-


1) User level authentication to connect to the network (either Wired or Wireless - already have this via the RADIUS server for Wireless and presume I can do something similar for Wired).


2) Access filtering based on user - so parents get full access to the network and internet, whilst the kids get a restricted access to the network and content filtering on the Internet


3) Website reporting based on user - so kids' website visits are logged at a name level, rather than a device IP level as seems to be the case in the default Squid configuration.


4) Proxy site caching - broadband link is very poor in my area. I can only get 10mb down, 1mb up on an ADSL link so anything which will cache Windows Update content (often spinning up new VMs for testing) and frequent videos (kids love Minecraft videos!) will improve the wider performance for the household.


5) Possible guest wireless network (I have 2 x TP-Link WA901ND Access Points and an AirPort Express, the ISP Router is pretty bad, but can't be switched into a Modem only mode and also can't easily be replaced as the ADSL uses MER as its authentication).


So - any ideas from the community on what solutions I could use?




Link to comment
Share on other sites
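One way to get the per-user report asked for in point 3 from IP-level proxy logs, shown as an added example that is not part of the original post: join Squid's native `access.log` (whose user field is `-` when proxy authentication is off) with the login windows recorded by the RADIUS server. It assumes RADIUS accounting records and DHCP leases have been exported into the simple structures below; all names, addresses and log lines are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample data (not from the thread).
# RADIUS accounting sessions: (user, client MAC, start epoch, stop epoch)
RADIUS_SESSIONS = [
    ("parent", "aa:bb:cc:00:00:01", 1000, 5000),
    ("child1", "aa:bb:cc:00:00:02", 1000, 2000),
    ("child2", "aa:bb:cc:00:00:02", 3000, 4000),  # shared tablet, second login
]
# DHCP leases: MAC -> IP
DHCP_LEASES = {"aa:bb:cc:00:00:01": "192.168.1.10",
               "aa:bb:cc:00:00:02": "192.168.1.20"}
# Squid native access.log lines; field 8 is the user, "-" without proxy auth.
SQUID_LOG = """\
1500.000 120 192.168.1.20 TCP_MISS/200 5120 GET http://videos.example/minecraft - DIRECT/203.0.113.5 text/html
3500.000 80 192.168.1.20 TCP_HIT/200 900 GET http://games.example/ - NONE/- text/html
2500.000 95 192.168.1.20 TCP_MISS/200 700 GET http://unknown.example/ - DIRECT/203.0.113.9 text/html
1200.000 60 192.168.1.10 TCP_MISS/200 300 GET http://news.example/a - DIRECT/203.0.113.7 text/html
"""

def build_index(sessions, leases):
    """Map each IP to its list of (start, stop, user) login windows."""
    index = defaultdict(list)
    for user, mac, start, stop in sessions:
        if mac in leases:
            index[leases[mac]].append((start, stop, user))
    return index

def attribute(log_text, index):
    """Return {user: Counter(host -> hits)}; unmatched requests go to 'unattributed'."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # skip truncated or malformed lines
        ts, ip, url, ident = float(f[0]), f[2], f[6], f[7]
        # Prefer the proxy-authenticated name; otherwise fall back to the login window.
        user = ident if ident != "-" else next(
            (u for s, e, u in index.get(ip, []) if s <= ts <= e), "unattributed")
        host = urlsplit(url).hostname or url  # CONNECT lines carry host:port
        report[user][host] += 1
    return report

if __name__ == "__main__":
    result = attribute(SQUID_LOG, build_index(RADIUS_SESSIONS, DHCP_LEASES))
    for user, hosts in result.items():
        print(user, dict(hosts))
```

The request at 2500 falls between the two logins on the shared device, so it is reported as unattributed rather than guessed; a device whose IP changes mid-session would need lease start and end times added to the join.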

User level logging and filtering is a big ask especially if you don't want to pay. Drashna might know but I have no idea!

Sophos will handle all you want but I suspect only at a device (IP) level.


Such a program would have to be embedded into the Windows Active Directory Domain Service.

Link to comment
Share on other sites

Hi Poppapete


Thanks for replying!


Bit of a shame there's nothing out there - have been hoping it would be exactly the type of solution more people would be after as their families grow up in this day and age. I think I'll have another play with Sophos UTM and use the IP level for the mobile devices and keep using the Windows Family Safety on the PCs together with OpenDNS for the house and see how I get on - would like a Proxy solution for the downloads though!


Thanks again!

Link to comment
Share on other sites

Don't know how old your children are but from my experience (with Grandchildren) they all have their own devices by the time they are in later primary school. Thus IP level control will work. However in my opinion it is a complete waste of time and effort because they will be online at a friend's place or on a smartphone where you have no control. Best solution is to form a good relationship with your family, formulate rules and trust them.


However, Sophos has detailed reporting facilities, including real time graphs. It is very easy to look back over a time period to see which local IPs have been where and when.

  • Like 1
Link to comment
Share on other sites



My girls are 5 and 10 so it's more about stopping them straying onto inappropriate websites (which OpenDNS does a reasonable job of already in fairness) and we've already got pretty good ground rules with them around what they can and can't go on and when they are allowed to use the devices. Totally agree education and relationship building is key to this and technology should only ever be a single layer of defence in your approach to internet safety with your kids.


Sounds like I need to fire back up Sophos and have another play with its functionality.


The question now is whether I should turn the N36L into an ESXi box and run Sophos and WHS2011 as VMs on it so I can make use of the additional network ports, or whether the N36L is too underpowered and I should look to have a separate box running the gateway security?

Link to comment
Share on other sites

I do like having my UTM on a separate box, mostly so that it doesn't have to be rebooted just because another computer has installed updates. I think the viability of using an N36L for what you want will depend on how you want to use the WHS2011.

Link to comment
Share on other sites

I think it's pretty important to have the UTM in a separate box. If it is set up properly it will run for a year or more without the need for a reboot. Sophos has many category filters, country filters, ad filters which can be switched off or on in a matter of seconds as required.

  • Like 1
Link to comment
Share on other sites

Get a cheap Intel Atom D2550 CPU. It's a dual core with hyperthreading CPU, 1.8GHz, IIRC. 

I use it personally as my Sophos UTM device. The CPU uses less than 20% for the most part. The most taxing part being virus scans of downloaded files. :)


As for "away from home"..... if you set up the VPN on the router and configure it for their devices, that may get you the protection you want.

Android supports the IPSec VPN, and you can use that. And while I haven't really looked into it, Android does have an "Always on VPN" option. It requires using IP addresses vs just DNS names... it would be perfect for what you want (from the sounds of it).

I'm not sure about iOS devices, but those should support VPN as well. And it sounds like at least iOS7 supports always on VPN. 

Link to comment
Share on other sites
