Block Some Sites/Ports on Network

We have a network set up at our office that looks like this:

    - A Linksys WRT54G wireless router, with WEP
    - Several laptops connected to the router wirelessly, with dynamic IPs
    - One networked printer (Canon ImageRunner), with a static IP
    - One dedicated server running Windows Server 2000, with static IP/DNS settings, and an open drive share that all the other computers access.
    - We're using Rogers as our internet provider.

I need to set up the network so that certain websites and services are blocked. In particular, facebook, as well as Yahoo and MSN Messenger.

I don't want to put "net nanny" software on every laptop. An intelligent user can circumvent client-side stuff like that. It ought to work on *any* computer connected. E.g. I should be able to bring my laptop in from home, connect to the wireless network and still be blocked.

I was thinking of setting up a proxy server on our dedicated server, with the appropriate censoring rules in place, but the computers would have to use the proxy server instead of connecting directly to the internet, and I don't know how I could enforce that on the laptops. That is to say, what stops someone from turning off the proxy settings on the laptop and connecting directly?

Or maybe the linksys router itself has some parental-control type features I don't know about?

I also have no idea what kind of proxy software exists, what comes with Windows Server 2000.... and how to configure it X_X.

Can anyone help point me in the right direction? What's the right way to do this?

The best route would be using a proxy. You can enforce this through Group Policy on the Windows 2000 server, providing the laptops are part of the domain.

The other option is to upgrade the Linksys to a firewall appliance (you could still use the Linksys just for wireless). An affordable firewall that could block these sites is a Draytek 2800/2900 series.

You could also do this using the hosts file. This would not block access to MSN as it is IP based, but you could block Facebook etc. and then push the hosts file out using the logon script.

I'm going to say the most simple solution for you will be to upgrade your Linksys with the DD-WRT firmware. This link will provide you several step-by-step examples of how to accomplish this.

Once that is configured you will be able to do almost anything with your newly mighty router. This is a feature list of it.

Basically, once you have that accomplished you will be able to go under Services and then set up blocking for the ports that Messenger uses:

    IN TCP 1863
    IN UDP 1863

and also add the websites to the restricted list.

Good luck!
I would agree with my comrade smckellar83. However, since they are laptops I would assume your people move around with them, perhaps take them home or to client sites; by setting up your Linksys with new firmware it will only affect people when they are onsite. Also you can boost your signal power of wireless transmission (don't put it too high).
The linksys router is going to limit what you can do and while I love how you can modify the software I wouldn't recommend it.  How would you explain to your boss that the office network is down because something went wrong with the hack?

For a small office environment I would use a Cisco 871W router which will give you the firewall, wireless, and allow you to close all the ports you want.  The firewall is stronger than the Linksys as well.

I would also use OpenDNS for your DNS servers. If you sign up for the free account, they can provide web site filtering (adult sites, phishing, etc.) and also allow you to manually block sites as well.

To prevent users at your office from using other external domain controllers, you can add an Access Control List entry to your 871 to force users to use the opendns name servers.

I started reading what I wrote and noticed a mistake.

The 871 can provide DHCP for your users.  To prevent users at your office from using other NAME SERVERS, you can add an Access Control List entry to your 871 to force users to use the opendns name servers when they are in the office.
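Both ideas in this thread, dropping the Messenger ports at the router and only letting DNS queries leave the LAN towards the OpenDNS resolvers so that pointing a laptop at a different name server does not sidestep the filtering, can be written as a DD-WRT style firewall script. The following is an added example, not code from this thread or from the DD-WRT project; it assumes the LAN bridge is named br0 and that the OpenDNS public resolver addresses shown are the ones your account uses.

```shell
#!/bin/sh
# Added example: egress filtering for a DD-WRT router, in the style of
# its "firewall script". Assumptions: LAN bridge is br0 and the OpenDNS
# resolver addresses below are current (confirm them in your account).
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

LAN_IF="${LAN_IF:-br0}"                  # assumed DD-WRT LAN bridge name
BLOCKED_PORTS="${BLOCKED_PORTS:-1863}"   # MSN Messenger port from the thread
ALLOWED_DNS="${ALLOWED_DNS:-208.67.222.222 208.67.220.220}"  # OpenDNS resolvers

# Wrapper so the same functions can be previewed off the router.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Drop LAN->WAN traffic to the blocked ports on both TCP and UDP.
# -I puts the rule at the top of FORWARD, ahead of DD-WRT's own ACCEPTs.
block_ports() {
    for port in $BLOCKED_PORTS; do
        for proto in tcp udp; do
            ipt -I FORWARD -i "$LAN_IF" -p "$proto" --dport "$port" -j DROP
        done
    done
}

# Only the listed resolvers may be reached on port 53 from the LAN.
# The DROP is inserted first; each ACCEPT inserted afterwards lands above
# it, so the final order is ACCEPT(resolvers) then DROP(everything else).
restrict_dns() {
    for proto in tcp udp; do
        ipt -I FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
    for ip in $ALLOWED_DNS; do
        for proto in tcp udp; do
            ipt -I FORWARD -i "$LAN_IF" -p "$proto" -d "$ip" --dport 53 -j ACCEPT
        done
    done
}

# Apply only when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    block_ports
    restrict_dns
fi
```

Run `DRY_RUN=1 sh egress-filter.sh apply` on any machine to preview the rule set; on the router, paste the two functions into the DD-WRT firewall script and call them without DRY_RUN.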
Hello. You can use a content filtering product at the gateway. I have used SurfControl (Websense), Barracuda, SonicWall and others. For the small office the SonicWall would be my choice with the content filtering service added. A quick internet search found the fee for the 2 year content filtering at 295.00 and the TZ150 unit for about 350.00 with one year included.
Frosty555 (Author) commented:
To give a little more information:

SmcKellar: The laptops and computers actually aren't on a domain >_> it's a regular workgroup style network, so group policies aren't an option... but perhaps there's another way to enforce the use of the proxy? Is it possible to deny access to the internet from all machines except the main server, using the linksys router?

ChiefoftheChiss: Surprisingly, no, the laptops are never taken home. They're shuffled around the office (on wireless), but aren't taken off the network.

Matt1705: Are you suggesting signing up for a free alternative DNS service, and then changing the router to use that DNS instead of the DNS provided by Rogers, in order to filter out unwanted websites? I understand, but how does me signing up for an account there factor into it? Do users need to enter this information to connect to the internet? Can you explain a bit further?

CheifoftheChiss: I'm very tempted by the firmware hack. The router's not under warranty anymore. The price of these routers is going down too; if I brick the router I'll have a spare with me to swap in just in case ;) and the people at my office wouldn't mind the change since it doesn't really affect them. But I'm concerned about its reliability. Does it actually work well?
You can go to OpenDNS and sign up for an account. Then you can specify the IP of the office and what you want blocked. You just set the OpenDNS servers in the Linksys router and have the client computers use DHCP for DNS. You can even set a custom graphic and message for when people try to visit offending sites.

It takes about 10 minutes to setup and you just need to flush caches to get it going.

Sure someone could use their own dns servers but I doubt many people would know how or what to put in there...
If the Linksys is out of warranty I would be replacing it. Put in a Draytek, only a couple hundred, and you can filter everything from P2P traffic to keywords in websites.
With the disclaimer of possible problems, I have installed this router for multiple customers and they have loved it. The largest site where I have implemented it has about 10 fairly heavy users and 15 light users, with zero downtime caused by the router.
I definitely agree with my fellow experts that if you have $300 - $500 to throw at new equipment you probably wouldn't go wrong. However, based on my experience with this solution as well as the (as you mentioned) EXTREME cheapness of the WRT54G router, you get a lot of performance and simple redundancy. In case of a problem, just have a second one handy and back up your original configuration file that you have currently as well as the file you set up with the new firmware, and you will have almost 0 downtime if something does happen. (As an added bonus, set up a backup one with the config file you are currently running; that way, even if you are on vacation and it goes down, you can easily walk someone through replacing the dead one over the phone.) That is all worst case though.

I've yet to have one fail for either myself or other members of our team who have set this up. Sure, it's not an enterprise-class solution, but neither are most companies' IT budgets :(
Frosty555 (Author) commented:

Well, after some extensive reading on DD-WRT... I've decided it isn't worth it. My router is a Linksys WRT54G v5, one of their "neutered" routers, and there's quite a large wiki page on their site talking about all the reasons why my particular router isn't easily moddable. The number of complexities in the project tells me that I've got a better chance at bricking my router than modding it, and if I do mod it, I can only put the micro version of DD-WRT on it anyway. Will that have all the features I want? Who knows.

What else I found out is that the Linksys's firmware itself actually lets me block specific domain names and ports! Or... at least, two ports and four domain names. That's a lame excuse for a content filter, but it works.

So I will use this to block MSN/Yahoo, and combine it with OpenDNS to block specific websites. And I'll campaign for a better-quality router one day (perhaps a Draytek, as was suggested here).
Frosty555 (Author) commented:
So, I divided up the points split between CheifoftheChiss, for the DD-WRT firmware hack, and to Matt, for suggesting

A couple of points to x86fix for the additional information, but what I was actually looking for from you is an explanation of how signing up with OpenDNS gets tied into your actual usage of the DNS server... I had figured all the rest of the stuff out ;) The answer to that was: you map your IP address to your account on OpenDNS, and use a Dynamic DNS updating client to keep OpenDNS up to date.

Anyway, I went with OpenDNS, but another person visiting this page might very well go with DD-WRT. Had DD-WRT looked more reliable it would probably be the better solution, so points for that so that someone looking at this question will see that suggestion.

I'd say that is a very good assessment of the situation!