The Ubiquiti gateways are very limited in what they can do as they are not a UTM solution. (They are basically a managed version of a consumer router at best.) Your only option without changing the gateway is going to be looking at a DNS based solution like OpenDNS or ChurchDNS. You should then be able to block DNS server use other than theirs, however you’re not going to be able to block VPNs or other ways of bypassing it. Let’s just summarize what you’ll be able to accomplish as minimal best-effort.
Chris, thanks. I have talked with our IT support company and found out they already use OpenDNS to block adult content and other things like malware sites.
We currently use a combination of ChurchDNS and ThirtySeven4.
We also use a combination of ThirtySeven4 and ChurchDNS (now ScoutDNS). They’ve come in very helpful.
We use a Sonicwall Firewall with a subscription service for blocking content.
Since we also run a K-8 school, we have a WatchGuard firewall server that also gives us the ability to filter content.
For the record, Unifi routers do currently have some rudimentary ability to block some traffic/sites based on DPI. I regularly use it on P2P but it’s not one of those UTMs or proxy devices that uses a middle SSL certificate. That being said, the Unifi USG line will have more UTM features added during 2019, but you would probably need an XG or maybe Pro to keep enough throughput without the hardware acceleration.
If your provider is using Cisco Umbrella (the commercial version of OpenDNS) then that is usually enough to do some content filtering (although they like to remind their partner service providers that they are primarily a layer of malware/phishing defense and that they shouldn’t be considered the primary content filter). For reference though, beyond using a UTM to block (which isn’t all that great in our mobile device era) you can use a proxy on-site (same mobility issue but leaves the Unifi gear to do what it’s great at), there are some antivirus products that include content filtering (Bitdefender Gravity Zone for example), and there are DNS based products like the aforementioned Umbrella and Webroot (these can suffer the same problem as a UTM or proxy unless you use the agents on endpoints that are mobile).
We use iBoss, which is geared more towards the education market.
We use Barracuda Web Security Gateway, and ThirtySeven4 AV.
You can look to use Adguard or AdguardDNS, which will stop some problems. However, to limit adult content yourself you really need to set up an internal web proxy server, ideally using a layer 4 redirect on your router. You can do this using something like a BlueCoat proxy system, which is a very effective commercial solution and is used by ISPs who provide such service. If you have the skillset and limited budget, you can achieve a reasonable level of control by using a Linux-based proxy such as Squid running the open-source DansGuardian.
Thanks to everyone that replied to this topic. I have learned a lot from your responses and I am very grateful for all your help on this.
If you have Bitdefender GravityZone then you can use the web filtering feature. Since it is client based, the content filtering works outside of office network as well.
Note that you can either get Bitdefender GravityZone through Techsoup for up to 50 users or through one of the re-sellers like Bradford. (bradfordsoftwarelicensing.com) I could get better rates through Bradford than Bitdefender directly. Make sure you identify yourself to them as a non-profit.
Bitdefender works on both Mac and PCs.
Ours is OpenDNS (with other-DNS-blocking), and on our public Wi-Fi, we also block things like VPNs. Pretty much only 80 and 443 are allowed out from the public Wi-Fi.
https://pi-hole.net/ is pretty easy to set up and use. Despite the name it can run in a VM - but if you are a smaller church Raspberry Pis are cheap, easy to set up and effective. Change your DHCP server to hand out the Pi-hole for DNS, and block outbound DNS for everything but the Pi-hole in your USG.
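The two gateway rules in this post (allow DNS only to the Pi-hole, and, from the earlier post, let the guest Wi-Fi out on 80/443 only) are easy to get wrong by ordering them badly. The following is an added example, not Pi-hole or Ubiquiti code: a small first-match policy evaluator that shows which constructed flows a correctly ordered rule set allows or drops, and what happens when the two DNS rules are swapped. The resolver address, VLAN ranges and external addresses are all assumed values.

```python
"""Egress policy simulator for the setup described above (DHCP hands out the
Pi-hole, the gateway permits DNS only to the Pi-hole, guest Wi-Fi gets only
TCP 80/443). Added example, not Pi-hole or UniFi code; every address and rule
here is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
PIHOLE = ip_network("10.0.0.53/32")   # assumed Pi-hole address
GUEST = ip_network("10.10.0.0/24")    # assumed guest Wi-Fi VLAN
STAFF = ip_network("10.20.0.0/24")    # assumed staff VLAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "drop"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    protos: Tuple[str, ...] = ("tcp", "udp")
    dports: Optional[Tuple[int, ...]] = None   # None matches every port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and f.proto in self.protos
                and (self.dports is None or f.dport in self.dports))


# First match wins, so the DNS allow must sit above the DNS drop.
POLICY: List[Rule] = [
    Rule("dns-to-pihole", "allow", dst=PIHOLE, dports=(53,)),
    Rule("dns-elsewhere", "drop", dports=(53,)),
    Rule("guest-web", "allow", src=GUEST, protos=("tcp",), dports=(80, 443)),
    Rule("guest-other", "drop", src=GUEST),
    Rule("staff-any", "allow", src=STAFF),
    Rule("default-drop", "drop"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule matching the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "drop", "implicit-drop"


def dns_bypass_attempts(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Flow]:
    """Flows that tried to reach a resolver other than the Pi-hole."""
    return [f for f in flows if evaluate(f, policy)[1] == "dns-elsewhere"]


# Constructed sample flows; 203.0.113.53 stands in for an external resolver.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.0.0.53", "udp", 53),      # guest -> Pi-hole: allowed
    Flow("10.10.0.5", "203.0.113.53", "udp", 53),   # guest -> outside DNS: dropped
    Flow("10.10.0.5", "198.51.100.10", "tcp", 443), # guest web: allowed
    Flow("10.10.0.5", "198.51.100.10", "tcp", 22),  # guest SSH: dropped
    Flow("10.20.0.7", "198.51.100.10", "tcp", 22),  # staff SSH: allowed
    Flow("10.20.0.7", "203.0.113.53", "tcp", 53),   # staff -> outside DNS: dropped
    Flow("192.168.99.1", "198.51.100.10", "tcp", 80),  # unknown VLAN: dropped
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
    print("bypass attempts:", dns_bypass_attempts(SAMPLE_FLOWS))
```

Swapping the first two rules makes the Pi-hole itself unreachable on port 53, which is the usual cause of "the internet broke after I added the DNS rule"; the evaluator makes that visible before the change goes on the gateway.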
I’m on the fence with the paid solutions. They are marginally better and might have better user interfaces but Pi-hole is pretty amazing for being freely available, and most have had higher subscription costs than I otherwise spend on IT in a year.
Sadly, with DNS over HTTPS, VPNs over HTTPS and more, content filtering is more and more a lost cause. And anyone doing man-in-the-middle SSL filtering on a guest network would be better off using random limited-time guest voucher codes for the guest network and RADIUS to authenticate users to the private staff networks. Unifi supports both use cases very well with plenty of examples in their community forums.
The problem with Pi-Hole is you’re still on the hook for getting, validating and monitoring the quality of block lists. Perfectly acceptable for someone at home who has a lot of time on their hands, or doesn’t mind the Internet occasionally going down to troubleshoot.
I’d generally recommend OpenDNS Family Safety over Pi-Hole for someone who doesn’t have time to spend babysitting a solution, especially if they aren’t a relatively skilled Linux admin.
Meh - you have to monitor any block list. None of them are perfect. I’ve been messing with block lists from various vendors since the ’90s (SurfControl SuperScout anyone?) and none are “fire and forget”.
Aside from dropping to the command line to update the Pi-hole software itself, everything else is done from inside the GUI. Linux knowledge is absolutely not needed, any more than I need to know Linux because my TiVo happens to run it under the covers.
If you want a true appliance with a seamless user experience then sure the commercial solutions will offer that - for a cost. If you have the funds more power to you. Some of us are in environments with extremely tight funding; having something that requires a bit more finesse (but not that much more, really) is better than not having anything.
I’d love something with the ease of use of Pi-hole but the flexibility of pfBlockerNG on pfSense. Someday…
NxFilter is another amazing DNS filtering solution, but it isn’t nearly as plug and play as either Pi-hole or pfBlockerNG on pfSense.
The real issue is with encryption becoming pervasive, is any of this going to matter more than a year or two at most?
It’ll matter, as you can still force people to use your own DNS, unless major services start running TCP DNS on ports 80/443.
126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11 all run DNS over HTTPS (443) which is natively supported in Firefox, so I’d say it’s already readily available.
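Once resolvers answer over 443, the gateway rule above no longer sees the lookups, but the bypass still leaves a trace: a client that connects to an address the internal resolver never handed it must have resolved the name some other way (DNS over HTTPS, a VPN, or a hard-coded IP). The following is an added example, not code from the thread or from any product, of that correlation run over constructed resolver and gateway connection logs; the addresses, timestamps and the one-hour window are assumptions, and a CDN-heavy network will need an allowlist for destinations reached from cached answers.

```python
"""Heuristic detection of clients that bypass the internal resolver (DNS over
HTTPS, VPN tunnels, hard-coded IPs). Added example, not code from the thread or
any product; logs and addresses are constructed. Idea: a TLS connection to a
destination the internal resolver never returned to that client is suspicious."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: int        # epoch seconds (constructed)
    client: str
    qname: str
    answer: str    # A record the resolver returned


@dataclass(frozen=True)
class Conn:
    ts: int
    client: str
    dst: str
    dport: int


# Constructed resolver log (what the Pi-hole / OpenDNS forwarder answered).
RESOLVER_LOG: List[DnsAnswer] = [
    DnsAnswer(100, "10.10.0.5", "example.org", "198.51.100.20"),
    DnsAnswer(130, "10.10.0.5", "www.example.com", "198.51.100.21"),
    DnsAnswer(200, "10.10.0.9", "example.net", "198.51.100.22"),
]

# Constructed gateway connection log (outbound flows seen by the USG).
CONN_LOG: List[Conn] = [
    Conn(101, "10.10.0.5", "198.51.100.20", 443),   # resolved 1 s earlier: fine
    Conn(135, "10.10.0.5", "198.51.100.21", 443),   # resolved 5 s earlier: fine
    Conn(140, "10.10.0.5", "203.0.113.9", 443),     # never resolved: flagged
    Conn(150, "10.10.0.5", "203.0.113.9", 80),      # port 80 not checked here
    Conn(205, "10.10.0.9", "198.51.100.22", 443),   # fine
    Conn(300, "10.10.0.40", "203.0.113.9", 443),    # client never used the resolver
    Conn(301, "10.10.0.40", "203.0.113.9", 443),
    Conn(302, "10.10.0.40", "198.51.100.20", 443),  # another client's answer: flagged
    Conn(5000, "10.10.0.5", "198.51.100.20", 443),  # answer older than window: flagged
]


def unresolved_destinations(dns: List[DnsAnswer], conns: List[Conn],
                            window: int = 3600,
                            ports: Tuple[int, ...] = (443,)) -> Dict[str, List[Tuple[int, str]]]:
    """Per client, connections on `ports` to an IP the resolver did not return
    to that same client within `window` seconds before the connection."""
    seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for a in dns:
        seen[(a.client, a.answer)].append(a.ts)
    flagged: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for c in conns:
        if c.dport not in ports:
            continue
        times = seen.get((c.client, c.dst), [])
        if not any(c.ts - window <= t <= c.ts for t in times):
            flagged[c.client].append((c.ts, c.dst))
    return dict(flagged)


def dns_silent_clients(dns: List[DnsAnswer], conns: List[Conn],
                       min_conns: int = 3) -> List[str]:
    """Clients with at least `min_conns` HTTPS flows but no resolver queries at
    all; the strongest hint that name resolution is happening elsewhere."""
    talkers = Counter(c.client for c in conns if c.dport == 443)
    askers = {a.client for a in dns}
    return sorted(cl for cl, n in talkers.items() if n >= min_conns and cl not in askers)


if __name__ == "__main__":
    for client, hits in unresolved_destinations(RESOLVER_LOG, CONN_LOG).items():
        print(client, "->", hits)
    print("DNS-silent clients:", dns_silent_clients(RESOLVER_LOG, CONN_LOG))
```

The window should roughly track the TTLs the resolver hands out; a long-lived browser connection reused past the TTL will otherwise show up as a false positive, which is why this is a review queue for the admin rather than an automatic block.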
I’m definitely with Alex on this one, a Pi-hole just isn’t something meant to be used in an organization, it’s more of a hobbyist thing. Beyond that, I often ask myself “if I were called to the witness stand, how would a reasonable jury react to my choice of software/hardware?” There is no way I want to say “Pi-hole” on the witness stand!
This is one of three main reasons we went with Meraki at our church.
Blocking is ridiculously simple. For our guest WiFi:
Those get everything we need, really. On the Office network:
We could do more, but the general idea is to not make it feel like Big Brother is in there. Rather, we help make staff feel safe.
I understand licensing costs are a concern, but our MX84 has made what used to be complicated and patchy, at best, into a robust and generally sure thing. We don’t have any full time IT staff at my church; I voluntarily manage this and other things. Also, being a Meraki partner, I was able to get the equipment and licenses discounted. Find a partner that’s willing to work with you for pricing. Tell them you’re a church and see if they’ll give it to you at cost.
We moved from a SonicWALL that worked fine, and had a paid content filter component that seemed to work okay. Had endless issues with the wireless though.