Wi-Fi Router Recommendations (Block HTTPS)

[Scutarius]

Hi,

Do you use any wifi router to block HTTPS sites? I am using OpenDNS but I am not satisfied with the functions.
I want to block the usual sites (FB, twitter, youtube) and be able to monitor each device.

Thank you

[timgiles]

You want to block individual sites, entering URL(s) - or all HTTPS traffic?

[Scutarius]

Individual sites, some old routers can easly be set to block HTTP but not HTTPS, so services like OpenDNS come handy.

[Shock]

[Berni]

Any proper router that's not a home use consumer toy will do it.

I personally use a MikroTik RB951G and it works great. Never needed a reboot, handles routing fragmented small packet data out of the WAN port unlike the majority of home grade routers and has all the features you get in the professional big rack mount routers that run entire office buildings since it runs the same software as those. Tho as a result configuring some stuff on it does need a lot more networking know how (or googling in my case)

For my particular router the solution would be to block outgoing port 53 (DNS) on the WAN port, this forces people to use the built in DNS server in the router. Then add manual entries into the DNS server that redirects lookups on those sites to a different IP. If you want to make sure you can also set the firewall to block all outgoing connections to the IP addresses of those sites on the WAN port.

Tho if you make me use your LAN i would quickly set up a VPN or Tor to tunnel my way out to the free uncensored internet, because im going to do what i want to do on the internet, not what some cranky IT nerd wants me to do.

[Scutarius]

Tho if you make me use your LAN i would quickly set up a VPN or Tor to tunnel my way out to the free uncensored internet, because im going to do what i want to do on the internet, not what some cranky IT nerd wants me to do.

Fair enough

Thank you

[Psi]

If you have a old PC space you could put two network cards in it and run smoothwall/monowall etc. on it.

[particleman]

Check out Pfsense. I have used it for close to 10 years now. Awesome firewall/router

[Berni]

Oh and PiHole can be used to block sites on a whole LAN via DNS. Its meant to block advertising, tracking and data mining parts of webpages, but you can add any web address you want to the block list.

https://pi-hole.net/

It can be run on a RaspberryPi with a ready made image or on any Linux machine that can run docker containers (These are sort of like portable packed apps in windows that run without any instalation, but its on linux).

[tooki]

By pure chance, I came across the Synology RT2600ac the other day, which apparently is extremely highly regarded, and one review said it’s one of the few routers that can block HTTPS.

[madires]

Blocking all HTTPS traffic is easy, just block TCP port 443 for traffic from LAN to WAN. A cheap SOHO router running OpenWrt can do this. If you want to block specific websites it will be more complicated. The best way would be to use a webproxy supporting blacklists. The alternative solution is a script which retrieves all the IP address of the websites to be blocked and then adds them to the firewall rules (TCP 443). The problem with that approach is that the IP addresses can change anytime (CDNs, load balancing, etc.).

[kaevee]

Blocking all HTTPS traffic is easy, just block TCP port 443 for traffic from LAN to WAN. A cheap SOHO router running OpenWrt can do this. If you want to block specific websites it will be more complicated. The best way would be to use a webproxy supporting blacklists. The alternative solution is a script which retrieves all the IP address of the websites to be blocked and then adds them to the firewall rules (TCP 443). The problem with that approach is that the IP addresses can change anytime (CDNs, load balancing, etc.).

As @madires pointed out blocking HTTPS based on IP address(s) can be messy and there is no guarantee.

As of now, your best bet is a commercial VPN appliance. Some of the commercial VPN appliances claim to give you application level (like youtube, BitTorrent) visibility. Few of these VPN appliances are offered on a trial. One can try them to find out if they work for a given use case.