URL filtering on EdgeRouter



  • I have a network where I only want the computers to be able to get out to Windows updates and their AV software. Both of those things work on URLs and not IPs. Is the correct way to go about this command line on the ER with some commands like:

    url-filtering {
        squidguard {
            redirect-url http://google.com
            rule 10 {
                local-allow windowsupdate.microsoft.com
                local-allow *.windowsupdate.microsoft.com
                local-allow *.update.microsoft.com
                local-allow *.windowsupdate.com
                local-allow download.windowsupdate.com
                local-allow download.microsoft.com
                local-allow *.download.windowsupdate.com
                local-allow test.stats.update.microsoft.com
                local-allow ntservicepack.microsoft.com
                source-group LAN-desktops
            }
            source-group LAN-desktops {
                address 192.168.10.2-192.168.10.254
            }
        }
    }

    Is there a better way to go about this?



  • You could do it through DNS filtering as well. But Squidguard should do what you want.



  • Well, the correct way is not to try to shoehorn this into your edge router, but if the site is small enough, yes, you can add the packages and do it this way.



  • Does Squidguard block HTTPS sites now? I used to have it set up on our pfSense firewall, but it didn't block HTTPS back when we used it.



  • @romo said in URL filtering on EdgeRouter:

    Does Squidguard block HTTPS sites now? I used to have it set up on our pfSense firewall, but it didn't block HTTPS back when we used it.

    Squid Proxy needs to be set up for it for SquidGuard to block HTTPS sites.
    Screenshot from pfSense using Squid 3 package



  • @black3dynamite But is it still doing a MITM to block it or is it doing it some other way?



  • @jaredbusch said in URL filtering on EdgeRouter:

    Well, the correct way is not to try to shoehorn this into your edge router, but if the site is small enough, yes, you can add the packages and do it this way.

    This would be for 4 computers and a server. Since the users won't be able to get on the internet and it's only Windows updates and AV updates that will generate traffic, I think they will be OK.

    Have you used this in a typical office environment? Where would you draw the line in terms of number of users/number of rules? I've never used the ER to filter on domains before.

