Tutorial Please!!!

[Sarah Poulin]

I have no idea how to start with NxFilter. This is my current set-up: I loaded DD-wrt firmware on a router, and pointed it to OpenDNS IP addresses. I can configure the categories in OpenDNS via the dashboard online. OpenDNS works great for blocking things like pornography, and even social networking and games and things like YouTube. But I don't want to block social networking and videos permanently like I do with the porn. So I attempted to set time restrictions through DD-wrt. The problem is that there are too many sites out there to block each and every game site, each and every photo sharing site, each and every video share site, etc.

So... I began manually logging into the OpenDNS dashboard and checking and unchecking the categories at specific times. Obviously this is a big pain in the butt.

Then I ran into NxFilter. But I don't understand it. I downloaded something (I don't even know what it is or how it works), and I log into some sort of dashboard in my browser. It looks local (and not like an online dashboard like OpenDNS) because it says "http://localhost/" in my browser. What have I just installed?

What exactly is this? I go to config, and I can enter in DNS Servers. I was told that NxFilter uses "Shallalist": http://nxfilter.org/tutorial.php#shallalist

I went to the website, and I don't understand how to implement "Shallalist". I was also told that I can use OpenDNS. So I put in the OpenDNS IP addresses like I would in the router. But would it conflict if I put it both in the NxFilter dashboard and also in my router? Why am I doing it twice? Can I somehow use NxFilter to time restrict certain OpenDNS categories? If not, how do I use NxFilter and "Shallalist" to time restrict certain categories?

Can some please give me a step by step tutorial on how to do what I am hoping to do? Complete with "click on the 'Config' menu, under the DNS Setup heading, enter 'blah blah blah' in Resolving DNS server #1." I'm sure you get what I mean. I have NO IDEA what I am doing with this.

Also, in order to implement Nxfilter, do I need to have my computer on at all times? I don't understand what exactly is running and why. If there is already a tutorial out there, please direct me to one!

[Jinhee]

You'd need to have a dedicated server for NxFilter. There are several home users for NxFilter but basically
it's for enterprise users not for home users. You install it on your own network and you can monitor and restrict
internet usage in your network with authentication. With OpenDNS basic you can't have authentication and that's
very important for enterprise users coz they want to have different policies based on user or groups.

There is a tutorial already.
  http://nxfilter.org/tutorial.php

But it requires some knowledge for network and systems. The reason you log into 'http://localhost' is because
it has its own webserver for GUI. If you're a home user I thnk it might be better for you to stick to OpenDNS.
As it is working on cloud and doesn't require extra hardware.

For you one good thing with NxFilter would be dual-policy or quota-time but you still need to have a dedicated
hardware. But you can't use it if you rely on OpenDNS category anyway.

Jinhee

[Carl Miller]

With the DD-WRT you can use "Access Restrictions" to control Internet access.  The simplest to to deny access when you don't want them online.  You can filter services too.  I would do it by MAC address.

[Sarah Poulin]

I've already implemented the time restrictions in DD-WRT. An example as to why it's not that effective, is even if I use the keywords 'game', 'games', and 'gaming', it is not able to block every single gaming website and server out there.

[Joseph Keegan]

Sara:

You seem to want a plug and play solution, this is "free" (as in no licensing cost) because there is no real support.  The level of support you're asking for is the reason that companies like Barracuda charge so much for their Web Filter product.  So if you don't get the needed level of support, remember that Jinhee is developing this for free...if he helps you, that's great, and nice of him.  However, based on what you're asking and how you're asking, you may need something like the Barracuda Web Filter product.  THEY will give you spoon-fed instructions because you're paying them to.  

That said, you do need to run this on a dedicated system OR a dedicated IP address.

I have mine setup in my office on a single server (approx. 20 users, NX Filter running on a member server, non-domain controller, not running WEB SERVICES / IIS and not running DNS).  I setup NX Filter to run as a service (I had to install JAVA on the server), and I configured it to import my Active Directory DNS zone and synching every hour so that it has a record of all Active Directory objects.  I also had it import all users in Active Directory by specifying the Active Directory DNS server IP, giving it an admin user credentials to bind to LDAP and import Active Directory users / groups.  To do this, I specified the TOP of my Active Directory tree rather than importing just a single OU (although you CAN go that route if you like).  I did this by specifying the LDAP / Active Directory tree context as:  "dc=domain-name,dc=domain-suffix".  So if your Active Directory domain name is "mycompany.local" then I specified "dc=mycompany,dc=local".  

I left the default policy in place and set it to LOGGING ONLY so it's not blocking, just logging everything (for now) and added one additional user for un-authenticated users.  I named the user "IPUser" and set the subnet to the local subnet of the office where NXFilter is installed.  To do this, add the user named "IPUser" without quotes under "config --> user".  After adding, EDIT the user and add your local SUBNET range (i.e. 192.168.1.1-192.168.1.254).  This will prevent people from having to SIGN IN to the NXFILTER system in order to browse / be logged.

Additionally, for the Active Directory to track by userid, I added the NXLOGON.EXE with the IP address of the server running NXFilter specified in the user's login scripts (i.e. copy NXLOGON.EXE from the NXFilter folders to Netlogon share and add a line to login scripts of:  \\servername\netlogon\nxlogon.exe 192.168.1.15).

The last thing that I did was update the DHCP scope for PC's on the network so that they were getting a DNS address of the server running NXFilter.  The result of my installation is a silent monitoring of all sites that everyone goes to with a full report able to be pulled for 60 days I think...this length is configurable.  In the report, users are identified by PC and by USERNAME because they ran the NXLOGON.EXE process.  If users do NOT run the NXLOGON.EXE process, then they show up in the report with their correct IP address and a username listed as "IPUser"

I hope this helps you!

[Jinhee]

hi Joseph,

This is very nice tutoral for AD setup.
However it might be easier using GPO for nxlogon.exe setup.
With GPO you don't need to edit every user profile.

Thanks,

Jinhee

[Aliaksei Tsialipka]

Please help me
SETUP:
1) I have created an user IPUser( under Config>User)
2) I gave to that user a range of: 10.15.0.1-10.15.3.255 / 10.15.31.1-10.15.31-255
3) I created a BlockSocial group with distinct policy. Not default policy. Added IPUser to that group.
4) Re-started nXFilter
5) My ip is 10.15.31.49

PROBLEM:
- nxFilter shows DNS requests. but they are like this :anon-user 10.15.31.49 anon-grp.
That means my nxFilter does not apply IPUser settings and policies.

[Jinhee]

Most likely, you didn't enable authentication on Config > Setup.

[Aliaksei Tsialipka]

RE: Jinhee
Thank you so much. It works. Thanks a lot for doing this DNS tool for free. We appreciate it.

IS there any way to change anon-user settings? just to avoid this login page in browser.
Basically I want to have my WORK and FREE-TIME policy applied across the network..
but avoiding this login page IF possible

[Jinhee]

If you want not to show login-page to your users use AD integration or single sign-on. Or you can install NxUpdate and NxClient for that. Everything's on our tutorial.