google wifi - log websites visited

I would like to log all websites visited. I have Google Wifi mesh. Does anyone have any suggestions?
 
I was thinking about getting a low-cost router to act as a proxy between the modem and Google Wifi. Any thoughts? I appreciate your help.
 
You can log DNS lookups; that's a first-step way to monitor traffic.

Going the next step, using a proxy, gets a lot more complicated, due mainly to the use of HTTPS for security.  In the past you could just proxy everything on port 80 using HTTP protocols.  But with HTTPS you need to set up a man-in-the-middle trust.  That generally requires running the proxy software on something with more resources than a "low cost router".
 
What's the use-case scenario?
 
If it's for children, you can get parental controls. I use a "Next Generation Firewall (NGF)" which does the decryption and re-encryption for virus/intrusion prevention purposes, and it's very resource-intensive.  By placing encryption certificates on PCs/Macs it can be done, but there are many considerations.  Because of the encryption Apple uses on devices, I have never gotten it fully working with Apple phones, even with added certificates on the devices.  For all these reasons, doing it at the browser level is your best bet.
 
Use cases:
1. Blocking websites for all users
2. Blocking websites for certain users (nice to have based on device name)
3. Blocking internet access at certain times
4. Log all URLs visited
 
@coconut what NGF are you using? I was thinking about a Raspberry Pi with open-source software, or a low-cost router such as https://www.walmart.com/ip/Linksys-N600-Dual-Band-WiFi-Router-Black-Internet-Router-2500/834225459?athbdg=L1600 and flashing it.
 
My current setup:
Modem --> Google Wifi mesh

Desired setup (firewall or router to support the above use cases):
Modem --> firewall or router --> Google Wifi mesh
 
You don't mention what kind of modem or uplink tech (DSL, cable, etc.).  It matters, as you want to minimize the NAT layers; many apps don't take well to being layered behind more than one NAT.  Adding a proxy will only make that worse.  Make sure your 'modem' will handle being in bridge mode, not routing.
 
Likewise, what's your uplink speed?  If you've got a fast link then you'll need a likewise fast computer to handle the traffic.  Even a Pi 4 is not going to give you wire-speed handling if you've got a fast uplink.  Just because a device has a GigE port doesn't mean it can pass at wire speed.  Otherwise you'd be choking your connections and needlessly paying for a fast uplink.
 
If you already have wifi mesh gear then you do not need a router that has wifi.  Better to use something like a fanless mini PC running BSD or Linux instead.  pfSense runs great on stuff like that.
 
Blocking websites gets even trickier for things like phones or anything with a cellular connection.  Most determine whether a link has connectivity based on web availability.  Start blocking things without understanding this and you'll have devices switching over to cell links way too often, and that opens up a whole other set of issues.

Blocking based on device names (their internal IP addresses) depends on the device being stable and on the DNS/DHCP being properly integrated.  But if you've got savvy users deliberately trying to work around it then it gets more complicated (and thus the reason for needing higher-horsepower equipment).
 
jijo_robert said:
Use cases:
1. Blocking websites for all users
2. Blocking websites for certain users (nice to have based on device name)
3. Blocking internet access at certain times
4. Log all URLs visited

@coconut what NGF are you using? I was thinking about a Raspberry Pi with open-source software, or a low-cost router such as https://www.walmart.com/ip/Linksys-N600-Dual-Band-WiFi-Router-Black-Internet-Router-2500/834225459?athbdg=L1600 and flashing it.

My current setup:
Modem --> Google Wifi mesh

Desired setup (firewall or router to support the above use cases):
Modem --> firewall or router --> Google Wifi mesh
You can do all that, but it's not trivial.  I have a Fortigate 40F router, which can do this.  About $400 for hardware, and maybe $350/year if you want to subscribe to full scanning access.  For example, a day after the log4j problem was announced, they were already scanning for it.  SonicWall and other companies make firewalls as well.
 
So, a word of warning: it will take you a few weeks to months to get this fully set up, but it is worth the time.  Some "consumer" level routers claim to have some of these features, but you'll be disappointed.  Go for business-grade.
 
ano said:
So, a word of warning: it will take you a few weeks to months to get this fully set up, but it is worth the time.  Some "consumer" level routers claim to have some of these features, but you'll be disappointed.  Go for business-grade.
 
This.  It's pretty simple to log/block website name lookups.

It's quite a lot more involved to get into logging/blocking the specific web traffic itself.  More often than not, logging/blocking of the DNS requests is enough.  pi-hole has a great UI for this and runs easily on even a Pi 3.

Before I'd wander into the very complicated territory of active logging/proxying, I'd look at the simpler method of just checking the history on the browsers themselves. 

If this is a parenting issue then you've got the two-pronged approach: you know you've seen DNS lookups for things... but magically the browser history doesn't show it?  As the meme says, "that's a paddlin'".

That's the approach I take with ours.  Monitor what is coming across on the DNS and then "have discussions" about inappropriate use of the internet.  To me, trying to take a 'block everything' approach just encourages misbehavior.  I'd rather know and help guide, than be punitive and end up teaching them to hide things.  But that's me, not everyone chooses to manage their kids the same way.
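At the DNS layer, the "log all URLs visited" use case collapses to a per-device list of hostnames. As an added illustration (not code from this thread or from pi-hole), the script below parses constructed query lines in dnsmasq's log format (the resolver pi-hole is built on) and joins them to a constructed dnsmasq.leases table so that clients appear by DHCP hostname, which is what the "block by device name" use case relies on. The log and lease layouts are dnsmasq's; the sample lines, addresses and hostnames are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in dnsmasq's "query[TYPE] name from client" log format
# (which pi-hole uses); the leases text mimics dnsmasq.leases. Not from a real network.
SAMPLE_LOG = """\
Jan 10 20:01:02 dnsmasq[711]: query[A] www.example.com from 192.168.86.20
Jan 10 20:01:03 dnsmasq[711]: query[AAAA] www.example.com from 192.168.86.20
Jan 10 20:01:09 dnsmasq[711]: query[A] connectivitycheck.gstatic.com from 192.168.86.31
Jan 10 20:01:15 dnsmasq[711]: query[A] ads.example.net from 192.168.86.20
Jan 10 20:01:15 dnsmasq[711]: /etc/pihole/gravity.list ads.example.net is 0.0.0.0
Jan 10 20:02:40 dnsmasq[711]: query[A] video.example.org from 192.168.86.31
"""
SAMPLE_LEASES = """\
1641855600 aa:bb:cc:dd:ee:01 192.168.86.20 kids-laptop 01:aa:bb:cc:dd:ee:01
1641855700 aa:bb:cc:dd:ee:02 192.168.86.31 * *
"""
QUERY_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(log_text):
    """Yield (qtype, name, client_ip) per query line; forwarded/blocked/reply lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["qtype"], m["name"].lower(), m["client"]

def parse_leases(leases_text):
    """Map IP -> DHCP hostname from dnsmasq.leases; '*' means the device sent no hostname."""
    hosts = {}
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] != "*":
            hosts[fields[2]] = fields[3]
    return hosts

def names_by_device(log_text, leases_text):
    """Map device (DHCP hostname, or bare IP when unknown) -> Counter of queried names.
    A and AAAA lookups for one site count separately; names answered from a
    browser or OS cache never reach this log at all."""
    hosts = parse_leases(leases_text)
    seen = defaultdict(Counter)
    for _qtype, name, ip in parse_queries(log_text):
        seen[hosts.get(ip, ip)][name] += 1
    return seen

if __name__ == "__main__":
    for device, names in sorted(names_by_device(SAMPLE_LOG, SAMPLE_LEASES).items()):
        print(device, "->", ", ".join(sorted(names)))
```

The second client shows up only by IP because it sent no DHCP hostname, which is the "device being stable and DHCP properly integrated" caveat raised earlier in the thread.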
 
 
The problem with browser history is that it can be deleted. It seems like DNS is not logging all DNS requests, as browsers may have a local cache. I will take a look at pfSense or another firewall; I was trying to do a low-cost option. Thanks.

BTW - I have a cable modem.
 
pfSense is free and runs on BSD.  Personally I have used it for many years now.
 
Hardware can be any device with two network ports.
 
Popular hardware lately is micro PCs with multiple NIC ports.
 
Search on Amazon for barebone firewalls or pfSense firewalls.
 
Prices start at a bit over $200 and go up from there.
 