DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Restricting Use of Facebook using Vigor 2820

13 Sep 2009 18:57 #19 by mreastwood
We have a 'non-work related media' policy in place in our offices. This is effectively to ban Facebook, YouTube etc.

As another poster said, it's not always about the time lost to these sites, it's also about maximising available resources such as bandwidth.

You can put all the policies in place that you like but you won't always catch someone streaming a radio station or playing a YouTube video in a spare tab. The problem is that generally people think that one video, one small radio stream etc won't cause any problems.

After realising that the policy alone wouldn't be enough, we started blocking sites on our transparent Squid proxy. Eventually we scrapped that altogether for two reasons. 1) The overhead and reliability of Squid VS. the speed benefits of a web cache wasn't worth it and 2) The blocks could be bypassed by adding https:// to the site which bypasses Squid. We could have recompiled Squid with SSL support but we didn't want to be performing a man-in-the-middle attack.

Since we were already using OpenDNS, we decided to make use of their blocking which blocks at the DNS level. This means that it will block all ports, whether it be standard web 80 or https 443. Since that point we've started running an internal bind9 caching DNS server (because our DNS lookups take 500-1000ms, bad location). This is an extremely effective and easy way to block sites although it won't prevent people who know exact IPs from accessing a site.

I'm cautious to set up any URL filtering and such like in our DrayTek router because I assume it means the router will be running some form of internal web proxy to manage that. I'm curious if this will have any speed impact or reliability issues.

15 Sep 2009 11:48 #20 by linker3000
Just to add to the mix - here's how we block facebook:

1) Subscribe to the OpenDNS service (free) and register the site IP address with them (assuming it's fixed).
2) Set router's DNS server entries to point to the OpenDNS servers.
3) Set router's DHCP DNS address likewise.
4) Set firewall rules to only allow DNS (port 53) queries to OpenDNS server addresses (in case users try to bypass OpenDNS).
5) Use OpenDNS DNS blocking features to disallow DNS queries to social networking sites.

Not 100% water-tight but good enough for most requirements.

15 Sep 2009 13:44 #21 by mordorf
OpenDNS is very good but it doesn't stop access if the user enters the ip address rather than the fqdn url.

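A log-side check for the two gaps raised in the posts above (queries sent to a resolver other than OpenDNS, which step 4 of linker3000's list is meant to stop, and mordorf's point about browsing by IP address), as an added example that is not part of any post in this thread. The log format, the LAN addresses and the function names are constructed for illustration; 208.67.222.222 and 208.67.220.220 are the OpenDNS resolver addresses.

```python
import ipaddress

# OpenDNS public resolvers: the only DNS servers step 4's firewall rule allows.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: <time> <src_ip> <proto> <dst_ip>:<dst_port> [host=<Host header>]
SAMPLE_LOG = """\
09:00:01 192.168.1.20 udp 208.67.222.222:53
09:00:02 192.168.1.20 tcp 203.0.113.10:80 host=intranet.example
09:01:15 192.168.1.31 udp 198.51.100.53:53
09:02:40 192.168.1.31 tcp 203.0.113.77:80 host=203.0.113.77
09:03:05 192.168.1.44 tcp 208.67.220.220:53
09:04:12 192.168.1.44 tcp 203.0.113.77:443
"""

def parse_line(line):
    """Turn one log line into a dict, or None if it is too short to parse."""
    parts = line.split()
    if len(parts) < 4:
        return None
    dst_ip, _, dst_port = parts[3].rpartition(":")
    extras = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return {"time": parts[0], "src": parts[1], "dst": dst_ip,
            "port": int(dst_port), "host": extras.get("host")}

def is_ip_literal(host):
    """True when a Host value is an IP address (optionally with a port)."""
    if host.startswith("["):        # bracketed IPv6, e.g. [2001:db8::1]:80
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:      # name or IPv4 followed by :port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(log_text):
    """Return (time, src, finding, detail) for each policy bypass seen."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["port"] == 53 and rec["dst"] not in APPROVED_RESOLVERS:
            findings.append((rec["time"], rec["src"], "dns-bypass", rec["dst"]))
        elif rec["host"] and is_ip_literal(rec["host"]):
            findings.append((rec["time"], rec["src"], "ip-literal-web", rec["host"]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

The last sample line (port 443 to the same address) is not flagged because this constructed format carries no Host value for HTTPS, so a check of this kind only sees IP-literal browsing over plain HTTP.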

15 Sep 2009 15:49 #22 by admin
You can tell the Vigor to block browsing by IP address, I think.



Forum Administrator

15 Sep 2009 18:04 #23 by mordorf



1.) Under Object Settings create a Keyword Object called Facebook with the word as facebook.

2.) Under Object Settings create a new Keyword Group called Facebook and add the Facebook keyword to it.

3.) Under CSM>URL Content Filter Profile create a new profile with the below settings:-
Profile Name - Facebook
Priority - Both : Block
Check Enable URL Access Control
Check Prevent web access from IP address
Click edit and add the Facebook Keyword Group

4.) Under Firewall > Filter Setup create a new rule called Block Facebook with the below settings:-
Direction - LAN>WAN
Source IP - Any
Destination IP - Any
Service Type - Any
Filter - Pass if no further match
URL Content Filter - Facebook

That should block access to facebook even if your users are clever enough to enter the IP address of facebook instead of the URL (http://69.63.184.142/).
I have just tested this and it seems to work, any problems post back and I'll see if I can help.
There will still be ways around this such as using external proxies or tunneling but you can block this also with the 2820 (Object Setting>Misc Object) although I haven't tested this aspect.



My instructions above cover blocking facebook by both fqdn and ip address.
:)

16 Sep 2009 12:11 #24 by linker3000

Mordorf wrote: OpenDNS is very good but it doesn't stop access if the user enters the ip address rather than the fqdn url.



Agreed - hence not 'water-tight' but good enough for our level of users.
