DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Schedule content filtering - step by step

12 Feb 2010 08:40 #1 by nickbooth
Hello all

I have a 2820n and wanted to allow employees to use Facebook (and similar sites) before work, at lunchtime, and after work but block those sites during working hours. Reading the forums it seems a few people want to do the same. I struggled for a long time to get it set up but with advice from Draytek I have got it cracked. You need to do the following:

1) In Applications / Schedule set up the times you want to block the sites. Enable schedule 1. Put in a date before today. Put the start time (e.g. 8:00) and duration (e.g. 4:00 to block 8am to 12pm). Set Action to "Force On" then choose the weekdays it should operate. I set schedule 1 to the above and schedule 2 in the same way but from 13:00 for 4:00 duration.

2) In Objects setting / Keyword Objects add a word per item (e.g. I have facebook as 1, youtube as 2, hotmail as 3, ebay as 4 etc.)

3) In Objects setting / Keyword Group, set up a group and add all those keywords you added in step 2 to the group and call it, say, "work block".

4) In CSM / URL Content Filter Profile click on 1 to set up the first profile. Call it anything, e.g. "block stuff". Set priority to Both:Block, tick Enable URL Access Control and Prevent web access from IP address. Then click Edit underneath Group/Object Selections and add your keyword group ("work block") to it.

5) In Firewall / Filter setup click on default data filter and add Rule 2 to it. Tick Enable the filter rule. Call it something like "block in work hours". In Index in Schedule Setup put 1 in the first box and 2 in the second (this makes this rule kick in during those schedules). Direction is LAN > WAN. Leave Source IP, Destination IP and Service type as Any. Set Filter as Pass Immediately. Then in the drop down box for URL Content Filter, choose "block stuff" that you created in step 4. Leave the IMP2P and Web content filters as None (once the URL filtering works you can go back to set up those filters in a similar way and then add them later).

The above should then work. It didn't initially for me, so I went into Firewall / General setup and found that while I had been playing I had put a URL content filter in the general setup (that was working all the time rather than just to schedules). So I reset URL Content Filter to None and it worked perfectly.

Once that is all set up it became easy to do the same for Web Content Filter as well as the URL filter.

I hope this helps others who want to do this.

regards

nick
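
An added example (not part of nickbooth's post and not DrayTek code): a simplified Python model of the configuration in steps 1 to 5, useful for checking which new requests the two schedules and the keyword group cover. It assumes keywords match case-insensitively anywhere in the URL and that "Prevent web access from IP address" blocks URLs whose host is an IP literal; all names in the code are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Schedule:
    start: str           # "HH:MM", as entered in Applications / Schedule
    duration: str        # "H:MM"
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday

    def active(self, now: datetime) -> bool:
        h, m = map(int, self.start.split(":"))
        dh, dm = map(int, self.duration.split(":"))
        begin = now.replace(hour=h, minute=m, second=0, microsecond=0)
        # Also test the window that opened yesterday, so a duration
        # that runs past midnight is handled.
        for opened in (begin, begin - timedelta(days=1)):
            closes = opened + timedelta(hours=dh, minutes=dm)
            if opened.weekday() in self.weekdays and opened <= now < closes:
                return True
        return False

WEEKDAYS = frozenset(range(5))  # Monday to Friday
# Schedules 1 and 2 from step 1 of the post.
SCHEDULES = [Schedule("8:00", "4:00", WEEKDAYS), Schedule("13:00", "4:00", WEEKDAYS)]
# Keyword group "work block" from steps 2 and 3.
WORK_BLOCK = ["facebook", "youtube", "hotmail", "ebay"]

def host_is_ip(url: str) -> bool:
    """True when the URL's host is an IP literal (assumed meaning of step 4's tick box)."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def blocked(url: str, now: datetime) -> bool:
    """Decision for a NEW request only; connections already open are not modelled."""
    if not any(s.active(now) for s in SCHEDULES):
        return False  # outside both schedules the filter rule is not applied
    lowered = url.lower()
    return host_is_ip(url) or any(k in lowered for k in WORK_BLOCK)
```
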

12 Feb 2010 17:00 #2 by prefuse
Replied by prefuse on topic Schedule content filtering - step by step
Thanks for that it was a bit of a mind bender!

Paul -

12 Feb 2010 21:47 #3 by middling
Replied by middling on topic Schedule content filtering - step by step
There's just one problem with your method: The Draytek firewall doesn't block already established connections. So if an employee logged onto Facebook at 07:59 they could continue using it beyond 08:00 until the connection times out and they have to establish a new one.

The length of time it takes a connection to time out is dependent on the service (using your example an employee wouldn't be able to change or refresh their Facebook page, but Facebook chat would still work, and so would any Flash-based games they were playing).

For some services it's a relatively short timeout, for others it's long (IM is a particular problem with Yahoo Messenger able to continue to work through the firewall for several hours).

12 Jun 2010 22:25 #4 by qwibbles
Replied by qwibbles on topic Schedule content filtering - step by step
You should configure rules to 'force on' and 'force off' for the schedule. I.e. 4 scheduled periods.

I would personally not "Leave Source IP, Destination IP and Service type as Any". Most likely you know the source IP address range and could set up an IP Group Object for it. You also probably only want to give them web access via port 80 and therefore you could set the service type.

The draytek has always blocked established connections for me? Maybe it's the way I set it up?

Oh, almost forgot, and most users have mobile broadband on their phones these days so they do not even need to bother using the network ... then you have to install mobile phone jammers :twisted:

13 Jun 2010 07:27 #5 by middling
Replied by middling on topic Schedule content filtering - step by step

qwibbles wrote: The draytek has always blocked established connections for me? Maybe it's the way I set it up?



What router are you using?

I've only experience of the 2820 series (and from the poor quality of the firmware I'll never willingly have experience of any other Draytek) and it definitely doesn't cut through established connections.

18 Jul 2010 10:06 #6 by robathome
Replied by robathome on topic Schedule content filtering - step by step
I found this very useful - thanks. The manual is quite shocking in this area, and a pretty poor translation, which doesn't reflect well on draytek and SEG.

Would be interested if someone finds a solution to the problem where it won't cut off existing users when the schedule kicks on
