NxFilter

 

Introduction

 

NxFilter is a free DNS server that allows network control and bandwidth monitoring by logging user requests for websites. It’s a flexible, lightweight program that sits quietly on a network and is transparent to the user, unless you set it up to require a username and password to access your network. Before diving too much into the features of NxFilter, it’s helpful to understand what a DNS server is and what it does.

A DNS server is a Domain Name System server. Basically, when you go to any website, such as google.com, you send out a request to a DNS server. The DNS server then looks to see if it can find the IP address of the server you’re trying to connect to. If it finds it, it returns the IP address of the server. If not, it asks other DNS servers if they know where it is. This process will continue until the IP address is found (you are directed to the website), or it’s not found (you get a “Can’t display this page” error).

On most home networks, you’ll usually see DNS servers provided by either your Internet service provider or companies that provide public DNS servers, such as Google. These DNS servers are normally assigned when you set up your router and are usually automatically provided to client devices through DHCP. The important thing to know as this relates to NxFilter is that a DNS server is the first server a device talks to when looking for a website.

Since NxFilter is a DNS server, it will sit between your network’s devices and the Internet. This allows it to capture useful information, such as which devices are trying to connect, what websites they’re trying to go to, and how much data they are trying to pass. It’s even more useful when you assign human names to the devices, so you can see who is doing what on your network.

If you work for a company that provides WiFi access while on the job, then NxFilter probably sounds familiar. In fact, NxFilter is a solution that is designed with enterprise in mind, but today we’ll be discussing its role in the home network.

 

  • Features
  • Reliability
  • Ease-of-use
  • Documentation
  • Developer support

Summary

NxFilter is a great tool for monitoring your network, providing bandwidth control, and blocking websites to help protect your kids. It's a DNS server that filters domains. This allows you to see the websites your kids are using, along with other usage statistics. NxFilter can be used in a corporate or home environment. It's free for up to 20 users/devices. The documentation is OK, but the developer support is outstanding through their Google Group forum. Visit NxFilter's website.

4.2

 

 

Features

 

Policies. With NxFilter, it’s possible to assign an individual IP address, a range of IP addresses, or a combination of both of these to a policy. A policy is a group of restrictions that you want to enforce. NxFilter provides the ability to block websites by category. The categories are numerous, and you can add your own if you need to. This means you can make the Internet just a little safer by preventing access to websites that fall under the categories for violence, porn, drugs, etc. NxFilter will also allow you to recategorize websites to your liking. You also have the option of category quotas. If you don’t want your child to spend endless hours on Facebook, you can set a limit on how much time they can spend on social media on any given day. Or if you need to revoke their Internet privileges altogether, you can block the Internet completely. This gives a parent quite a bit of flexibility for filtering the Internet.

Users and groups. Once you have a policy set up, you can create a user. You can assign each user their own policy, or reuse a single policy over and over. If you have a large age gap between your kids, it would probably be easier to manage individual policies. If you want to set across-the-board restrictions, you can also create a group. A group consists of more than one user. This would be useful if you want to block a specific category for all of your kids, such as porn. You would create a policy that blocks that category, and then assign that policy to your “Kids” group. You could then set age-appropriate content based on user policies. Group policies override user policies.

Safe-search. You can enforce safe-search policies for YouTube, Bing, Yahoo, and Google. Google and Bing can be restricted right from NxFilter, while Yahoo and YouTube will need a proxy agent on the local machine.

Customizable block page. You can create a block page that will appear when someone attempts to access a restricted website. This is great for kids, because it reminds them that you are monitoring their Internet activity. Customization is done through the use of variables. The syntax and descriptions for the various options are:

  • #{domain} The domain of the website that was blocked.
  • #{reason} The reason why the website is being blocked.
  • #{user} The name of the user.
  • #{group} The name of the user’s group.
  • #{policy} The policy that is causing the website to be blocked.
  • #{category} The category of the blocked website.

HTML is allowed on the block page, so the level of customization can be as rich as the level of your programming skills.

Bandwidth monitoring and control. NxFilter provides a way to control bandwidth, although there is a caveat. You will need a router capable of exporting Netflow version 5 data. If you are a pfSense user, then this can be done. Most home routers will not have this capability, unless you have a DD-WRT router. Even then, it’s hit or miss. If your router is capable, you’ll configure it to send the Netflow data to your NxFilter’s IP address, where it can then be captured for analysis. From there, you can set daily limits on a user’s bandwidth usage, or you can monitor total user bandwidth usage by date. This is a good way to keep cable subscribers from going over their data cap each month.

URL blacklists and NxClassifier. A URL blacklist is simply a large database of website domains that have been compiled and broken down into categories, allowing websites to be filtered. NxFilter allows the use of imported URL blacklists (free or paid). NxFilter included built-in support for the free Shallalist up until NxFilter version 4. If you want an easy-to-use, manageable blacklist, Shallalist is the way to go. However, you will need to download NxFilter version 3.4.9 or below due to a recent change made by the developer. Komodia is another popular blacklist, but it’s an expensive paid option designed for schools and other large organizations. There is good news. NxFilter includes its own URL blacklist, Jahaslist, by default. It uses the built-in NxClassifier to dynamically categorize websites, and then adds them to Jahaslist. If you use this option, you’ll grow your own URL blacklist over time for only the websites you use! Jahaslist used to be a paid option, but is now included in NxFilter version 4 for free, for up to 20 “users”. Users are defined in NxFilter as the number of users logged in or the number of connected devices. If either number exceeds 20, DNS filtering will stop for each client that is over the limit. So if you have 3 kids and 2 adults in your family, but a large number of computers, iPods, mobile phones, gaming consoles, etc., you could easily go over the limit. You don’t have to monitor all of them in NxFilter though. If you do need more than 20 users, a 50 user license will cost $50 for one year.

Whitelist support. NxFilter also has support for a whitelist. A whitelist is a list of allowable websites, even if they fall into a blocked category. This is great for allowing specific websites that you know are appropriate for your kids without having to unblock an entire category.

Keyword URL filtering. You can also filter out websites based on URL keywords. This is the simplest form of web filtering, but could take a long time to create a useful list and there are no guarantees that the keyword will be used in the URL.

Daily/Weekly Reports. Shows the top network users by domain requests/IP addresses, the most blocked users, and the most blocked domains, among others. Very useful information in chart and pie graph form.

Email alerts. If you choose, you can set up email alerts for policy violations. This will be an automatically generated email with a comprehensive list of blocked websites, as well as any alert categories you have set up. Other information such as license violations will also be included.

Installation

 

Alright, let’s get started with installing NxFilter. Be sure to install NxFilter on a computer that you plan to leave on all the time (if you already use a server on your network this would be a great choice). NxFilter is a very lightweight program, so it won’t consume many resources at all. To begin, you’ll visit NxFilter’s download page. If you want or need Shallalist, be sure to download version 3.4.9 or below. NxFilter requires Java on the machine where it’s installed. It uses the Java libraries, not the browser extension, so there’s little to no security risk and you can log into NxFilter from browsers that don’t support Java, like Microsoft Edge.

The installation is a simple Windows installer, but if you need help or more information, you can view the installation walkthrough here.

If you want to use Shallalist for an easier blacklist option, click the “Go download old” link and select version 3.4.9. Otherwise, click on the latest release. Click “Save” to start the download.

Once the download finishes, click “Run”.

Java is required to run NxFilter. NxFilter does not require the browser plugin for Java to be enabled. If you don’t have Java installed, you’ll be prompted to download it.

Click the “Free Java Download” button.

If you’re using Microsoft’s Edge browser, disregard the blurb about not being able to use extensions. Click the “Agree and Start Free Download” button. Click “Save” to start the download.

To begin installing Java, click “Install”.

Click the “Do not update browser settings” radio button and click “Next”.

Once Java is installed, click “Close”. A browser window will open and you’ll be redirected to the Java page once more. You can just close the window.

If you needed Java, you’ll have to open the location where you saved NxFilter. Double-click the NxFilter installation file.

Click the “I accept the agreement” radio button, then click “Next”.

Click “Next”.

The “Create a desktop icon” box should be checked by default. Click “Next”.

Click “Install” to begin the NxFilter installation.

Click “Next”.

Uncheck the “Run tutorial.bat” check box (there’s a tutorial link on the admin page of NxFilter). Leave the other box checked so NxFilter will automatically open the necessary firewall ports.

Once you receive this message, press any key. If you are using NxFilter in a VM, make sure you open the ports on the host machine. Now go to your desktop and double-click the NxFilter icon to go to the admin page and begin configuring your DNS server!



Configuring NxFilter

 

NxFilter is easy to set up, but before you begin, you might want to spend some time thinking about how you want to implement it. Take the capabilities of your router into consideration. Does my router use static DHCP mapping or DHCP reservation? If it has neither you’ll need to manually assign each device’s IP address. NxFilter incorporates IP-based user assignments, so you’ll need addresses that do not change.

Since I’m a pfSense user, I break up my network into chunks using static DHCP mapping and assign a group of devices to that chunk. So one kid might have devices assigned to the IP range of 192.168.1.50 – 192.168.1.59, while another will be in the 192.168.1.60 – 192.168.1.69 range. I also have a normal DHCP range set up for IoT and other guest devices that don’t need to be monitored.

Once you decide on your network’s setup, it’s time to configure your router. In this example, we want the DNS server to be automatically assigned to make NxFilter transparent to the user. To do this, we’re going to let the DHCP server assign the DNS server’s IP address. The slideshow below shows how to do this in pfSense 2.3.1.



Next go to Services → DHCP Server. Scroll down to the “Servers” section. Letting the DHCP server hand out the DNS addresses forces users to go through the filter, but only while a device is using its automatic IP settings; for kids, this should be sufficient.

Here is where you’ll set the IP address of your NxFilter installation. This list goes by order, so make sure it’s the first one in the list. Also ensure that you have backup DNS servers available in case something happens to your NxFilter machine. Save and apply your changes.

While still logged in to pfSense, if you want to use NxFilter’s bandwidth monitoring, you can set that up now. First you need to install the softflowd package. Go to System → Package Manager.

Search for softflowd or scroll down to it. Click the “Install” button.

After it’s installed, go to softflowd under Services settings. Choose both the LAN and WAN interfaces, set your NxFilter IP address as the host, ensure the port is set to 2055 (should be the default), and ensure Netflow version 5 is selected. You can leave everything else as the default. Save and apply your changes.

To verify Netflow output, you can go to Diagnostics → Command Prompt. Type in softflowctl -c /var/run/softflowd.igb0.ctl statistics, where igb0 is your WAN adapter as found under the Interfaces / (assign) menu.



Now go to your NxFilter login page. You can access this via the desktop shortcut on the computer where it’s installed or through your LAN by typing in the address http://ipaddress/admin.jsp. The following guide will show you how to configure your DNS filter:



Start by going to Config →  Setup.

“Block Redirection IP” should be filled in by default. If not, type in the IP address of your computer where NxFilter is installed. Check the box for “Enable Authentication”. This is a requirement for using NetFlow for bandwidth control. Click “Submit”.

To use bandwidth control, you must fill out the NetFlow section. Enter your router’s IP address, ensure the port is set to 2055, and check the “Run Collector” box. Click the “Submit” button. Now you’ll need to restart the NxFilter service. In the Start Menu search box, type in services.msc and press the Enter key. Scroll down to NxFilter, right-click, and click “Restart”.

Go to DNS → Setup. Type in the DNS servers provided by your ISP or use Google’s public DNS servers (shown here). Click “Submit”.

Next go to Config → Admin. Change the password from the default admin. Click the “Submit” button.

If you want to receive email alerts, you can set it up here. If you’re using Google two-factor authentication, you’ll need to go to your Google account and get an app-specific password. Click “Submit”.

Choose the categories you want to receive alerts for. Understand that you will already receive alerts for policy violations, such as blocked categories, so there’s no need to select those here.

Under Config →  Allowed IP, you can whitelist or blacklist IP addresses that are allowed to use NxFilter as a DNS server.

NxFilter allows you to customize these pages. In particular, you can set up the Block Page just the way you want it.

Click on the Block Page field and scroll down until you see the lines: #{domain} has been blocked!
#{reason}. You can customize this page using simple HTML tags as shown.

This will give your users, in this case my kids, a clear warning that they are doing something wrong or they need to get help to access a website.

Next go to Policy & Rule → Policy. You can edit the Default policy or create a new policy based on the Default template (recommended). I also recommend creating an “Unrestricted” policy for any devices you don’t want filtered. In this example, we’ll just look at the Default policy.

Make sure you check the box for “Enable Filter”. If you need to revoke a user’s access to the network, you can select “Block All”. I recommend leaving “Block Unclassified” unchecked as this is an administrative nightmare (it will block most of the Internet). The options in the red box are more for security. You can decide if you need them.

Scroll down to the Quota section. A quota is a time limit for a category. I use this for streaming services so my kids don’t put us over our ISP’s monthly data cap. You can also set a bandwidth limit (in MB, 3 GB would be 3000 MB). Both the quota and bandwidth limit reset daily. You can decide if you want to enforce safe-search (applies to Google, Bing, Yahoo, and YouTube). Block-time sets a period where Internet access won’t be available to the user. Click the “Submit” button when you’re done.

Keep scrolling down and you’ll see where you can block or quota system categories. Check all that apply. You must click separate “Submit” buttons for each section.

Now that we have a policy in place, let’s add a user. Go to User & Group → User. Type in the name of your user and a description, then click the “Submit” button.

Go down to the user you just created and click the “Edit” button (you may have to scroll over depending on your browser’s zoom settings).

Select the policy you created earlier. You can have separate policies for work-time and free-time (in a home environment, school days and weekends). Unless you want your users to have to log in every time they want to access the Internet, leave the “Password” field blank. Click the “Submit” button. Now you need to add the IP address of the user’s device(s). For a single IP address, just fill in the “Start IP” field. For a range, fill in both. Click the “Add” button.

You’ll notice the IP address you just entered appears below now. You can add more IP addresses if needed. To remove it, just click the “X”.

Now go to NxClassifier → Ruleset. I leave these at the defaults, but they can be edited. NxClassifier uses a points-based system to categorize websites, but sometimes it still gets it wrong. The way it works is by using regular expressions to check for relevant keywords. So the keyword for “porn” would be assigned 1000 points and would instantly hit the limit for assigning that domain to the category “Porn”, whereas “baseball” might count as 200 points in the “Sports” category (in this case more information will be needed to classify the site, else it would end up as “Unclassified”).
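The points-based scoring described above, sketched as an added example (not NxFilter’s own code or ruleset). The 1000-point “porn” and 200-point “baseball” weights come from the text; the other patterns, the once-per-rule counting and the 1000-point threshold are assumptions. The last sample shows how a single high-weight keyword leads to the kind of wrong classification mentioned above.

```python
import re
from collections import defaultdict

# (category, pattern, points). "porn" = 1000 and "baseball" = 200 are the
# figures from the text; the other rules are constructed for illustration.
RULES = [
    ("Porn",   re.compile(r"\bporn\b", re.I), 1000),
    ("Sports", re.compile(r"\bbaseball\b", re.I), 200),
    ("Sports", re.compile(r"\b(league|scores?|playoffs?)\b", re.I), 400),
    ("Sports", re.compile(r"\b(stadium|innings?)\b", re.I), 400),
]
THRESHOLD = 1000  # assumed category limit, inferred from the "porn" example


def score(text):
    """Return {category: points}. Each rule counts once per page (assumption)."""
    totals = defaultdict(int)
    for category, pattern, points in RULES:
        if pattern.search(text):
            totals[category] += points
    return dict(totals)


def classify(text):
    """Highest-scoring category at or above the threshold, else Unclassified."""
    reached = {c: p for c, p in score(text).items() if p >= THRESHOLD}
    return max(reached, key=reached.get) if reached else "Unclassified"


# Constructed page snippets, not real sites.
SAMPLES = {
    "one weak keyword": "Local baseball club photos",
    "several keywords": "Baseball league scores and stadium guide",
    "false positive": "Clinic advice for parents: talking to teens about porn",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:18} {score(text)} -> {classify(text)}")
```

A domain that lands in the wrong category this way is what the manual reclassification and whitelist options are for.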

Under NxClassifier → Classified, you can manually reclassify websites. Notice the search box, which makes reclassifying a specific website much easier.

Under NxClassifier → Excluded, you’ll see a list of domains that can’t be classified, and have been added to an exclusion list. Not many websites will end up here.

Jahaslist allows you to manually add categorized domains to your URL blacklist (if you use Jahaslist). You can also import someone else’s Jahaslist, or export your own.

If you want to see how NxClassifier will categorize a website, you can go to NxClassifier → Test Run and enter in a domain name. As you can see, YouTube comes up as “Unclassified”. To handle this situation you have a couple of options. You can reclassify it under NxClassifier, or you can create a custom category.

Here we will create a new custom category. To do so, go to Category → Custom. We’ll classify youtube.com as a new category called “Streaming”. Click “Submit”. Now click on the “Edit” button for this category.

To include all subdomains of youtube.com, we’ll input it as *.youtube.com. Click the “Add Domain” button. You’ll now see it appear below.

Now if we go back to our Default policy (or whatever policy you created earlier), you’ll see your new custom category that you can block and quota.

Go to Whitelist → Domain. If you have specific websites that you know you want your users to access, such as school websites, you can add them here. Type in the website’s domain and check the box “Bypass Filtering”. Or to block access, check the “Admin Block” box. This will create a Global policy (applies to all users/groups). If you want the domain to apply to a specific policy, click the “Edit” button for that domain, then choose the specific policy.

Whitelist → Keyword does the same thing, but using keywords instead of domains.

To see activity on your network, go to Logging → Request. This will show every allowed device that is requesting DNS resolution. You can also reclassify websites into different categories here by clicking on the domain address. This will be a large list, but you have a ton of search options to filter it.

Under Logging → Netflow, this is where you can view total bandwidth consumed for a given time period. You have quick options for the last 2, 24, and 48 hours, or you can pick specific dates and times (clicking either “Time” text box will show a popup calendar). Next click “User-Sum”.

You’ll be given a list of your users (users that don’t have any activity won’t show up), and you can easily see who is using the most bandwidth during any given period of time.
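What the User-Sum view boils down to, as an added example rather than NxFilter’s implementation: parse NetFlow version 5 datagrams, attribute each flow’s bytes to a user by IP range, and flag anyone over a daily limit. The user names, the sample traffic and the 1 MB = 1,000,000 bytes conversion are assumptions; the IP ranges are the ones used earlier in this guide.

```python
import ipaddress
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
IP = ipaddress.IPv4Address

# Hypothetical users mapped to the static DHCP ranges used in this guide.
USERS = {
    "kid1": (IP("192.168.1.50"), IP("192.168.1.59")),
    "kid2": (IP("192.168.1.60"), IP("192.168.1.69")),
}

def user_for(addr):
    """Name of the user whose Start IP..End IP range holds addr, else None."""
    for name, (start, end) in USERS.items():
        if start <= addr <= end:
            return name
    return None

def parse_v5(datagram):
    """Return [(src, dst, octets)]; raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    # v5 carries 1 to 30 records; the length must agree with the count field.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    offsets = range(HEADER.size, len(datagram), RECORD.size)
    fields = (RECORD.unpack_from(datagram, o) for o in offsets)
    return [(IP(f[0]), IP(f[1]), f[6]) for f in fields]  # src, dst, dOctets

def user_sum(datagrams):
    """Bytes per user; a flow counts for a user at either end of it."""
    totals = defaultdict(int)
    for datagram in datagrams:
        for src, dst, octets in parse_v5(datagram):
            for name in {user_for(src), user_for(dst)} - {None}:
                totals[name] += octets
    return dict(totals)

def over_limit(totals, limit_mb):
    """Users above the daily limit, assuming 1 MB = 1,000,000 bytes."""
    return sorted(u for u, b in totals.items() if b > limit_mb * 1_000_000)

def make_datagram(flows):
    """Build a constructed v5 datagram from (src, dst, octets) tuples."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, octets in flows:
        out += RECORD.pack(IP(src).packed, IP(dst).packed, bytes(4), 0, 0, 1,
                           octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

# Constructed sample: 203.0.113.10 is a documentation address standing in
# for an Internet host; 192.168.1.200 is an unmonitored guest device.
SAMPLE = make_datagram([
    ("203.0.113.10", "192.168.1.52", 2_500_000_000),
    ("192.168.1.52", "203.0.113.10", 600_000_000),
    ("203.0.113.10", "192.168.1.61", 1_200_000_000),
    ("203.0.113.10", "192.168.1.200", 900_000_000),
])

if __name__ == "__main__":
    totals = user_sum([SAMPLE])
    print(totals, "over 3000 MB:", over_limit(totals, 3000))
```

The guest device’s traffic is ignored because its address falls outside every user range, which is also why devices need addresses that do not change.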

Once you have NxFilter working the way you want, you can go to Config → Backup to make a backup of your settings to store somewhere safe in case of a computer failure.



Privacy vs. Security

 

Typically, in a corporate environment, a company that provides its employees with Internet access must also adhere to strict standards for liability reasons. Basically, the company is the owner of the network and can do what they want to monitor and restrict their employees for the good of the company.



It’s a little different in a home environment, because you have to live with your kids. Explain to them why you are monitoring the network, that it’s out of concern, and not because you want to spy on them. Don’t hide the fact that you are monitoring them. Don’t automatically jump to conclusions if you see blocked categories for websites. Visit the website they are trying to access and assess the situation for yourself. Of course, if you nit-pick everything that they do online they will probably see it as being spied on and as an invasion of privacy. Try to give your kids some leeway while at the same time protecting them.

Let NxFilter work for you, and not be a cause of friction between you as a parent and your children.

Final thoughts on NxFilter

 

NxFilter is a great piece of software, and it’s easy to use if you have an understanding of basic networking. Even if you don’t, the provided documentation should point you in the right direction. You can launch the NxFilter tutorial right from your NxFilter Dashboard. If you don’t understand the documentation (which is lacking in certain areas, like NxClassifier), you can head over to the forums. Again, you have a link right in the Dashboard. I’ve had success getting answers from the forum on more than one occasion. The developer monitors the forums closely and will provide a prompt response.

For these reasons I’d definitely give NxFilter a shot if you’re in need of a DNS server with filtering capabilities.
