Parental Control - Web Content Filter
On a Thomson TG587n or TG585v7 Router


If you need help with telnet commands, see this first: telnet.html

Objective

Add a web filter / parental control to a home network with the following features:
a) Free of charge.
b) Password protected against unauthorised changes.
c) No performance impact on web browsing.
d) Authorised users can turn the content filter off.

Method

1) Create a free OpenDNS account and set the web content filter to what you need.
2) Go to www.dnsomatic.com and use the settings there to update your OpenDNS account with the router's IP.
3) Set the router to use OpenDNS as the only DNS resolver.
4) Set the router to update dnsomatic with its IP address using the router's dynamic DNS feature.
5) Change all the router's passwords to prevent unauthorised changes.
6) Use the router's firewall to block all other DNS resolvers.
7) Create a telnet script to quickly switch between OpenDNS (filter on) and the ISP's DNS (filter off).


1) Create a free www.opendns.com account
After creating an account you have these web content filter options.




2) www.dnsomatic.com  (Not required if you have a static IP)
Log in with your OpenDNS username and password, then click on "add a service" and select "opendns".




3) Set the router to use OpenDNS

Telnet Command                                                          Comments
dns server route list                                                   List all DNS resolvers set in the router. (optional)
dns server route flush                                                  Clear the list
dns server route add dns=208.67.222.222 metric=5 intf=Internet          See note (1) below regarding "intf=Internet"
dns server route add dns=208.67.220.220 metric=10 intf=Internet         See note (1) below regarding "intf=Internet"
dhcp client ifdetach intf=Internet                                      See note (1) below regarding "intf=Internet"
dhcp client rqoptions delete intf=Internet option=domain-name-servers   Stop the router from getting the ISP's DNS resolver via DHCP
dhcp client ifattach intf=Internet                                      See note (1) below regarding "intf=Internet"
dns server route list                                                   List all DNS resolvers set in the router. (just checking)
saveall                                                                 Make the change permanent.

For more details go to the telnet page


4) Update OpenDNS using Dynamic DNS  (Not required if you have a static IP)
Telnet Command                                                                         Comments
dyndns service list                                                                    View existing settings -- it's the "custom" section we'll be changing
dyndns service modify name=custom server=updates.dnsomatic.com updateinterval=10800    Change service provider to dnsomatic.com. updateinterval is 3 hours (10800 seconds).
saveall                                                                                Make the change permanent.

Go to www.dnsomatic.com, sign in with your OpenDNS username / password.
While there, enable updating of OpenDNS.

Go to the router's web interface Toolbox > Dynamic DNS > Configure  :-
Tick "Enabled"
Interface  -- Internet  --  See Note (1)
Username -- OpenDNS username
Password -- OpenDNS password
Service -- custom
Host -- enter your OpenDNS network label or enter the catch all  --  all.dnsomatic.com
Click "Apply"

Check the router's event log to confirm "dynamic dns host has been updated".


5) Make it secure
Change the router's password and disable the factory reset button to stop anyone from making unauthorised changes.

Telnet Command                                       Comments
user config name=SuperUser password=mypassword       Must be an existing username ie "SuperUser" or "Administrator"
user config name=Administrator password=mypassword
saveall                                              Don't forget this!

Exit the telnet session and check you can log in to the router with the new password before disabling the reset button.
Only disable the reset button if you are sure you will not forget the new password.
Failure to do this may leave you locked out of the router permanently.
If in doubt do not disable the factory reset button --- just skip this command.
Telnet Command                       Comments
system config resetbutton=disabled   Disable the factory reset button
saveall                              Don't forget this


6) Create a firewall rule to block access to all other DNS resolvers


This prevents any computer on the network from using its own DNS settings to bypass the OpenDNS web filter.

Log in to the router's web user interface and go to Toolbox > Firewall > Configure > Create a new Security Level >
Enter a name
Under "Clone from existing Security Levels:" select "standard"
Click "Apply"
A new firewall settings page will come up, click "Add".

Now fill in the new rule definition:-

Name: -- Block DNS
Enable: -- tick
Source Interface: -- lan
Source Address: -- Any
User-Defined: -- leave blank
Destination Interface: -- wan
Destination Address: -- Any
User-Defined: -- leave blank
Service: -- dns
Action: -- Deny



Go back to Firewall > Configure and ensure the new firewall security level is selected.


That's it, now test it!
Go to www.opendns.com and check your IP address is being updated.
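
A check to go with the test step, run from a PC on the LAN (added example, not part of the original page or its zip file): it sends one DNS query to the router and one straight to an outside resolver, and expects only the router to answer once the step 6 rule is active. The router address 192.168.1.254 and the outside resolver 8.8.8.8 are assumptions; pass your own as arguments.

```python
import socket
import struct
import sys

ROUTER = "192.168.1.254"   # assumption: the router's LAN address, pass yours as argv[1]
OUTSIDE = "8.8.8.8"        # assumption: any public resolver that is not the router

def build_query(name, qid=0x1234):
    """Minimal DNS query for an A record, recursion desired (RFC 1035)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def is_reply_to(query, reply):
    """True if `reply` is a DNS response (QR bit set) carrying the query's ID."""
    if not reply or len(reply) < 12:
        return False
    qid, flags = struct.unpack(">HH", reply[:4])
    return qid == struct.unpack(">H", query[:2])[0] and bool(flags & 0x8000)

def answers(server, name="www.opendns.com", timeout=3.0):
    """Send one UDP query straight to `server`; False on timeout or ICMP error."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:          # covers socket timeouts and unreachable errors
            return False
    return is_reply_to(query, reply)

def assess(router_ok, outside_ok):
    """Interpret the two probes against steps 3 and 6 of the page."""
    if not router_ok:
        return "FAIL: the router is not answering DNS for this PC"
    if outside_ok:
        return "FAIL: direct DNS to an outside resolver still works (filter can be bypassed)"
    return "OK: only the router answers DNS on UDP port 53"

if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else ROUTER
    outside = sys.argv[2] if len(sys.argv) > 2 else OUTSIDE
    print(assess(answers(router), answers(outside)))
```

It tests UDP port 53 only, so a pass says nothing about DNS carried over other ports or protocols.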


Telnet scripting to quickly switch DNS resolvers (ie turn on and off web content filter)

Download filter_on_off.zip

Contents of "filter_on_off.zip":
1) Readme.txt (instructions )
2) dns.zip (password protected zip file containing three telnet scripts -- password = npr)  This protects the router's password from unauthorised users.
3) tst10.exe (freeware telnet scripting tool)
4) autodns.bat (batch file to set automatic dns from ISP)
5) opendns.bat (batch file to set opendns)
6) check.bat (batch file to check which dns resolver is set)

Possible gotcha
If running a software firewall, tst10.exe needs outbound permission to the router on port 22.
I haven't tested this with Windows "User account control" enabled, may need to run the batch files by right clicking and selecting "Run as administrator".



Note (1) :
The "intf=Internet" part of the above commands may need to be changed depending on the router's firmware.
"intf=Internet" should be correct for standard firmware.
O2 supplied routers may need "intf=Internet" replacing as follows :-
For O2 supplied routers on an LLU connection, replace with "intf=O2_ADSL2plus" or in some cases "intf=RoutedEthoA"
For O2 supplied routers on the Access service, replace with "intf=O2_ADSL"
Hint - You can check which one to use for the WAN interface by looking at the results from the "dns server route list" command.
See the screen capture below, in this case it's "intf=O2_ADSL2plus".




Copyright © NPR 2010 - 2012