Would you still get Untangle for Home usage?

[thetx]

I think no home should be without Untangle and echo what the others have said. The best $50 / year you'll ever spend.

For Ads, set yourself up a pihole server. It's free and I've yet to see anything work as good. It also has some blocking options as well via DNS queries. It runs on next to nothing. I have one on a raspberry pi and another in a debian container so I can reboot one or the other without affecting the network.

Do you find adding a pihole blocks ads better than the adblocker feature of Untangle?

[sky-knight]

Do you find adding a pihole blocks ads better than the adblocker feature of Untangle?

Yes, PiHole is better than AdBlocker, but it's NOT better than the Web Advertisements category in Web Filter. It does however provide an easier interface to enable ads on specific things so they keep working. So choose your poison.

[propellherhead333]

Do you find adding a pihole blocks ads better than the adblocker feature of Untangle?

Yes. But I still use adblocker and webfilter to supplement and block in different ways for different reasons. I have all the ad categories checked off in the untangle apps and today they blocked 25 ads. pi-hole blocked 7324 as of this post today. Disclaimer though, things may be getting blocked before they hit the untangle apps.

[Valvaris]

I had Untangle with Adblocker ON and SSL Inspection and sadly it did nothing to prevent Ads... - Think that the App needs an update or a cool way to add blocklists like in Pi-Hole

Web-Content Filter is super nice and a great feature but highly relies on SSL-Inspection to work as intended - Tested with https://www.sophostest.com/ - Without SSL Inspection all of that goes thru... -.-

Best regards
Val.

[Armshouse]

Web-Content Filter is super nice and a great feature but highly relies on SSL-Inspection to work as intended - Tested with https://www.sophostest.com/ - Without SSL Inspection all of that goes thru... -.-.

Funny... I just tried this site and sure enough, without SSL Inspector it all passes. However, I edited the URL to visit the non-https version on a category I do have blocked and Untangle didn't scream - the Sophos endpoint protection on my laptop did though... Maybe it's more as they say: This test site contains pages classified by SophosLabs for the purpose of testing our web security and control products. With the emphasis on our?

Screenshot 2020-06-06 at 20.23.20.png

[Sam Graf]

Web-Content Filter is super nice and a great feature but highly relies on SSL-Inspection to work as intended - Tested with https://www.sophostest.com/ - Without SSL Inspection all of that goes thru... -.-

Best regards
Val.

Without doing any extensive testing, Web Filter does nothing with SSL Inspector enabled.

I realize that I'm not on the same page as knowledgable members here, but if Web Filter depends on SSL Inspector to see domains in HTTPS traffic, then the SNI and certificate features of Web Filter are all but meaningless. Web Filter must know the TLD at least to convert it to a category and check it against the enabled filters. So again, if, as some here argue, Web Filter is blind to domains in HTTPS requests, then the SNI and certificate features contribute little, if anything.

That said, testing against the Sophos test site doesn't establish things one way or another, since SSL Inspector makes no difference under the adult category, at least.

[Valvaris]

Hello @Sam Graf,

I did multiple tests with Webfilter and SSL Inspection does not effect Webfilter "I think" is wrong. Maybe I am wrong as well but why do I have a different result then?! My DNS is Untangle and my DNS Traffic is going forcefully to it as well. Thanks to the Portforward rule from the community. The other part that can effect DNS Traffic is DoH that can go over Port 853!

The reason is not only Adult Content but critical things like "Call Home" and multiple category's even the Eicar Test file had issues. I had better results with SSL Inspection on then without on multiple sites. I just referenced "Sophos Test Site" coz it is easy to reconstruct for all.

@Armshouse that is true but Untangle does a great job blocking ^^ I only had issues with SSL Inspector off...

Best regards
Val.

[Sam Graf]

Maybe I am wrong as well but why do I have a different result then?!

I think that’s an excellent question and point. We have a handful of views on how Web Filter works, or should work, we have inconsistent results as we do our individual tests, and it’s all very confusing.

My own opinion is the community needs to figure out a way to rigorously test Web Filter with repeatable results among different users/system configurations. For instance, I’m not sure Web Filter relies on DNS. I think it relies on a plaintext version of the URL and then looks it up in its own resource. But do I know that for sure? I don’t.

Lots of good questions here.

[sky-knight]

Web Filter monitors TCP sessions that terminate on 80 or 443. It's really not that complicated. It gathers what information it can, and filters with it. SSL Inspector (if configured correctly) provides more information.

That is all... There is no more, or no less to understand.

I do not find the use of SSL Inspector as worth the effort. Web Filter still works even if the client does DNS over TLS, because it doesn't need nor care about the DNS request the client made. All it cares about, is the HTTP/HTTPs sessions the browser makes to access the resource in question.

3rd party testing sites, such as the Sophos site linked here have a high frequency of building intentionally built to make the product they belong to look better than it actually is. And because the site is harmless, there's no reason for other vendors to mark said site as "malware" or whatever... so you can't use them to test against reliably.

[Sam Graf]

That is all... There is no more, or no less to understand.

I’m not disagreeing with you, but the disparity in results, even among the testers in this topic, is yet to be understood, it seems to me.