Setting Up Filtered Public WiFi

Difficulty: Advanced · Time: 45-60 minutes

Enterprise-grade guide for religious institutions to deploy secure, filtered WiFi for communities, including hardware selection, DNS filtering, bandwidth management, and monitoring.

Prerequisites:

  • Basic networking knowledge or IT support available
  • Budget for enterprise equipment ($500-$5000+)
  • Administrative access to network infrastructure
  • Clear filtering policy and acceptable use guidelines

Why This Guide Exists

Religious institutions - synagogues, churches, mosques, yeshivas, and community centers - increasingly provide WiFi for members. However, unfiltered public WiFi exposes visitors (including children) to inappropriate content and creates liability. This guide helps you deploy professional-grade filtered WiFi that protects your community while providing necessary internet access.

Important: This is an advanced technical guide. If your institution doesn't have IT expertise, consider hiring a network consultant for initial setup. Once configured, maintenance is straightforward.

🎯 Planning Your Network

Network Architecture Options

Option 1: Single Public Network

Best for: Small institutions (under 50 users)

  • One SSID for all visitors
  • Same filtering for everyone
  • Simple to manage
  • Lower cost

Cons: Less flexibility, staff have same restrictions as guests

Option 2: Multi-Tier Network (Recommended)

Best for: Medium to large institutions

  • Guest Network: Heavily filtered, password or no password
  • Staff Network: Moderate filtering, requires credentials
  • Admin Network: Minimal filtering, IT staff only

Pros: Flexibility, appropriate access levels

Option 3: Captive Portal with Authentication

Best for: Large institutions, educational facilities

  • Users see login page before internet access
  • Can require acceptance of acceptable use policy
  • Track who is using network (accountability)
  • Different filtering per user type

Cons: More complex, higher cost

Coverage Planning

  • Small (under 2,000 sq ft): 1-2 access points
  • Medium (2,000-5,000 sq ft): 2-4 access points
  • Large (5,000-10,000 sq ft): 4-8 access points
  • Very large (10,000+ sq ft): Professional site survey recommended

🛒 Hardware Recommendations & Budget

Budget Tier ($500-$1,000) - Small Institution

Router/Firewall:

  • Ubiquiti EdgeRouter X ($60) - Basic but capable
  • TP-Link ER605 ($60) - Good for beginners

Access Points:

  • TP-Link EAP225 ($60 each x 2) - Reliable, good range
  • Ubiquiti UniFi AC Lite ($79 each x 2) - Better management

Filtering:

  • Use free DNS filtering (OpenDNS Home, CleanBrowsing) - $0

Total: $500-$700

Mid-Range Tier ($1,500-$3,000) - Medium Institution (Recommended)

Router/Firewall:

  • Ubiquiti UniFi Dream Machine ($379) - All-in-one, easy management
  • Firewalla Gold ($468) - Great UI, family-friendly

Access Points:

  • Ubiquiti UniFi AC Pro ($149 each x 3-4) - Excellent performance

Filtering:

  • NextDNS Pro ($20/year) - Custom filtering, detailed logs
  • OR CleanBrowsing Pro ($60/year) - Great for institutions

Total: $1,500-$2,500

Enterprise Tier ($5,000-$15,000+) - Large Institution

Router/Firewall with Content Filtering:

  • Fortinet FortiGate 60F ($1,500 + $500/year subscription) - Industry standard
  • Sophos XG Firewall ($1,200 + $600/year) - Excellent reporting
  • WatchGuard Firebox ($1,800 + $700/year) - Good for education

Access Points:

  • Ubiquiti UniFi WiFi 6 Pro ($179 each x 6-10)
  • Aruba Instant On AP22 ($169 each x 6-10)

Management:

  • UniFi Cloud Key ($199) - Centralized management
  • OR cloud-based management (included with many systems)

Total: $5,000-$15,000+ (depending on size)

Professional Installation: Budget $500-$2,000 for professional installation and configuration if you don't have in-house IT expertise.

🌐 Filtering Approaches

Approach 1: DNS Filtering (Easiest, Recommended for Most)

Configure your router's DHCP to hand out the filtering provider's DNS servers (or point the router's own forwarder at them). Every device that uses the DNS it was handed is filtered, which in practice is most of them. Devices that bring their own DNS are not: a hard-coded 8.8.8.8, Android's Private DNS (DNS over TLS) or a browser with DNS over HTTPS enabled all walk past the filter unless the firewall forces DNS back through your resolver (see Firewall Rules and Common Issues below).

Best DNS Services for Institutions:

  • OpenDNS (owned by Cisco; the enterprise version is sold as Cisco Umbrella): Free basic, $20-50/year for reporting
    • Pros: Reliable, established, 65+ filtering categories
    • Cons: Free tier has limited customization
  • CleanBrowsing: Free basic, $5-15/month for custom
    • Pros: Designed for families/institutions, excellent support
    • Cons: Smaller company, less name recognition
  • NextDNS: Free 300k queries/month, then $2/month
    • Pros: Highly customizable, detailed analytics, modern
    • Cons: Requires more technical setup

See our DNS Filtering Guide and OpenDNS Tutorial for detailed setup.

Approach 2: Firewall-Based Filtering (More Control)

Enterprise firewalls with built-in content filtering (FortiGate, Sophos, WatchGuard).

Advantages:

  • Harder to bypass: policy is enforced on the traffic itself, so changing a device's DNS settings does nothing (VPNs, encrypted DNS and proxies still have to be blocked explicitly, which these firewalls do through application control)
  • Deep packet inspection: sees destination IP, TLS server name (SNI), certificate and protocol fingerprints even for encrypted traffic. Full inspection of HTTPS content requires TLS interception with the firewall's CA certificate installed on every device, which is impractical for guest devices, so plan on metadata-level filtering for guests
  • Application control (block specific apps like TikTok)
  • Detailed reporting by user, category, and time
  • Bandwidth management per user/category

Disadvantages:

  • Higher cost ($1,500-$5,000+ plus annual subscriptions)
  • Requires technical expertise to configure
  • Ongoing maintenance and updates

Approach 3: Hybrid (DNS + Firewall Rules)

Use DNS filtering as the primary control, and add firewall rules that force all guest DNS through your resolver (block or redirect port 53 to anything else, block DNS over TLS on port 853 and the known DNS-over-HTTPS resolvers) and block VPN and proxy services. This gives most of the benefit of Approach 2 on mid-range hardware.

⚙️ Configuration Best Practices

Network Segmentation

  • VLAN 10: Guest network (heavily filtered; isolated from every other VLAN and from the router's management interface, so guests reach only DHCP, your resolver and the internet)
  • VLAN 20: Staff network (moderate filtering, access to printers/servers)
  • VLAN 30: Admin network (minimal filtering, full access)
  • VLAN 40: IoT devices (security cameras, smart devices - isolated)

Bandwidth Management (QoS)

  • High priority: VoIP, video conferencing (for staff)
  • Medium priority: Web browsing, email
  • Low priority: Streaming video, file downloads
  • Set per-user limits: 5-10 Mbps per guest to prevent one user consuming all bandwidth

WiFi Configuration

  • SSID naming: "[Institution Name] - Guest" (clear and identifiable)
  • Security: WPA3-Personal (SAE), with WPA2 mixed mode only if older devices need it. On WPA2 a shared passphrase lets anyone who has it and captures another client's handshake decrypt that client's traffic; WPA3 SAE derives a separate session key per client, as does WPA3 Enhanced Open (OWE) if you want a guest network with no password at all
  • Password: Strong but shareable (post publicly or rotate weekly). A posted password is a courtesy barrier, not access control; if you need to know who is on the network, use the captive portal option
  • Band steering: Enable (pushes capable devices to 5GHz for less congestion)
  • Client isolation: Enable on the guest network so guests cannot reach each other. Isolation set on an access point only covers clients of that AP; enforce it at the switch or router as well so clients on different APs are isolated too

Firewall Rules

  • Block known VPN services and their default ports (to prevent filter bypass); VPNs that run over TCP 443 need application control on the firewall
  • Force DNS through your resolver: block or redirect outbound port 53 to other servers, block DNS over TLS (TCP 853) and the DNS-over-HTTPS endpoints of the public resolvers (your own provider's encrypted endpoint can stay open)
  • Block Tor: outbound connections to Tor relays and directory servers (Tor publishes its relay list; bridges are not on it, so this is a deterrent, not a guarantee). Blocking exit nodes only matters for traffic coming in from Tor
  • Block proxy sites and anonymizers
  • Block peer-to-peer file sharing
  • Allow necessary services (email, web, video conferencing) and deny everything else from the guest VLAN, especially toward internal networks
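The rule list above written out as an nftables ruleset for a guest VLAN. This is an added example for this guide, not configuration from any of the vendors in the hardware section (their GUIs express the same policy in their own terms). It assumes a Linux router running nftables, with the guest VLAN on one interface, the router itself (or the filtering provider's address) as the only permitted resolver, and the WAN on a second interface; the interface names and addresses in the usage line are illustrative and are passed in as arguments.

```shell
#!/bin/sh
# Generate, syntax-check and load an nftables ruleset that enforces the guest
# firewall rules above on a Linux router. Added example for this guide; the
# interface names and addresses used below are assumptions.
#
# Usage: sh guest-fw.sh print eth0.10 192.168.10.1 eth1   # show the ruleset
#        sh guest-fw.sh apply eth0.10 192.168.10.1 eth1   # check, then load it

guest_ruleset() {
    iface="$1"      # guest VLAN interface
    resolver="$2"   # the only DNS server guests may reach (router or provider IP)
    wan="$3"        # internet-facing interface
    cat <<EOF
table inet guest {
    # Private address space: the staff, admin and IoT VLANs all live here.
    set internal {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    # Well-known public resolvers; TCP 443 to them is their DNS-over-HTTPS service.
    # Starter list only: keep it maintained, and never list your own provider here.
    set public_resolvers {
        type ipv4_addr
        elements = { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9, 149.112.112.112 }
    }
    # Default VPN ports: IKE, OpenVPN, NAT-T, WireGuard, PPTP. Defaults only;
    # VPNs that ride on TCP 443 need application control on the firewall.
    set vpn_udp {
        type inet_service
        elements = { 500, 1194, 4500, 51820 }
    }
    set vpn_tcp {
        type inet_service
        elements = { 1194, 1723 }
    }

    chain guest_dnat {
        type nat hook prerouting priority -100; policy accept;
        # A client with a hard-coded resolver gets answered by ours anyway.
        iifname "$iface" ip daddr != $resolver udp dport 53 dnat ip to $resolver
        iifname "$iface" ip daddr != $resolver tcp dport 53 dnat ip to $resolver
    }

    chain guest_forward {
        type filter hook forward priority 0; policy accept;
        iifname != "$iface" return
        ct state established,related accept
        # IPv4 only: routed IPv6 for guests would skip every rule below.
        meta nfproto ipv6 drop
        # Belt and braces in case the nat chain is ever removed.
        ip daddr != $resolver udp dport 53 drop
        ip daddr != $resolver tcp dport 53 drop
        tcp dport 853 drop                              # DNS over TLS
        ip daddr @public_resolvers tcp dport 443 drop   # DNS over HTTPS
        udp dport @vpn_udp drop
        tcp dport @vpn_tcp drop
        meta l4proto { esp, ah, gre } drop              # IPsec and PPTP transports
        ip daddr @internal drop                         # no other VLANs, ever
        oifname "$wan" accept
        drop
    }

    chain guest_input {
        type filter hook input priority 0; policy accept;
        iifname != "$iface" return
        ct state established,related accept
        udp dport { 67, 53 } accept                     # DHCP and DNS served by the router
        tcp dport 53 accept
        drop                                            # no web UI or SSH from guests
    }
}
EOF
}

apply_ruleset() {
    # nft -c parses without loading, so a typo never leaves the router half-configured.
    guest_ruleset "$@" | nft -c -f - && guest_ruleset "$@" | nft -f -
}

case "${1:-}" in
    print) shift; guest_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Run it with `print` first and read the output; the DNAT chain is what keeps a device with a hard-coded resolver working (and filtered) instead of silently losing DNS, and the final `drop` in the forward chain is what actually isolates the guest VLAN from everything that is not the WAN.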

📊 Monitoring & Reporting

What to Monitor

  • Bandwidth usage: Who's consuming the most? (identify issues)
  • Blocked attempts: What categories are being blocked most?
  • Top websites: What are people accessing?
  • Number of users: Track peak times for capacity planning
  • Incidents: Attempts to bypass filtering or access prohibited content

Reporting Tools

  • OpenDNS Dashboard: Shows blocked requests, top domains, categories
  • UniFi Controller: Real-time and historical network usage
  • Firewall reports: FortiGate/Sophos have extensive built-in reports
  • NextDNS Analytics: Beautiful, detailed query logs

Privacy Considerations

  • Most DNS services log domains, not full URLs (they see that a device resolved example.com, not which page it loaded)
  • HTTPS encrypts the page content and path, but the domain is still visible in the DNS query and usually in the TLS handshake (SNI), so domain-level logs are what you will have
  • Be transparent: Post a privacy policy stating what is logged, for how long, and who can see it; choose a log retention period and stick to it
  • Consider: Do you need to identify users, or just monitor aggregate traffic? Without a captive portal, logs show a device's IP or MAC address, not a person

📋 Implementation Checklist

Pre-Implementation

  • ☐ Define filtering policy and acceptable use guidelines
  • ☐ Get approval from leadership/board
  • ☐ Determine budget
  • ☐ Select hardware based on size and budget
  • ☐ Decide: Professional installation or DIY?
  • ☐ Choose filtering service (DNS or firewall-based)

Installation

  • ☐ Install and configure router/firewall
  • ☐ Set up DNS filtering or firewall content filtering
  • ☐ Install and position access points
  • ☐ Create separate SSIDs for guest/staff/admin (if applicable)
  • ☐ Configure VLANs and network segmentation
  • ☐ Set up bandwidth management (QoS)
  • ☐ Enable firewall rules to block VPNs and proxies

Testing

  • ☐ Test filtering with a name you have added to your own block list, or a test domain your provider publishes, rather than by browsing real inappropriate sites; it should resolve to the block page (or not at all)
  • ☐ Test legitimate sites (should work)
  • ☐ Test that a device with DNS manually set to a public resolver (e.g. 8.8.8.8) is still filtered
  • ☐ Test that a browser with DNS over HTTPS enabled (Firefox, Chrome's Secure DNS) and an Android device with Private DNS set are still filtered
  • ☐ Check WiFi coverage in all areas
  • ☐ Test bandwidth under load (simulate many users)
  • ☐ Verify guest network cannot access internal resources, including the router's own admin page and other guests' devices
  • ☐ Test on multiple device types (iOS, Android, laptop)

Documentation

  • ☐ Document network configuration (IP ranges, VLANs, passwords)
  • ☐ Create acceptable use policy poster/handout
  • ☐ Train staff on how to share WiFi password
  • ☐ Create troubleshooting guide for common issues
  • ☐ Establish contact for IT support

Launch

  • ☐ Announce new WiFi availability
  • ☐ Post acceptable use policy visibly
  • ☐ Monitor closely for first week
  • ☐ Collect feedback and adjust as needed

⚠️ Common Issues & Solutions

Issue: Filtering is being bypassed

Causes: Users changing DNS settings, using VPNs, or proxy sites

Solutions:

  • Force all guest DNS through your resolver: block or redirect (DNAT) outbound UDP/TCP 53 to anything other than your chosen servers. Do the same for encrypted DNS: block TCP 853 (DNS over TLS) and the known public DNS-over-HTTPS resolvers. Most filtering providers already answer NXDOMAIN for Firefox's canary name use-application-dns.net, which keeps Firefox's built-in DoH off; answering NXDOMAIN for mask.icloud.com and mask-h2.icloud.com tells Apple devices that iCloud Private Relay is not available on this network
  • Block common VPN ports (500 and 4500 for IPsec, 1194 for OpenVPN, 1723 for PPTP, 51820 for WireGuard) and the ESP, AH and GRE protocols; this catches default configurations only, since many VPN clients fall back to TCP 443
  • Use firewall-based filtering with application control instead of DNS-only
  • Block known VPN/proxy domains
  • Check the router's IPv6 settings: if guests get IPv6 but only the IPv4 DNS path is enforced, the filter can be bypassed over IPv6
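A check script to run from a device on the guest VLAN once the rules above are in place; it exercises the filtering and isolation items from the Testing checklist as well as the bypass paths just listed (hard-coded resolver, DNS over TLS, DNS over HTTPS, Firefox canary). This is an added example for this guide, not a vendor tool. The block-list name, block-page address, internal host and public resolver are placeholders to replace with your own values, and the script needs dig, curl and nc on the test device.

```shell
#!/bin/sh
# Guest-VLAN filtering checks. Added example for this guide; every address
# and domain below is a placeholder assumption, set them for your network.
#
# Usage: BLOCK_DOMAIN=some-name-on-your-blocklist sh check-guest.sh run

BLOCK_DOMAIN="${BLOCK_DOMAIN:-blockedtest.example}"   # a REAL name you put on your block list
BLOCK_PAGE_IPS="${BLOCK_PAGE_IPS:-0.0.0.0}"          # what your provider returns for blocked names
INTERNAL_HOST="${INTERNAL_HOST:-192.168.20.1}"       # something on the staff VLAN
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-8.8.8.8}"        # a resolver a user might hard-code

# dig +short output for a name, via the default resolver or a specific server.
resolve() {
    if [ -n "${2:-}" ]; then dig +short +time=3 +tries=1 "@$2" "$1" A 2>/dev/null
    else dig +short +time=3 +tries=1 "$1" A 2>/dev/null; fi
}

# $1 = dig +short output, $2 = space-separated block-page IPs.
# Blocked means no answer at all, or every address returned is a block-page IP.
# CNAME targets in dig output end in "." and are skipped. A name that simply
# does not exist also looks blocked, which is why BLOCK_DOMAIN must be real.
is_blocked_answer() {
    answer="$1"; blockips="$2"
    [ -z "$answer" ] && return 0
    for a in $answer; do
        case "$a" in *.) continue ;; esac
        matched=1
        for b in $blockips; do [ "$a" = "$b" ] && matched=0; done
        [ "$matched" -eq 0 ] || return 1
    done
    return 0
}

# $1 = "dig +noall +comments" output; true when the response status is NXDOMAIN.
is_nxdomain() {
    printf '%s\n' "$1" | grep -q 'status: NXDOMAIN'
}

check() {   # $1 = description, $2 = exit status of the check just run
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; FAILS=$((FAILS + 1)); fi
}

run_checks() {
    FAILS=0
    is_blocked_answer "$(resolve "$BLOCK_DOMAIN")" "$BLOCK_PAGE_IPS"
    check "block-listed name is blocked via the DHCP-assigned resolver" $?
    # With DNS redirected to your resolver the answer is the same block page;
    # with plain port-53 blocking the query times out. Both count as blocked.
    is_blocked_answer "$(resolve "$BLOCK_DOMAIN" "$PUBLIC_RESOLVER")" "$BLOCK_PAGE_IPS"
    check "block-listed name still blocked when asking $PUBLIC_RESOLVER directly" $?
    # Firefox keeps its built-in DoH off when this canary name returns NXDOMAIN.
    is_nxdomain "$(dig +noall +comments +time=3 use-application-dns.net A 2>/dev/null)"
    check "use-application-dns.net returns NXDOMAIN (Firefox DoH stays off)" $?
    ! nc -z -w 3 1.1.1.1 853 2>/dev/null
    check "DNS over TLS (TCP 853) unreachable" $?
    ! curl -s --max-time 5 -o /dev/null 'https://dns.google/resolve?name=example.com&type=A'
    check "public DNS over HTTPS (dns.google) unreachable" $?
    ! nc -z -w 3 "$INTERNAL_HOST" 80 2>/dev/null
    check "staff VLAN host $INTERNAL_HOST unreachable from guest VLAN" $?
    echo "$FAILS check(s) failed"
    [ "$FAILS" -eq 0 ]
}

case "${1:-}" in run) run_checks ;; esac
```

Run it from a phone hotspot or laptop joined to the guest SSID, not from the admin network, and repeat it after every firmware update or filtering-policy change; the second DNS check is the one that most often regresses, because a vendor update can quietly reset the DNS redirect rule.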

Issue: Legitimate sites are blocked

Causes: Overly aggressive filtering, miscategorized sites

Solutions:

  • Create whitelist for commonly needed sites
  • Review and adjust filtering categories (e.g., maybe "social media" is too broad)
  • Report miscategorized sites to DNS provider
  • Provide "request unblock" process for users

Issue: WiFi is slow

Causes: Too many users, bandwidth limits, poor coverage

Solutions:

  • Implement per-user bandwidth limits (prevent one user hogging)
  • Upgrade internet connection if consistently saturated
  • Add more access points to distribute load
  • Use 5GHz band for capable devices
  • Block bandwidth-heavy activities (video streaming, torrenting)

Issue: Can't manage network remotely

Causes: No cloud management, firewall blocks remote access

Solutions:

  • Use cloud-managed equipment (UniFi, Meraki)
  • Set up secure VPN for remote access
  • Enable remote management in the firewall only from inside the VPN or from allowlisted addresses, with multi-factor authentication; never expose the admin interface directly to the internet

📜 Sample Acceptable Use Policy

[Institution Name] Guest WiFi - Acceptable Use Policy

We provide complimentary filtered internet access for our community. By using this network, you agree to:

Acceptable Uses:

  • Email and communication
  • Educational research and learning
  • Work-related activities
  • Appropriate social media and entertainment

Prohibited Uses:

  • Accessing inappropriate, illegal, or offensive content
  • Attempting to bypass content filtering or security
  • Illegal file sharing or copyright violation
  • Hacking, port scanning, or network attacks
  • Excessive bandwidth consumption that impacts others
  • Commercial activities without permission

Monitoring & Privacy:

We monitor network traffic for security and compliance. Domain names visited are logged but specific page content is not visible due to HTTPS encryption. Logs are kept for [N] days and reviewed only by [IT Contact/role]. We do not sell or share your data.

No Expectation of Privacy:

This is a shared public network. Do not transmit sensitive information over it unless the site uses HTTPS; for highly sensitive transactions, prefer your own cellular connection. Personal VPN services are blocked on this network so that content filtering remains effective.

Enforcement:

Violations may result in immediate disconnection from the network and/or referral to appropriate authorities.

Questions? Contact: [IT Contact]