As I could not find a solution, I opted for another way to solve this issue:
- I included in the router a command to point www.google.com to the IP to 216.239.38.120 (Cisco: ip host www.google.com 216.239.38.120). This is the IP for the version of the google search with no explicit images of sex.
- I configured the router to be a dns server (Cisco: ip dns server); also the dns servers for this router (Cisco: ip name-server 1.1.1.1 8.8.8.8).
- I configured the dhcp so the dns server for the clients is the router IP.
- In the controller, created a role to assign to the clients, with the next rules:
- One rule to allow www.google.com
- Another rules to block pornography and search-engines
- The last rules to allow traffic.
With this configuration I only allow to use www.google.com to use for searching; the rest are blocked. Fortunately, google has a version for safe search.
P.S: Actually, I permit www.google.com and www.google.es. Both in the router point to the same IP 216.239.38.120.