Netgate Discussion Forum

    Block redirect

    Firewalling
    firewall alias redirect rules
tbr281

Hi there, I'm fairly new to pfSense. I set some firewall aliases and rules that work great. My question is whether there is a way to redirect to another address or IP when blocked? For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out, I'd want it to redirect to DuckDuckGo.

rcoleman-netgate (Netgate) @tbr281

        @tbr281 said in Block redirect:

Hi there, I'm fairly new to pfSense. I set some firewall aliases and rules that work great. My question is whether there is a way to redirect to another address or IP when blocked? For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out, I'd want it to redirect to DuckDuckGo.

Not exactly... You could have those "dirty websites" resolve via a DNS record to a web server internal to your network that redirects to DDG. But that wouldn't stop people from using outside DNS servers, so you'd want a combination of maybe pfBlockerNG and blocking third-party DNS (as well as DoH), but YMMV.

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

viragomann @tbr281

          @tbr281 said in Block redirect:

For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out...

Create reject rules instead of block rules. This prevents the browser from trying to connect until the timeout is reached.

tbr281 @rcoleman-netgate

@rcoleman-netgate I do have pfBlocker running, but some stuff is still getting through…

tbr281 @viragomann

              @viragomann said in Block redirect:

              @tbr281 said in Block redirect:

For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out...

Create reject rules instead of block rules. This prevents the browser from trying to connect until the timeout is reached.

              Thanks! That fixed that issue. Just wish it would redirect it. I appreciate the heads up though.

Gertjan @tbr281

                @tbr281 said in Block redirect:

                Just wish it would redirect it.

Even "dirty websites" use TLS these days. Easy to recognise: their URL starts with https://

Without drastic measures on your LAN, that is, on all your web-visiting devices and on pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo.
Your browser won't allow this.
The test, "is the host name 'dirty websites' present in the certificate obtained?", will fail.
Have a look:

[image attachment: certificate shown by the browser]

That doesn't look like "dirty websites": your browser will refuse the connection.

If it were possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), you would now get the access credentials.
And five minutes later you could access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want.
The thing is, why would you ask if something is possible if you don't want it to be possible?
After all, https://"dirty websites", https://facebook.com, https://some-bank-acess-you-use or https://some-bank-access-you-use: for your PC, switch, pfSense, your ISP's upstream routers etc., it's all the same: a connection to some server over TCP port 443.

No "help me" PMs please. Use the forum; the community will thank you.
Edit: and where are the logs??

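The certificate name check Gertjan describes is what makes a firewall-level "redirect" of an HTTPS site impossible: the browser asked for one host name, the steered TCP session lands on a server presenting a certificate for another, and the check fails. The example below (added here, not code from pfSense or from anyone in this thread) implements the RFC 6125 style matching of a requested host name against a certificate's subjectAltName list, including the wildcard rules browsers apply; the SAN list is a constructed sample in the shape `ssl.getpeercert()` returns, not copied from any real certificate.

```python
import ipaddress

# Constructed sample: the SAN list a certificate presented by the redirect
# target (a DuckDuckGo-style site) might carry. Not copied from a real cert.
REDIRECT_TARGET_SAN = [("DNS", "duckduckgo.com"), ("DNS", "*.duckduckgo.com")]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName SAN entry against a host name."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Browsers accept a wildcard only as the whole left-most label, with at
    # least two labels after it ("*.example.com" ok, "*.com" and "a*.x.com" not).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard covers exactly one non-empty label, so "a.b.example.com"
    # is not matched by "*.example.com".
    return len(h_labels) == len(p_labels) and bool(h_labels[0]) and h_labels[1:] == p_labels[1:]


def hostname_in_certificate(requested_host: str, san_entries) -> bool:
    """Return True if the host the browser asked for is covered by the SAN list.

    san_entries mimics ssl.getpeercert()['subjectAltName']: (type, value)
    pairs whose type is 'DNS' or 'IP Address'.
    """
    try:
        ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        ip = None
    for san_type, value in san_entries:
        if ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the cert: ignore it
        elif ip is None and san_type == "DNS" and _dns_name_matches(value, requested_host):
            return True
    return False


if __name__ == "__main__":
    # The user typed https://dirty-website.example, but the session was steered
    # to the DuckDuckGo server; the name check, not the firewall, decides.
    for host in ("dirty-website.example", "duckduckgo.com", "www.duckduckgo.com"):
        verdict = "accepted" if hostname_in_certificate(host, REDIRECT_TARGET_SAN) else "REFUSED"
        print(f"{host:>24}: {verdict}")
```

The same check is why the look-alike bank name in Gertjan's post is refused: a certificate for `some-bank-access-you-use` does not cover a request for `some-bank-acess-you-use`.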
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.