How to best secure a guest network

michmoor

Got a request to secure a computer lab at a K12 institution and a Guest Network.
Normally Im a "deploy an agent on the endpoint" kind of engineer but i obviously can't do this for Guests. How I handled this in the past is to use a proxy on the Guest to limit the sites i dont want people to go [porn,guns,religion,etc..]
Here's the problem.....A pfSense is in use. I generally dont use pfsense for any content filtering because it simply cant do it effectively. Ive been toying with Squid on my private time trying to make it work before i consider deploying it but its honestly a headache. In Transparent mode.
Can anyone think of creative uses that i can use to secure a Guest Network? Maybe pfBlocker?

SteveITS

@michmoor pfBlocker's DNSBL can block sites via DNS by feed. Note the UT1 "adult" list is large...over 1 GB disk space to extract it. Also note to use DNS blocking effectively you have to block DOH and third party DNS servers as well. This is a bit on the overly complex side but is pretty complete:
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

By default DNSBL shows a "block" page which means any HTTPS won't match the cert/name.

michmoor

@SteveITS UT1 list i had issues extracting that on my personal fw at home. Defintely dont want to do it here. DoH will be the challenge and yes your pdf seems complete. Thanks for that. I'll let this thread know how its going along. Figured i will spend Saturday implementing.

michmoor

@SteveITS So i decided to take the smart(maybe lazy) way out. OpenDNS. Created a free account. URL Filtering by category. Set those to block. Point guest network to use those DNS servers. Im done.

You know I would really pay close to a king's ransom if there was some built-in subscriber-based url filtering service in my pfsense+. Just saying...Dreaming out loud

RobbieTT

@michmoor Only works that way if clients honour the DNS setting. Otherwise you will need to redirect DNS requests to your ideal path, then comes the issue of DoH, VPNs and, to a lesser degree DoT. Probably should mention HTTP/3 (encompassing QUIC) too.

Frankly I let the guest network have the least external restrictions (aside from illegal stuff) and log all their details for the 'not me gov' response if needed down the line.

Fun and games with this kind of stuff.

️

michmoor

@RobbieTT said in How to best secure a guest network:

Only works that way if clients honour the DNS setting.

Yep but in my mind its the best i can do. For clients that dont use DoH or DoT then the dns blocking works. For those clients who dont, they dont. @SteveITS provided a very comprehensive way of blocking DoH but at the end of the day this is a Guest Network. Dont think the juice is worth the squeeze as the expression goes.

@RobbieTT said in How to best secure a guest network:

Frankly I let the guest network have the least external restrictions (aside from illegal stuff)

How exactly do you prevent "illegal stuff" if you can't prevent them from getting to those sites if they are not respecting the provided DHCP DNS server settings?

RobbieTT

@michmoor said in How to best secure a guest network:

How exactly do you prevent "illegal stuff" if you can't prevent them from getting to those sites if they are not respecting the provided DHCP DNS server settings?

I do my level best to stop the horrors of child abuse, starting with a filtered DNS provider, down to filtering at the router. I know that the determined criminal could get around these things but at least I can demonstrate that I did all I could to prevent it and that I keep full usage logs so the police could try and find them, should they ever arrive at the door with a warrant.

️