Netgate Discussion Forum

Block All WEB SITES Except https://web.whatsapp.com

General pfSense Questions
  • A
    am.steen
    last edited by am.steen Feb 19, 2025, 10:32 PM Feb 19, 2025, 10:22 PM

    I am new to pfSense, so my question may be simple.
    I installed pfSense Community Edition on a server and it works well.
    But my boss asked me to change the settings to block all web sites except https://web.whatsapp.com.
    I googled and found these videos:
    https://www.youtube.com/watch?v=yScnDnrNkhM
    https://www.youtube.com/watch?v=_4zlUUase4s
    I tried both, but they block all traffic, including web.whatsapp.com.


    Please help

    • G
      Gertjan @am.steen
      last edited by Feb 20, 2025, 9:15 AM

      @am-steen
      Look at what Aliases tells you.

      The very first Note is very important (should be marked with orange even red).


      And guess what, whatsapp.com is ..... you knew it, facebook.
      facebook has zillions of IP addresses. Not just 'one'. And they change constantly.
      So you can get an IP from the host name, and use that.
      Even if the alias's host name to IP function would return every IP (CNAME, whatever) it would be already invalid moments later.
      Why? Let's say: if you worked for facebook, wouldn't you be looking for a way so that no one can block you, or even determine what access is needed to contact them? You would do everything so your clients (who bring in the trillions of revenue) can reach your sites / services.

      Even blocking everybody (the whole Internet) but passing the ASN (they have their own) will do what you want, but other facebook services like their web site, Messenger etc. will also be available.

      Blocking, or passing the big players is .... hard.

      I guess there are lists available out there that list every facebook IP/network. Their usage is shuffled around constantly.

      @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

      But my boss asked me to change settings to block All WEB SITES Except https://web.whatsapp.com.

      He was probably joking ... see what you come up with.
      If he wasn't: really? What is the goal? Why?
      When your network users are limited like that, they will do what I surely do: they stop using it right away.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • J
        JonathanLee
        last edited by Feb 20, 2025, 2:14 PM

        Squid could do it with the GET requests; it doesn’t need to look at IP addresses, it doesn’t care.

        Make sure to upvote

        • M
          mcury @JonathanLee
          last edited by mcury Feb 21, 2025, 2:28 PM Feb 20, 2025, 2:35 PM

          @JonathanLee said in Block All WEB SITES Except https://web.whatsapp.com:

          Squid could do it with the GET requests; it doesn’t need to look at IP addresses, it doesn’t care.

          What about the redirections ?

          You would need to know all of them, and keep updating them because they keep changing all the time.

          I would need to do some testing, but there is a possibility as follows:

          Create an alias using pfBlockerNG with the following AS:
          AS32934, AS132676, AS32934

          Create a firewall rule that allows 80/443/5222 TCP to the alias created above.
          Create a second rule blocking everything else from this host to the Internet (assuming DNS to pfSense is already permitted).

          Use Unbound to redirect everything else in this AS, such as facebook.com and Instagram.com to 0.0.0.0, remember to use access-control-view.

          Example to block these sites for 192.168.1.69 IP address.

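          server:
              # apply the "blocksites" view to queries from this client only
              access-control-view: 192.168.1.69/32 blocksites

          view:
              name: "blocksites"
              # static zones with no local-data: names under them are answered
              # locally (nodata/nxdomain) instead of being resolved
              local-zone: "facebook.com" static
              local-zone: "instagram.com" static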
          

          Then test it. It will probably work, but external redirections could still be a problem.
          As I said, it needs testing.

          dead on arrival, nowhere to be found.

          • S
            stephenw10 Netgate Administrator
            last edited by Feb 20, 2025, 3:28 PM

            Yes I would try to do this using AS numbers. It's most likely to actually work IMO.

            • A
              am.steen @Gertjan
              last edited by Feb 20, 2025, 3:30 PM

              @Gertjan
              First of all, thanks for your response.

              In fact, this server lies in an area that lacks an internet connection, so we use a limited, expensive-bandwidth 4G connection for this site; we have to limit usage to WhatsApp messages only.

              As I said, I am new to pfSense. My problem is different: you say it is difficult to block web.whatsapp.com, while I block all traffic and need to allow web.whatsapp.com
              only, not to block it.

              Note: I do not know how to open the logs.

              Any suggestions ??

              • M
                mcury @am.steen
                last edited by mcury Feb 21, 2025, 2:47 PM Feb 21, 2025, 2:47 PM

                @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

                Any suggestions ??

                Info:

                Text Message (Regardless of the length) 10 KB (Per Text)
                ++++++++++++++
                I downloaded a 16-second audio message and checked its size:
                16 seconds audio message:
                size: 36,4 KB (37.297 bytes)
                size in disk: 40,0 KB (40.960 bytes)
                ++++++++++++++
                Whatsapp voice call data usage (based on my research):
                a one-minute voice call will use around 400KB to 1MB, so let's consider 1MB (worst case).
                ++++++++++++++

                Based on the info above, your major problem would be video calls and file transfers.

                According to the Whatsapp FAQ: https://faq.whatsapp.com/846009687015768/?helpref=platform_switcher&cms_platform=windows-desktop&cms_id=846009687015768&draft=false
                Voice calls will use UDP and TCP ports 3478, 3480, and 3484, which we didn't open, so that should already be blocked.

                The next step would be to test what is working and what isn't with the suggested configuration; test everything.

                dead on arrival, nowhere to be found.

                • G
                  Gertjan @am.steen
                  last edited by Feb 21, 2025, 2:51 PM

                  @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

                  Note: I do not know how to open the logs.

                  Go to Status > System Logs

                  pfBlocker, a nice shortcut is hiding in plain sight:


                  Or Firewall > pfBlockerNG > Log Browser and pick your file in the second pull-down box.

                  For the no-mouse solution : console or SSH, menu option 8 and then

                  cd /var/log
                  

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??
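
One way to carry out the "test everything" step suggested in the posts above, using the firewall log, added here as an example and not code from any poster or from pfSense: it sorts the restricted host's blocked flows by whether the destination falls inside the ASN alias. The alias prefixes (documentation ranges), interface name and log lines are constructed; the CSV field positions assume pfSense's raw filterlog layout for IPv4.

```python
import ipaddress
from collections import Counter

# Assumptions, not taken from the thread: documentation prefixes stand in for the
# pfBlockerNG ASN alias, and the log lines below are constructed samples.
ALIAS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
ALLOWED_TCP = {80, 443, 5222}   # ports in the proposed pass rule
HOST = "192.168.1.69"           # client from the thread's Unbound example

SAMPLE_LOG = """\
Feb 21 14:50:01 fw filterlog[411]: 7,,,1700000002,igb1,match,block,in,4,0x0,,64,101,0,DF,17,udp,120,192.168.1.69,198.51.100.20,50000,3478,100
Feb 21 14:50:02 fw filterlog[411]: 7,,,1700000002,igb1,match,block,in,4,0x0,,64,102,0,DF,6,tcp,60,192.168.1.69,192.0.2.80,50001,443,0,S,1,,64240,,mss
Feb 21 14:50:03 fw filterlog[411]: 7,,,1700000002,igb1,match,block,in,4,0x0,,64,103,0,DF,6,tcp,60,192.168.1.69,192.0.2.80,50002,443,0,S,2,,64240,,mss
Feb 21 14:50:04 fw filterlog[411]: 6,,,1700000001,igb1,match,pass,in,4,0x0,,64,104,0,DF,6,tcp,60,192.168.1.69,203.0.113.5,50003,443,0,S,3,,64240,,mss
Feb 21 14:50:05 fw filterlog[411]: 7,,,1700000002,igb1,match,block,in,4,0x0,,64,105,0,DF,6,tcp,60,192.168.1.69,203.0.113.5,50004,5222,0,S,4,,64240,,mss
Feb 21 14:50:06 fw filterlog[411]: 7,,,1700000002,igb1,match,block,in,4,0x0,,64,106,0,DF,6,tcp,60,192.168.1.50,192.0.2.80,50005,443,0,S,5,,64240,,mss
"""

def classify(line):
    """Return (category, dst, proto, dport) for a blocked IPv4 TCP/UDP flow from HOST, else None."""
    f = line.partition("]: ")[2].split(",")
    if len(f) < 23 or f[6] != "block" or f[8] != "4" or f[18] != HOST:
        return None
    proto, dst = f[16], f[19]
    if proto not in ("tcp", "udp"):
        return None
    dport = int(f[21])
    in_alias = any(ipaddress.ip_address(dst) in net for net in ALIAS)
    if not in_alias:
        category = "outside-alias"        # other sites, or an external dependency
    elif proto == "tcp" and dport in ALLOWED_TCP:
        category = "should-have-passed"   # check rule order and alias contents
    else:
        category = "alias-other-port"     # e.g. the voice-call ports left closed
    return category, dst, proto, dport

def summarise(log_text):
    """Count blocked flows per (category, dst, proto, dport)."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

if __name__ == "__main__":
    for (cat, dst, proto, dport), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {cat:20s} {dst}:{dport}/{proto}")
```

On the firewall, the same functions can be fed the contents of /var/log/filter.log, with ALIAS replaced by the prefixes the alias actually contains.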
