Netgate Discussion Forum

    Block All WEB SITES Except https://web.whatsapp.com

      am.steen
      last edited by am.steen

      I am new to pfSense, so my question may be simple.
      I installed pfSense Community Edition on a server and it works well.
      But my boss asked me to change the settings to block all web sites except https://web.whatsapp.com.
      I googled and found these videos:
      https://www.youtube.com/watch?v=yScnDnrNkhM
      https://www.youtube.com/watch?v=_4zlUUase4s
      I tried both, but they block all traffic, including web.whatsapp.com.


      Please help

        Gertjan @am.steen
        last edited by

        @am-steen
        Look at what Aliases tells you.

        The very first Note is very important (should be marked with orange even red).


        And guess what, whatsapp.com is ..... you knew it, Facebook.
        Facebook has zillions of IP addresses. Not just 'one'. And they change constantly.
        So you can get an IP from the host name, and use that.
        Even if the alias's host name to IP function would return every IP (CNAME, whatever), it would already be invalid moments later.
        Why? Let's say: if you worked for Facebook, wouldn't you be looking for a way so no one can block you, or even determine what access is needed to contact them? You would do everything so your clients (who bring in the trillions of revenue) can reach your sites / services.

        Even blocking everybody (the whole Internet) but passing the ASN (they have their own) will do what you want, but other Facebook services like their web site, Messenger etc. will also be available.

        Blocking, or passing the big players is .... hard.

        I guess there are lists available out there that list every facebook IP/network. Their usage is shuffled around constantly.

        @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

        But my boss asked me to change settings to block All WEB SITES Except https://web.whatsapp.com.

        He was probably joking ... to see what you come up with.
        If he wasn't: really? What is the goal? Why?
        When your network users are limited like that, they will do what I would surely do: they stop using it right away.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          JonathanLee
          last edited by

          Squid could do it with the GET requests; it doesn’t need to look at IP addresses, it doesn’t care.

          Make sure to upvote

            mcury @JonathanLee
            last edited by mcury

            @JonathanLee said in Block All WEB SITES Except https://web.whatsapp.com:

            Squid could do it with the GET requests; it doesn’t need to look at IP addresses, it doesn’t care.

            What about the redirections ?

            You would need to know all of them, and keep updating them because they keep changing all the time.

            I would need to do some testing, but there is a possibility as follows:

            Create an alias using pfBlockerNG with the following AS:
            AS32934, AS132676, AS32934

            Create a firewall rule that allows 80/443/5222 TCP to the alias created above.
            Create a second rule blocking everything else from this host to the Internet (assuming DNS to pfSense is already permitted).

            Use Unbound to redirect everything else in this AS, such as facebook.com and Instagram.com to 0.0.0.0, remember to use access-control-view.

            Example to block these sites for 192.168.1.69 IP address.

            server:
                access-control-view: 192.168.1.69/32 blocksites

            view:
                name: "blocksites"
                local-zone: "facebook.com" static
                local-zone: "instagram.com" static

            Then test it. It will probably work, but external redirections could still be a problem.
            As I said, it needs testing.

            dead on arrival, nowhere to be found.
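
A small model of the rule order and Unbound view proposed in the post above, added here as an illustration and not part of the thread. The alias prefixes are constructed placeholders, and the firewall LAN address 192.168.1.1 and all function names are assumptions.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges) standing in for the
# prefixes a pfBlockerNG ASN alias would contain; these are not real Meta networks.
AS_ALIAS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
PFSENSE_LAN = ipaddress.ip_address("192.168.1.1")  # assumed firewall LAN address
CLIENT = ipaddress.ip_address("192.168.1.69")      # host used in the post's Unbound view
BLOCKED_ZONES = ("facebook.com", "instagram.com")  # zones made "static" in the view

def in_alias(addr):
    return any(addr in net for net in AS_ALIAS)

# Ordered rules for the client; the first matching rule decides.
RULES = [
    ("pass DNS to pfSense",
     lambda f: f["dst"] == PFSENSE_LAN and f["dport"] == 53, "pass"),
    ("pass TCP 80/443/5222 to AS alias",
     lambda f: f["proto"] == "tcp" and f["dport"] in (80, 443, 5222)
     and in_alias(f["dst"]), "pass"),
    ("block everything else from this host",
     lambda f: f["src"] == CLIENT, "block"),
]

def flow(dst, proto, dport, src=CLIENT):
    return {"src": src, "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

def evaluate(f):
    """Return (action, rule name) for a flow, defaulting to block."""
    for name, match, action in RULES:
        if match(f):
            return action, name
    return "block", "implicit default deny"

def dns_allowed(qname):
    """False when the name falls inside a zone the view answers locally with no address."""
    q = qname.rstrip(".").lower()
    return not any(q == z or q.endswith("." + z) for z in BLOCKED_ZONES)

def reachable_by_name(qname, resolved_ip, proto, dport):
    """A browser needs both a DNS answer and a firewall pass."""
    return dns_allowed(qname) and evaluate(flow(resolved_ip, proto, dport))[0] == "pass"

if __name__ == "__main__":
    print(reachable_by_name("web.whatsapp.com", "203.0.113.10", "tcp", 443))  # allowed
    print(reachable_by_name("facebook.com", "203.0.113.20", "tcp", 443))      # DNS view stops it
    print(evaluate(flow("203.0.113.20", "tcp", 443)))   # by bare IP the firewall still passes
    print(evaluate(flow("203.0.113.10", "udp", 3478)))  # UDP is outside the passed ports
    print(evaluate(flow("192.0.2.5", "tcp", 443)))      # outside the alias: blocked
```

The third call shows why the DNS view is needed on top of the AS alias: at the IP layer every service hosted in the same AS matches the pass rule.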

              stephenw10 Netgate Administrator
              last edited by

              Yes I would try to do this using AS numbers. It's most likely to actually work IMO.

                am.steen @Gertjan
                last edited by

                @Gertjan
                First of all thanks for your response

                In fact, this server is in an area that lacks an internet connection, so we use a limited, expensive 4G connection for this site; we have to limit usage to WhatsApp messages only.

                As I said, I am new to pfSense. My problem is different: you say it is difficult to block web.whatsapp.com, while I block all traffic and need to allow web.whatsapp.com only, not to block it.

                Note: I do not know how to open the logs.

                Any suggestions ??

                  mcury @am.steen
                  last edited by mcury

                  @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

                  Any suggestions ??

                  Info:

                  Text message (regardless of the length): 10 KB (per text)
                  ++++++++++++++
                  I downloaded a 16-second audio message and checked its size:
                  16-second audio message:
                  size: 36,4 KB (37.297 bytes)
                  size on disk: 40,0 KB (40.960 bytes)
                  ++++++++++++++
                  WhatsApp voice call data usage (based on my research):
                  a one-minute voice call will use around 400KB to 1MB, so let's consider 1MB (worst case).
                  ++++++++++++++

                  Based on the info above, your major problem would be video calls and file transfers.

                  According to the Whatsapp FAQ: https://faq.whatsapp.com/846009687015768/?helpref=platform_switcher&cms_platform=windows-desktop&cms_id=846009687015768&draft=false
                  Voice calls will use UDP and TCP ports 3478, 3480, and 3484, which we didn't open, so that should already be blocked.

                  Next step would be to test, what is working and what isn't, with the suggested configuration, test everything.

                    Gertjan @am.steen
                    last edited by

                    @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

                    note: I do not know how to open logs

                    Go to Status > System Logs

                    pfBlocker: a nice shortcut is hiding in plain sight:

                    Or Firewall > pfBlockerNG > Log Browser and pick your file in the second pull-down box.

                    For the no-mouse solution : console or SSH, menu option 8 and then

                    cd /var/log
                    
