Netgate Discussion Forum

    How to allow to open all the blocklist for a single IP in pfsense

    General pfSense Questions
    ugendar

      Hello users,

      I have a doubt regarding pfSense settings.

      I have blocked websites like Facebook and YouTube in my pfSense so that no one in my office can access them. Is there any way that I can allow only specific systems or IP addresses to access these blocked websites and disallow them for other systems or IP addresses?

      josekym

        How did you block access in the first place? SquidGuard (SG)? Are you in transparent proxy mode?

        You can do:

        1. In SG, you can create a specific group under "Groups ACL" and allow access to one or more IP addresses you specify. You can define custom URL categories/lists which the IPs have access to.

        2. Bypass the proxy completely by entering the target IP address in the "Bypass proxy for these source IPs" list under Proxy Server. Doing this bypasses Squid altogether, so I do not recommend it as a primary option.

        Also, double-check that your URL blocklists are not easily bypassed by using HTTPS; use firewall rules to control HTTPS traffic from your LAN hosts.

        ugendar

          I have blocked it via the DNS forwarder. I have also tried the steps you suggested, but it is not working. If I don't block it via the DNS forwarder, it doesn't block access to those websites at all.

          wallabybob

            @ugendar:

            I have blocked it via the DNS forwarder.

            How? Did you create DNS forwarder entries for ALL the IP addresses facebook.com currently maps to? (At my location, facebook.com maps to at least 69.171.237.16, 69.171.234.21, 66.220.152.16, 66.220.149.88, 69.171.247.21)

            Did you reboot the client or wait for old entries in the client DNS cache to time out?

            @ugendar:

            I have also tried the steps you suggested, but it is not working.

            Have you reset firewall states after changing the rule(s)? See Diagnostics -> States, click on Reset States

            As noted above, facebook.com is a challenge because it typically maps to a number of distinct IP addresses.

            GruensFroeschli

              You can set a domain override for facebook.com pointing to a nonsense IP.
              (I usually set it to an unused IP in the local subnet when I "block" a domain like this.)

              However, with such a setup it's not possible to change the behaviour for one or multiple specific IPs.

              You might want to look into a "proper" solution to block domains
              (e.g. SquidGuard).

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

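Added example, not part of any post in this thread: a hand-written pf(4) ruleset fragment showing the firewall-rule approach josekym mentions, with the per-source-IP exemption that GruensFroeschli notes a DNS override cannot provide. pfSense generates its own pf rules from the GUI, so this is not pfSense output; it mirrors what a LAN rule set built from two aliases does. The interface name, the exempt host addresses and the table names are assumptions; the destination addresses are the facebook.com addresses wallabybob listed, which change over time.

```pf
# Illustration in raw pf(4) syntax, not rules generated by pfSense.
# Interface name, exempt hosts and table names are assumptions.
lan_if = "em1"

# Destinations to block: the facebook.com addresses listed earlier in the
# thread. A static list ages quickly; in pfSense an alias of FQDNs that is
# re-resolved periodically tracks such changes better than fixed IPs.
table <blocked_sites> { 69.171.237.16, 69.171.234.21, 66.220.152.16, \
                        66.220.149.88, 69.171.247.21 }

# The office hosts that are allowed through (assumed addresses).
table <exempt_hosts> { 192.168.1.10, 192.168.1.11 }

# pfSense evaluates interface rules top-down, first match wins ("quick"),
# so the exemption has to sit above the block.
pass in quick on $lan_if proto tcp from <exempt_hosts> \
    to <blocked_sites> port { 80, 443 }

# Everyone else is blocked on both HTTP and HTTPS. "return" sends a RST so
# the client fails fast instead of hanging until a timeout.
block return in quick on $lan_if proto tcp from any \
    to <blocked_sites> port { 80, 443 }

# Remaining LAN traffic passes as before.
pass in on $lan_if from $lan_if:network to any
```

Two practical notes: as wallabybob points out, existing connections keep matching their old state after a rule change, so reset states (Diagnostics -> States -> Reset States in pfSense, or `pfctl -F states` on raw pf) before testing; and because this filters by destination address rather than by name, it also covers HTTPS, which a DNS override or URL blocklist alone does not once a client has cached the name or uses a different resolver.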
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.