Netgate Discussion Forum

    New to PFsense - Transparency mode

    Off-Topic & Non-Support Discussion
      heirkeyso

      Hi.

      I'm new to pfSense. What is transparency mode? When should it be enabled? Is there a difference in the physical configuration when you enable or disable it?

      Your help will be greatly appreciated.

      Thank you.

        stephenw10 Netgate Administrator

        You mean a 'transparent firewall'?  http://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used%3F
        Or transparent proxy?
        http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

        Steve

          heirkeyso

          Sir,

          Thanks

          What is the difference between these two? My main purpose in using pfSense is web filtering, to limit the users of the internet or deny access to some websites.

          precious

            stephenw10 Netgate Administrator

            For web filtering you want to use Squid and Squidguard in transparent mode as described in the second link.
            Setting up a 'transparent firewall', with WAN and LAN bridged, can be tricky to set up and is only for specific scenarios.

            Steve

              heirkeyso

              Hi,

              I will do as instructed in the link.

              I want to know when to disable and enable transparency mode.

              Thank you

                stephenw10 Netgate Administrator

                If you use transparent mode Squid will intercept any http traffic on port 80 and proxy it. Clients behind pfSense will not be immediately aware it's happening and no client side setup is required.
                In non-transparent mode the Squid proxy listens on a different port and clients must be configured to use the proxy. You can block normal outgoing requests on port 80 such that clients are forced to use the proxy if necessary.

                Steve

                  heirkeyso

                  Thanks for the assistance

                  My next question is: if I use transparency mode, will it block https://www.facebook.com? I tried other software like Untangle; it cannot block https://www.facebook.com.

                    stephenw10 Netgate Administrator

                    Generally speaking it's much more difficult to block HTTPS traffic, as it should be; it's encrypted. You can force users to use your proxy and then do 'man in the middle' SSL filtering. There is a package up of Squid 3.3.4 that can do this, I'm not sure how complete it is yet: http://forum.pfsense.org/index.php/topic,62256.0.html

                    Alternatively you can try blocking facebook completely with firewall rules. There are a number of posts on the forum describing this.

                    Steve
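
Added example, not part of the original thread and not Squid or pfSense code: a small Python model of what a hostname filter can read from the first bytes of a connection in the cases discussed above (HTTP intercepted on port 80, a request sent to an explicitly configured proxy, and a TLS connection). The function names, the blocklist and the sample bytes are constructed for illustration.

```python
BLOCKED = {"facebook.com"}  # constructed sample blocklist

def is_blocked(host, blocked=BLOCKED):
    """Match the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def visible_host(first_bytes):
    """Hostname readable from a plaintext HTTP request, or None if there is none."""
    if first_bytes[:1] == b"\x16":
        # TLS handshake record: the HTTP request travels encrypted inside the
        # session, so an HTTP-only filter has no request line or header to parse.
        return None
    try:
        head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        # Explicit proxy, HTTPS tunnel: the client names host:port in clear text.
        return target.rsplit(":", 1)[0]
    if "://" in target:
        # Explicit proxy, plain HTTP: the request line carries an absolute URI.
        return target.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    for line in lines[1:]:
        # Intercepted port-80 traffic: origin-form request, host is in the header.
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":", 1)[0]
    return None

def decide(first_bytes):
    """Return 'block', 'allow', or 'opaque' when no hostname can be read."""
    host = visible_host(first_bytes)
    if host is None:
        return "opaque"
    return "block" if is_blocked(host) else "allow"

# Constructed sample inputs, one per case.
INTERCEPTED_HTTP = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
EXPLICIT_CONNECT = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"
EXPLICIT_HTTP = b"GET http://www.eyp.ph/ HTTP/1.1\r\nHost: www.eyp.ph\r\n\r\n"
TLS_HANDSHAKE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # truncated, constructed
```

The `opaque` result for the TLS sample is the case the answer above describes: without forcing clients through the proxy, or filtering at the firewall, the HTTP layer of an HTTPS connection is not available to match against.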

                      heirkeyso

                      Steve,

                      Thank you again for responding to my query.

                      Please see the attached file for the network diagram. This is a diagram of what I will do when setting up pfSense. Is this correct?

                      ![network diagram.jpg](/public/imported_attachments/1/network diagram.jpg)

                        stephenw10 Netgate Administrator

                        Yes, that looks correct.

                        Steve

                          heirkeyso

                          Sir,

                          With this network diagram the pfSense PC should have two network cards. One is for the internet and one is for the local area network.

                          Please verify if this is correct.

                          Can you suggest where I can read or find a tutorial about pfSense that is suitable for a newbie like me? I have tried searching on Google but I cannot find any good tutorial. I even tried searching on YouTube.

                          precious

                            stephenw10 Netgate Administrator

                            Yes, two network interfaces, that's correct.
                            This site has a lot of good information including a walk through of the initial setup: http://pfsensesetup.com/pfsense-setup-part-one/
                            It's not connected to the official pfSense site at all as far as I know.

                            Steve

                              heirkeyso

                              Steve,

                              How long have you been using pfsense? How is the performance? The reliability?

                              Precious

                                stephenw10 Netgate Administrator

                                I started out using Smoothwall then moved to IPCop. Then I went back to a SOHO router that was a lot cheaper to run (the IPCop box I was using was ancient!) but soon realised I wanted more control and started looking at the options out there. I had experimented with m0n0wall before and liked it so gave pfSense a go and have never looked back. I guess I've been using pfSense exclusively for about 3-4 years.
                                The performance has never been a problem for me. As long as you have sized the hardware correctly it won't be a problem.
                                The reliability has been excellent, the most reliable routing solution I've used, my experience is limited though. This does depend a lot on the hardware it's running on however. I'm using re-purposed Watchguard boxes which are designed to run 24/7 in a hot rack.

                                Steve

                                  heirkeyso

                                  Sir,

                                  Are you using pfSense right now? Do you access websites that have a button or link to Facebook when you set pfSense to block Facebook? Check www.eyp.ph and www.fabtech.com.ph to see if you can access these websites when you set pfSense to block Facebook. We want to access them even if the page has a button or link to Facebook or a social media network site.

                                  precious

                                    stephenw10 Netgate Administrator

                                    I have no need to block Facebook so I don't, even though I don't use it. So I can't easily test that, sorry.

                                    Steve

                                      heirkeyso

                                      Sir,

                                      How about blocking torrent downloads like uTorrent and equivalents? Is pfSense capable of doing this?

                                      Precious So

                                        stephenw10 Netgate Administrator

                                        You can do that using Layer7 filtering: http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7 Or you can block whatever ports the torrent client is using; however, most clients will attempt to work around that. It's very difficult to block torrent traffic completely as the client software is designed deliberately to get around it. You can block most torrent traffic using these methods though.
                                        If you are wanting to create a very restricted environment for users you should start from the other end. Block everything and then only allow what you want.

                                        Steve

                                          heirkeyso

                                          Sir,

                                          How about Skype? How can it be blocked?

                                            heirkeyso

                                            Sir,

                                            I have attached a network diagram. Is this possible?

                                            Thank you

                                            ![network diagram02.jpg](/public/imported_attachments/1/network diagram02.jpg)