New to PFsense - Transparency mode
-
Sir,
Are you using pfsense right now? Can you access a website that has a Facebook button or link when pfsense is set to block Facebook? Check www.eyp.ph and www.fabtech.com.ph to see if you can access these websites when pfsense is set to block Facebook. We want to access them even if the page has a button or link to Facebook or another social media network site.
precious
-
I have no need to block Facebook so I don't, even though I don't use it. So I can't easily test that, sorry.
Steve
-
Sir,
How about blocking the torrent download like utorrent and equivalent? Is pfsense capable of doing this?
Precious So
-
You can do that using Layer7 filtering. http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7. Or you can block whatever ports the torrent client is using however most clients will attempt to work around that. It's very difficult to block torrent traffic completely as the client software is designed deliberately to get around it. You can block most torrent traffic using these methods though.
If you are wanting to create a very restricted environment for users you should start from the other end. Block everything and then only allow what you want.
Steve
-
Sir,
How about skype? How to block it?
-
Sir,
I have attached a network diagram. Is this possible?
Thank you
![network diagram02.jpg](/public/imported_attachments/1/network diagram02.jpg)
-
There are many threads about blocking Skype. E.g. with Snort: http://forum.pfsense.org/index.php/topic,53584.0.html
You can build your network as in the diagram but why do you have two pfSense boxes?
Steve
-
Sir,
So that one can be used in transparency mode and the other in non-transparency mode.
Is this possible? Would there be a problem with this setup?
-
The non-transparent pfSense box must have a different subnet on each side. E.g. 192.168.0.* on the WAN side and 192.168.100.* on the LAN side. However I still don't see why you need two boxes. :-\
Steve
-
Sir,
Is the diagram I presented to you not good practice?
I want to use pfsense to provide the internet connection to the users, and at the same time block websites such as social media (Facebook, Twitter, etc.), instant messengers, torrents, etc. for the users. I also want to control which users are blocked and which are given full access to a website or URL.
Below are my concerns:
-> documentation or manual for setting up pfsense
-> if I have already finished setting up the box, how can I block https://www.facebook.com and https://www.twitter.com?
-> setting up port forwarding. Is it the same as configuring a Linksys router?
-> Will an i7 processor with 8GB RAM be enough for around 60 users?
Sorry for these questions. I'm just new to pfsense and I just want to know everything before I deploy it to our office network.
Thank you in advance for your response.
Precious
-
There is no need to have two pfSense boxes. Run a single box in non-transparent mode (the default) and run the web proxy, Squid, on it. Squid will run as a transparent proxy.
Port forwarding is similar to any SOHO router like the Linksys.
If your modem can run in bridge mode such that the pfSense WAN address is your real public IP that makes things a lot easier.
An i7 with 8GB of RAM is almost certainly more power than you need. What is your WAN connection speed?
Steve
-
Sir,
Please correct me if I'm wrong in my understanding. I run a single pfsense box, install the squid package and run it in transparency mode? Am I correct in my understanding?
I can make my modem run in bridge mode and I will configure the pfsense box WAN with the public IP address of the WAN or internet.
My WAN speed is up to 5mbps; the minimum is 1mbps.
Precious
-
Yes you're correct.
Almost any new hardware will be fine for a 5Mbps connection regardless of how many people you have behind it (within reason!). An i7 with 8GB is far far far more powerful than you need. Something like an Atom D2500 and 2-4GB will easily suffice. :)
Steve
-
Sir,
Thanks for the response.
How about NIC? Is there a recommended specification of NIC to run the pfsense smoothly?
Precious
-
Always choose Intel NICs where possible. Broadcom NICs are considered 2nd best. Do not get very new hardware as it may not be supported, the Intel i210 is not for example.
Steve
-
Sir,
Is configuring pfsense like configuring a SOHO router like Linksys and D-Link, only with more functionality?
-
In many ways it is very similar. However as you say because it has far more capability than most SOHO routers it must be more complex. Getting up and running is relatively easy and as long as you don't try to do everything at once adding extra features is not difficult. Just read up on it first.
Steve
-
Sir,
Thanks for the response.
I'm sorry also if I have so many questions regarding pfsense. I just want to make sure I know everything before I configure it and use it.
Do you know a website that can help me get started with pfsense? Or any documentation or video to follow? Basically I want pfsense to serve as a server for the internet that can block websites.
Precious
-
No problem. :)
To do that you should install pfSense as your network router.
Install the Squid web proxy package and get that working.
Install either the Squidguard or Dansguardian package to filter web content.
By far the best source of pfSense information is the official book. A new book is due out shortly that will cover 2.0.x and 2.1 in more detail.
There are a lot of pages in the docs wiki that cover installation and Squid etc.
There are a lot of good step-by-step guides at this site: http://pfsensesetup.com/ I don't believe that is related in any way to the dev team or any official source. Seems mostly correct though. :)
Steve
-
Sir,
I'm confused about the squid web proxy and squidguard. Are they 2 different packages to install?
-
Sir,
Just to add to my previous post.
What is the difference of the squid web proxy and squidguard? What is the purpose of each?
What is the title of the book and the author?
-
Squid is a web proxy server: http://www.squid-cache.org
Squidguard is an addon for Squid to allow URL filtering: http://www.squidguard.org
Dansguardian is an alternative to Squidguard that has more flexibility and options: http://dansguardian.org
The book is called 'pfSense: The Definitive Guide'. It's written by the project developers and is available from Amazon: http://www.amazon.com/gp/product/0979034280?ie=UTF8&tag=pfsense-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0979034280
Steve
-
Sir,
Should I install the squid and squidguard? Which better to use between the squidguard and dansguardian?
-
Sir,
Please see below if my understanding is correct about the squid, squidguard and dansguardian
Squid
- it's a proxy server that helps to cache websites for a certain network
- helps or improves internet browsing speed for the clients using the caching capability of squid
Squidguard
- it's an add-on of squid
- used for blocking a website based on URL only
- you can configure exceptions here for blocking a website, or which users you will allow for a certain website
Dansguardian
- it's a different or separate package from squid
- it can block a website using content filtering, meaning it will check the whole website to decide whether to allow access or block it.
These are my questions:
-> Are the statements above correct? Did I miss something? Kindly correct me or add to it if there is something wrong or missing.
-> Is it good practice (as a pfsense user) or is it common practice to install squid, squidguard and dansguardian?
-> What is squid3? Is it the same as squid?
Thank you in advance
-
Dansguardian still requires a proxy to operate so it is also in addition to Squid. The advantage of Dansguardian (as far as I know!) is that you have things like keywords and phrase matching. This means that even a new website that is not on blacklists can be blocked.
There are two Squid packages, 2.x and 3.x. Squid3 offers more features but is considered less stable and less well tested than the older Squid 2 series.
I am not an expert in these things. I have run Dansguardian in the past but not with pfSense. There are a number of threads here on the forum and many, many other web pages discussing Dansguardian vs Squidguard. For example: http://www.theninjageek.co.za/blog/2013/07/02/pfsense-squid3-and-dansguardian-a-better-alternative-to-squidguard/
Steve
-
If you use dansguardian, stick with squid and not squid3 unless it has a feature you absolutely need.
The combo of dansguardian + squid3 was sort of painful for me.
-
Sir,
Are you suggesting installing dansguardian and squid? And are these two the best combination for controlling access to websites?
-
No - What I'm suggesting is that IF you install dansguardian, squid might be less trouble than squid3. That's all I'm saying.
dansguardian does work OK to limit access to porn and things like that. It doesn't help limit anything in HTTPS though.
Also, really smart kids will figure out that they can search images and see the images without actually going to a porn site.
NOTHING works 100%
At best you can make it annoying to browse porn. Very difficult to stop it completely.
-
Sir,
Now I understand what you are trying to say. Which is better? Squidguard or dansguardian?
-
I don't know - I've never run squidguard. I'm sure lots of people have opinions on that issue.
You can ALSO control access to certain sites by using either OpenDNS or DynDNS.
Both of those will allow you to open an account and set up blocking preferences.
Then you can have pfsense get its DNS from OpenDNS or DynDNS and you can have everything on your network get its DNS from the pfsense DNS forwarder. This works very well also, either by itself or in combination with either dansguardian or squidguard.
Where are you located? I'd pick DNS service closest to you if you do that.
-
I'm from philippines
-
I REALLY miss that place :-[
Gotta get there again soon.
Anyway - I'd use OpenDNS - They have 2 servers near(ish) to you.
DynDNS only has 1 sort of close.
-
Sir,
I'm trying to configure pfsense for web proxy cache and content filtering using squid 3 and dansguardian. Based on my web search, one of the instructions is to configure the firewall to redirect all http requests on port 80 to 8080. When I follow their instructions I'm getting an SSL error and I cannot access the pfsense webconfiguration.
Below is the link that I followed for the configuration.
http://www.theninjageek.co.za/blog/2013/07/02/pfsense-squid3-and-dansguardian-a-better-alternative-to-squidguard/
Kindly assist me with this.
Thank you
-
You can direct all of port 80 in and that will work, but not port 443. OK?
-
If you put in a firewall rule that redirects all traffic on port 80 that may include traffic for the webgui. Either change the port the webgui listens on or add a rule above the squid rule to allow traffic to the webgui without redirection.
Steve
-
I'm confused. Is it necessary or mandatory to redirect the port? What is the purpose of doing it?
-
Redirecting port 80 is necessary in that configuration. It captures http requests from clients behind pfSense and sends them to Squid/Dansguardian.
Steve
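The redirect discussed in the replies above, and the exception rule that keeps the webgui reachable, as an added example that is not part of the thread or of pfSense: a Python model of first-match redirect evaluation over a small subset of pf's `rdr` syntax. The interface name em1, the firewall LAN address 192.168.1.1 and the proxy listener address 127.0.0.1 are assumed values; only ports 80 and 8080 come from the thread.

```python
import ipaddress
import re

# Constructed rulesets in a small subset of pf's translation-rule syntax.
# Assumed values: em1 = LAN interface, 192.168.1.1 = firewall LAN address
# (webgui), 127.0.0.1 port 8080 = proxy listener.
LOCKED_OUT = """
rdr on em1 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
"""
FIXED = """
no rdr on em1 proto tcp from any to 192.168.1.1 port 80
rdr on em1 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
"""

RULE = re.compile(
    r"^(?P<no>no\s+)?rdr on (?P<iface>\S+) proto tcp from any "
    r"to (?P<dst>\S+) port (?P<port>\d+)"
    r"(?: -> (?P<to>\S+) port (?P<to_port>\d+))?$"
)

def parse(text):
    """Parse one rule per line; reject anything outside the subset."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE.match(line)
        if m is None or (m["no"] is None) == (m["to"] is None):
            raise ValueError(f"unsupported rule: {line}")
        rules.append(m.groupdict())
    return rules

def translate(rules, iface, dst, port):
    """Return the (address, port) where a TCP packet ends up.

    Rules are checked top to bottom and the first match decides;
    a matching 'no rdr' leaves the packet untranslated.
    """
    for r in rules:
        if r["iface"] != iface or int(r["port"]) != port:
            continue
        if r["dst"] != "any" and (
            ipaddress.ip_address(dst) not in ipaddress.ip_network(r["dst"])
        ):
            continue
        if r["no"]:
            return dst, port
        return r["to"], int(r["to_port"])
    return dst, port

if __name__ == "__main__":
    for name, text in (("locked out", LOCKED_OUT), ("fixed", FIXED)):
        print(name, translate(parse(text), "em1", "192.168.1.1", 80))
```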
-
Sir,
I was trying to follow the instructions in the link I gave in the last post. I'm having trouble accessing the pfsense webconfig. Now I'm really confused and don't know what to do. Kindly assist me with this.
Thank you in advance.
-
Try this.
at the command line:
pfctl -d
Now - Access your pfsense web menu. Correct the rule that locked you out. When you are sure you have fixed the rule that caused the lock-out, then:
pfctl -e
You can always do this if you make a mistake and lock yourself out of the web interface.
-
Sir/Madam!
I am new to pfsense.
Please advise me which activities are allowed in this forum.