Guide to filtering web content (http and https) with pfsense 2.3

jbourn1907

Sorry I'm new in pfsense.

I have an internal DNS server windows server 2008. How can I blocked internal computers to direct access to http. I want to filter it through pfsense firewall. Can you give me some screen shots or sample of rules and where can I put this?

I want all computers to go first in pfsense proxy before connecting to internet. I already configure transparent proxy.

Thanks for the help.

aGeekhere

"How can I blocked internal computers to direct access to http"
read the part in the guide about blocking port 80 and 443 and instead of using pfsense as your DNS server use your internal one, (for more help on this issue ask in the Cache/Proxy forum).

"If I configure a VPN, I assume this will all still work? i.e. the filtering is done post decryption?….I'm not using the wpad portion of this, so I've ignore d what it says about VPNs in there..."
If the transparent proxy has issue with the vpn you may need to bypass it.

genesislubrigas

thanks for this tutorial.  i am not using dns resolver but bind.  can you also show how to configure bind.

aGeekhere

Have not used bind, but after a quick google try http://blog.muhammadattique.com/configuring-bind-dns-server-on-pfsense-firewall/

If it does not help ask in the main forum

nib01

"To stop users from bypassing your proxy setup a new firewall lan rule and block port 80 and 443
IPv4 TCP * * * 80 - 443 * none.
Save

Set your system to automatically detect settings (for windows it is in internet options connections lan settings).

You also have to set up the proxy setting for each program that cant connect (firefox, graphics drive software, vlc etc)

If you have programs that cannot connect and have no proxy setting you need to setup a firewall aliases
 Firewall/Aliases/IP
and add the destination server ip (use wire shark to help find the blocked Ips or in your firewall block rule enable Log packets that are handled by this rule, use http://ip-lookup.net/index.php to check what it is and add to the Aliases. If it is part of a domain add the domain)
now create a new firewall lan rule
IPv4 TCP * * * passAliases 80- 443 * pass rule.

Save"

Not sure where to setup/configure above firewall lan rule.

rsnsmh

Thank you for the guide - i got everything working as expected. However, I need to enable content filter on a 2nd interface (Guest). What sort of config addition is needed to enable content filtering on the 2nd additional interface.

bole5

In the Part 3 you refer to *.local in proxy.pac file as well as unbound configuration.

    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

When user sets up pfSense the domain defaults to "localdomain" in System/General Setup and there is explicit sentence about not using .local as a domain name:

Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS.

Do we need to modify the domain to "local" in System/General Setup or should we replace ".local" with ".localdomain"?

aGeekhere

Use a domain like this
pfsense.thisismydomain.local

Do not use
pfsense.local.local

The PAC does not need changing

molykule

Hi,

I am using the method mentioned here, through unbound. Is there a way i can let few static IP's skip the youtube safe settings in the unbound. I tried asking about segregating those ip's but then i have to use bind which i dont know about. If there is a way to skip the DMZ (i have lan, opt1, opt2 and dmz), that would help also, as i can put those static IP's on DMZ
I think it was mentioned somewhere to use port 5353 and use DNS forwader in conjunction with Unbound, but i cant find any tutorial for it. Also, i cant find any way to split the DNS i dont know if that would help. All I want is some computers can visit youtube and dont get blocked for videos. Even pfsense tutorials get blocked by it.
Any ideas as to where to look for or what to look for would help,
thanks for the great tutorial.

Molykule

huuur

Beautiful guide!
I decided to move from ipcop to pfsense just to filter some https, I followed this guide (with the updates). Everything seems to work fine before some users start complaining mainly android apps not working (play store, snapchat, whatsapp..etc) I managed to locate the blocked (using firewall log) then create a bypass rule with the IP or Port for the whole network, however other clients start having similar issues as if those apps working on different IPs for certain devices (all android)
I read this topic 4 times, reinstall from zero three times without any improvement towards this issue which begins after applying the proxy with wpad.
I appreciate any advice even if an easier approach to filter some unwanted https sites.
Thank you.

aGeekhere

On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.

huuur

@aGeekHere:

On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.

Finally, with manual proxy settings I have a stable communication with android devices.

You are the MAN!

huuur

@maverik1:

@aGeekHere:

Update Youtube safe mode
Click add under Host overrides
Host = www
Domain = youtube.com
IP =  216.239.38.120
Description = youtube
Save
NOTE: Safe search for youtube is not as advanced as google safe search, which results in a lot of safe content be filtered out.

How can we get this working with mobile devices Android and iOS that use the youtube mobile app or m.youtube.com?

I can't express how useful this guide been for me.

For the record I found the below is working for youtube mobile app safe search:

Host = youtube
Domain = googleapis.com
IP =  216.239.38.120
Description = youtube app1

Host = youtubei
Domain = googleapis.com
IP =  216.239.38.120
Description = youtube app2

and maybe..

Host = www
Domain = youtube-nocookie.com
IP =  216.239.38.120
Description = youtube nocookie

in addition to what's mentioned in Reply#60 for mobile browsers.

aGeekhere

Thanks huuur, that should help others.

Though it would be good if youtube was better at filtering videos.

aGeekhere

Update

You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).

vielfede

@aGeekHere:

Update

You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).

That works fine for me also setting Client proxy settings manually:
Proxy address/PORT= SQUID_IP 3128

And that only! Indeed if i specify different proxy settings for http/https in (client win10=> Internet Settings=>Lan settings=>Advanced=>

• http=SQUID_IP 3128
• https=SQUID_IP 3129

It does not work, as in the contrary I'd excpect….  ::)
Geek can you explain why?

aGeekhere

Does automatically detect settings work?

vielfede

@aGeekHere:

Does automatically detect settings work?

Ehmm sorry, could you explain me better what you mean? As I stated I do not use WPAD, I configure proxy manually on client see picture…

Thanks.
PS. Sorry to answer late

aGeekhere

if you have the transparent proxy working then you do not need to define the proxy server.

vielfede

If I use it in transparent mode, https does not work!
Better sometimes it works, sometimes it does not! (http works always!)

If anyone managed to get http+https in splice all + transparent mode work please let me know… ;)