Guide to filtering web content (http and https) with pfsense 2.3
-
In the Part 3 you refer to *.local in proxy.pac file as well as unbound configuration.
if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0")) return "DIRECT";When user sets up pfSense the domain defaults to "localdomain" in System/General Setup and there is explicit sentence about not using .local as a domain name:
Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS.Do we need to modify the domain to "local" in System/General Setup or should we replace ".local" with ".localdomain"?
-
Use a domain like this
pfsense.thisismydomain.localDo not use
pfsense.local.localThe PAC does not need changing
-
Hi,
I am using the method mentioned here, through unbound. Is there a way i can let few static IP's skip the youtube safe settings in the unbound. I tried asking about segregating those ip's but then i have to use bind which i dont know about. If there is a way to skip the DMZ (i have lan, opt1, opt2 and dmz), that would help also, as i can put those static IP's on DMZ
I think it was mentioned somewhere to use port 5353 and use DNS forwader in conjunction with Unbound, but i cant find any tutorial for it. Also, i cant find any way to split the DNS i dont know if that would help. All I want is some computers can visit youtube and dont get blocked for videos. Even pfsense tutorials get blocked by it.
Any ideas as to where to look for or what to look for would help,
thanks for the great tutorial.Molykule
-
Beautiful guide!
I decided to move from ipcop to pfsense just to filter some https, I followed this guide (with the updates). Everything seems to work fine before some users start complaining mainly android apps not working (play store, snapchat, whatsapp..etc) I managed to locate the blocked (using firewall log) then create a bypass rule with the IP or Port for the whole network, however other clients start having similar issues as if those apps working on different IPs for certain devices (all android)
I read this topic 4 times, reinstall from zero three times without any improvement towards this issue which begins after applying the proxy with wpad.
I appreciate any advice even if an easier approach to filter some unwanted https sites.
Thank you. -
On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.
-
On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.
Finally, with manual proxy settings I have a stable communication with android devices.
You are the MAN!
-
Update Youtube safe mode
Click add under Host overrides
Host = www
Domain = youtube.com
IP = 216.239.38.120
Description = youtube
Save
NOTE: Safe search for youtube is not as advanced as google safe search, which results in a lot of safe content be filtered out.How can we get this working with mobile devices Android and iOS that use the youtube mobile app or m.youtube.com?
I can't express how useful this guide been for me.
For the record I found the below is working for youtube mobile app safe search:
Host = youtube Domain = googleapis.com IP = 216.239.38.120 Description = youtube app1Host = youtubei Domain = googleapis.com IP = 216.239.38.120 Description = youtube app2and maybe..
Host = www Domain = youtube-nocookie.com IP = 216.239.38.120 Description = youtube nocookiein addition to what's mentioned in Reply#60 for mobile browsers.
-
Thanks huuur, that should help others.
Though it would be good if youtube was better at filtering videos.
-
Update
You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).
-
Update
You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).
That works fine for me also setting Client proxy settings manually:
Proxy address/PORT= SQUID_IP 3128And that only! Indeed if i specify different proxy settings for http/https in (client win10=> Internet Settings=>Lan settings=>Advanced=>
- http=SQUID_IP 3128
- https=SQUID_IP 3129
It does not work, as in the contrary I'd excpect…. ::)
Geek can you explain why? -
Does automatically detect settings work?
-
Does automatically detect settings work?
Ehmm sorry, could you explain me better what you mean? As I stated I do not use WPAD, I configure proxy manually on client see picture…
Thanks.
PS. Sorry to answer late
-
if you have the transparent proxy working then you do not need to define the proxy server.
-
If I use it in transparent mode, https does not work!
Better sometimes it works, sometimes it does not! (http works always!)If anyone managed to get http+https in splice all + transparent mode work please let me know… ;)
-
I just enabled it mitm, added a cert, set it to splice all and its working.
-
The guide is update but confusing. Can you please clean up the guide and have it step by step. Its somewhat hard to follow if you are not familiar with wpad and related firewall rules.
Thanks for the guide.
-
hi techbee, yeah after discovering a few new things the guide is a little messy now.
The transparent proxy with MITM (splice all) vs wpad should really be divided into two different choices. When I made the guide I did not know that all you need to get transparent proxy for https working is set splice all and create a cert for the router. So in fact you can now choose either using a wpad or the transparent proxy MITM or both.
when i get time I will try an clean it up a bit.
-
The transparent proxy with MITM (splice all) vs wpad should really be divided into two different choices. When I made the guide I did not know that all you need to get transparent proxy for https working is set splice all and create a cert for the router. So in fact you can now choose either using a wpad or the transparent proxy MITM or both.
Indeed I do not think MITM and splice all can work toghether, as stated on squid documentation MITM is associated to the "bump" directive that is something complety different from splice directive.
With MITM (bump) squid is able to decrypt traffic (and analyse it) meanwhile with splice all you can do is just "web filtering".
Summarizing
Directive Advantages/features Disadvantage
Splice (all) No needs of certificate installation on Clients + webfiltering No traffic analysis i.e no AntiVirus
Bump (MITM) Traffic analysis i.enoYES AntiVirus + webfiltering Needs to install certs on clientsPlease take a look here and let me know if I missed something. Thanks
http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
http://marek.helion.pl/install/squid.html -
The transparent proxy with MITM (splice all) vs wpad should really be divided into two different choices. When I made the guide I did not know that all you need to get transparent proxy for https working is set splice all and create a cert for the router. So in fact you can now choose either using a wpad or the transparent proxy MITM or both.
Indeed I do not think MITM and splice all can work toghether, as stated on squid documentation MITM is associated to the "bump" directive that is something complety different from splice directive.
With MITM (bump) squid is able to decrypt traffic (and analyse it) meanwhile with splice all you can do is just "web filtering".
Summarizing
Directive Advantages/features Disadvantage
Splice (all) No needs of certificate installation on Clients + webfiltering No traffic analysis i.e no AntiVirus
Bump (MITM) Traffic analysis i.e no AntiVirus + webfiltering Needs to install certs on clientsPlease take a look here and let me know if I missed something. Thanks
http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
http://marek.helion.pl/install/squid.htmlShouldn't the second one not have the word "no"..
-