Unofficial E2guardian package for pfSense

pfsensation · May 3, 2018, 7:33 PM

Hi my friend

pfsensation thank you so much lighsquid is Okey

I have one last problem

E2guardian how firewall rules should be PFSense does not work properly when restarting the machine

Try changing that to source "Lan net" and destination to the IP of the firewall. Make sure you have services such as DNS resolver correctly configured.

Also I wouldn't recommend removing the anti lockout rule or the default rules, it could help you a lot of you're new to networking… If you really want to force all traffic through the proxy, just make a rule on top of the rest. Remember the order of the rule goes from top to bottom.

landforces · May 4, 2018, 11:04 AM

Hi
is not the correct rule rule2 picture? I'm asking because some sources are different
for example, the expression here is in the form of rules everywhere for Lan net

https://www.youtube.com/channel/UCMjE1d9qiuLr7ldeIUM7AvA?spfreload=5

I really want to do how are your rules? you share

marcelloc · May 4, 2018, 12:44 PM

If you select the transparent mode, rules will be loaded by the package on pf automatically.

If you want to know what rules you need to allow e2guardian in non transparent mode, then it's easy. Just allow your lan net to e2guardian port. Default port on package is 8080.
In transparent mode it uses a second port for SSL interception 8081.

The video you post is based on e2guardian v4 and has a lot of config errors. On pfSense 2.4, you do not need squid package to get e2guardian up and running.

landforces · May 4, 2018, 2:20 PM

hi Marcello

I use it in transparent mode

I have created these rules and I am new to

f you make a nice installation videos more of you

marcelloc · May 8, 2018, 1:21 AM

Good news for those that are still on 2.3.x.

I could get e2guardian5 up and running on 2.3.5 test vm too and updated the amd64 repo.

Important note:

As I have this running in production only on 2.4 boxes, test it first on labs.

pfsensation · May 7, 2018, 10:52 PM

@marcelloc:

Good news for those that are still on 2.3.x.

I could get e2guardian5 up and running on 2.3.5 test vm too and updated the amd64 repo.

Important note:

As I do not have this running in production only on 2.4 boxes, test it first on labs.

Or… People should just upgrade to 2.4. It brings about a lot of fixes... :P

kenrutt · May 10, 2018, 1:58 AM

Thanks Marcello for making that last update avalable for E2gurdian 5. Things started working again.
One question I would have, is the "Content List" working? Everything else seems to be working
except the "Content List"

susamlicubuk · May 12, 2018, 4:01 PM

Hello Marcello
I could not run MultiWan
LAN1 to wan1 and LAN2 to WAN2 firewall rules do not work

for example with squid we could do multiwan with the following Advanced Features-Custom Options (Before Auth)
acl LAN1 src 192.168.1.0/24
tcp_outgoing_address (wan1ip) LAN1
acl LAN1 src 192.168.2.0/24
tcp_outgoing_address (wan2ip) LAN2
I added it to squidparent.conf but it does not work

marcelloc · May 12, 2018, 4:14 PM

Did you reloaded squid parent after config changes?

The squid daemon package installs is the same of squid package, so if you selected automatic parent config and add squid config to squid parent conf file it should work.

susamlicubuk · May 12, 2018, 4:40 PM

I tried the same settings did not work
but transparent as e2Guardian active (hhtp and https)
squid non transparent

ravegen · May 13, 2018, 11:27 PM

While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.

It says, pkg: Missing dependency 'openssl'

How do we resolve this error ?

marcelloc · May 14, 2018, 12:12 AM

@ravegen:

While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.

It says, pkg: Missing dependency 'openssl'

How do we resolve this error ?

Follow instructions on the first post.
Add the repo and then install from gui

ravegen · May 14, 2018, 12:44 AM

@marcelloc:

@ravegen:

While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.

It says, pkg: Missing dependency 'openssl'

How do we resolve this error ?

Follow instructions on the first post.
Add the repo and then install from gui

Do we need to configure WPAD, DNS and DHCP Options ?

PS: Do you have any tutorial on how to configure E2Guardian for http and https filtering like the ones in youtube for squid and squidguard for reference ? Thanks

marcelloc · May 14, 2018, 1:16 AM

@ravegen:

Do we need to configure WPAD, DNS and DHCP Options ?

Only if you want or have a lot of sites on non standard web ports lie 8080,8081, etc..

The transparent proxy on e2guardian works really nice.

@ravegen:

PS: Do you have any tutorial on how to configure E2Guardian for http and https filtering like the ones in youtube for squid and squidguard for reference ? Thanks

I have this video on youtube with basic setup instructions. The audio is in portuguese but following the images and a youtube translated cc, I guess you can configure it.

https://www.youtube.com/watch?v=tao1tiXFefk

ravegen · May 14, 2018, 1:18 AM

I don't see any firewall rules setup on the video ? Is there a need to create firewall rule to redirect traffic to 8080 and 8081 ?

marcelloc · May 14, 2018, 1:58 AM

@ravegen:

I don't see any firewall rules setup on the video ? Is there a need to create firewall rule to redirect traffic to 8080 and 8081 ?

The package creates automatically for transparent proxy options.

Select the same options I set on the video and take a look on realtime tab.

ravegen · May 14, 2018, 2:08 AM

ok thanks Marcelloc

ravegen · May 14, 2018, 2:35 AM

Marcelloc, what auth plugins ip address ?

Why are some options have (on) and some are (off) ?
What does on and off means there ?

Also I checked on console e2guardian -version, it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?

Running in debug mode…
e2guardian 5.1.0

Built with: '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--with-zlib=/usr' '--enable-fancydm' '--disable-clamd' '--disable-commandline' '--with-dgdebug=on' '--enable-dnsauth' '--disable-email' '--enable-icap' '--disable-kavd' '--enable-ntlm' '--enable-sslmitm' '--enable-trickledm' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing -DLIBICONV_PLUG -std=c++11' 'LDFLAGS= -lssl -lcrypto -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'

marcelloc · May 14, 2018, 2:49 AM

@ravegen:

Marcelloc, what auth plugins ip address ?

Check groups based on clients IP address.

@ravegen:

Why are some options have (on) and some are (off) ?
What does on and off means there ?

on and off are the default config options. Check all (on) options to use setup defaults. Most are selected automatically on package install. Any option you select, will be enabled on config files.

@ravegen:

Also I checked on console e2guardian -version, it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?

It has traffic interception compiled. Select the CA under daemon tab to enable check certificate sites (splice all feature on squid) and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)

ravegen · May 14, 2018, 3:35 AM

Marcelloc, is it fine to create the INTERNAL CA using pfsense system/certificate manager/CAs OR should it be done thru console as you have said here https://github.com/e2guardian/e2guardian/wiki/MITM–-Filtering-HTTPS, Generating the necessary SSL certs.