Netgate Discussion Forum

Seems like traffic not going through firewall

Firewalling
astph
May 20, 2019, 6:12 AM

Hi guys!

Just want to ask: we've been using pfSense for quite some time already, and everything seems to be working as usual, but lately I feel and have noticed that traffic seems not to be going through our firewall settings. For example, YouTube is supposed to be blocked, but I can freely access YouTube, aside from Facebook, etc. Can anyone help point me in the right direction on where to look?

Thanks!

ast

johnpoz LAYER 8 Global Moderator
May 20, 2019, 10:52 AM

And how exactly are you trying to block YouTube?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

astph @johnpoz
May 21, 2019, 3:08 AM

@johnpoz Hi!

Actually, I'm no IT person, just self-taught to configure our pfSense, so I'm not sure if I configured it correctly, but this is what I did:

1. I have a firewall setting to block all traffic to youtube.com, youtu.be, googlevideo.com.

2. I assigned all DNS to use OpenDNS, and set OpenDNS to block streaming sites (for this I'm not sure if I configured our modem properly, as we recently changed our modem; I'm not sure what mode I should set our modem to so that our pfSense would pick up the right IP address).

3. I'm also using the Squid proxy filter, with the websites that are not allowed indicated on the blacklist.

It used to work, but lately I can access all these "blocked" sites.

Thanks in advance.

Regards,

ast

johnpoz LAYER 8 Global Moderator
May 21, 2019, 7:24 AM

You understand your firewall rules are meaningless if you're using a proxy ;)

Also, you're pointing the proxy to OpenDNS? So its block lists really all become meaningless now as well ;)

So how about you pick one method of blocking and let's work through that.. Firewall rules with aliases are not really going to be workable, since YouTube is served off a CDN... So while it might sometimes work, in the long run it's not really a viable option.

So pick one solution: do you want to block with the proxy, or do you want to block with DNS, be it OpenDNS or, say, pfBlocker or your own host overrides?

For the proxy to work, you have to be using explicit mode if you want HTTPS sites to be blocked; transparent will not work for blocking HTTPS.

astph
May 21, 2019, 7:31 AM (last edited by astph May 21, 2019, 7:32 AM)

Hi!

Thanks a lot for pointing those out, LOL! Now I know.... Anyway, my best option really is to ask your advice, I would think :)

I forgot to mention that our ISP here is under Carrier Grade NAT (recently), so because of this I think the OpenDNS route won't work?

Can I humbly ask for your advice on which is the best route to go with, having said that I'm really a newbie at this, even though our pfSense has been running for years already (it used to work)?

Thanks sir!

ast

johnpoz LAYER 8 Global Moderator
May 21, 2019, 7:36 AM (last edited by johnpoz May 21, 2019, 7:38 AM)

I would go with the pfBlocker option, or just your own local host overrides in the pfSense DNS (Unbound or dnsmasq, depending on which one you're using) for the domains you don't want to resolve.

Then force all clients behind pfSense to only be able to query pfSense for DNS.

As far as OpenDNS working behind CGNAT?? As long as your account is always coming from the same (public) IP to them, it should still work.. The only thing I would think is that if you're sharing public IPs with other customers, you could have conflicts with what is filtered, etc.

Or if you're going to go the proxy route, then you need to make sure it's set up as explicit (all clients need to actually point to the proxy), and you need to make sure they can only go out via the proxy..

astph
May 21, 2019, 7:57 AM

Thanks a lot for your advice.... Will check out pfBlocker again. I used to have pfBlocker installed on our system, but later on decided to remove it. So, with pfBlocker, do I need to remove all the firewall rules? Or can pfBlocker work with the firewall rules?

"Then force all clients behind pfsense to only be able to query pfsense for dns." -- may I ask how I can do this? Is this the same as allowing only my pfSense IP address as DNS, and blocking all other port 53 traffic?

Thanks!

ast

johnpoz LAYER 8 Global Moderator
May 21, 2019, 8:30 AM

If you're not allowing clients to resolve domainx.com, then blocking domainx.com via an alias is probably not going to have any effect.. But it could block direct IP access, etc.

Keep in mind again that putting youtube.com into an alias isn't going to be very effective.. Since it's hosted off a CDN, etc., those IPs could change, and a client could get a different IP than what the alias loaded in... Also there are way more FQDNs than just youtube.com - pretty much any country TLD could work, etc.: .de, .co.uk, etc.

Going to be one hell of an alias list trying to block them all ;)

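As an added example (not code from the thread, from pfSense or from pfBlockerNG), the Python below models the two-part design johnpoz lays out in his two replies above: Unbound zone overrides that refuse to resolve a domain and every name beneath it, which is why one entry for googlevideo.com covers the shifting CDN hostnames that an IP alias cannot keep up with, plus the LAN rules that answer astph's question about allowing port 53 only to the pfSense address and blocking it everywhere else. The three domains come from the thread; the LAN addresses, the CDN-style hostname, the outside resolver address and the rule table are constructed, and the port 853 (DNS over TLS) rule is my addition, not something the thread mentions.

```python
"""Added example, not from the forum thread or from pfSense itself.

Models the DNS-based blocking johnpoz describes: (1) Unbound local-zone
entries on pfSense that refuse to resolve a domain and every name under
it, and (2) LAN firewall rules that let clients reach port 53 only on
the pfSense LAN address. Addresses, the CDN-style hostname and the rule
table are constructed for illustration; the port 853 rule is an
addition the thread does not mention."""

from ipaddress import ip_address, ip_network

# Domains named in the thread. One zone entry covers the apex and every
# label below it, so CDN hostnames under googlevideo.com need no listing.
BLOCKED_ZONES = ["youtube.com", "youtu.be", "googlevideo.com"]


def unbound_local_zones(zones):
    """Render Unbound 'local-zone' lines that answer NXDOMAIN for each
    zone (the always_nxdomain type refuses the name and all subdomains)."""
    return "\n".join(f'local-zone: "{z}." always_nxdomain' for z in zones)


def dns_blocked(hostname, zones=BLOCKED_ZONES):
    """True if Unbound would refuse to resolve hostname under the zones
    above: a match needs whole labels, so 'notyoutube.com' is not caught
    while 'r3---sn-example.googlevideo.com' is."""
    labels = hostname.lower().rstrip(".").split(".")
    for zone in zones:
        zone_labels = zone.split(".")
        if labels[-len(zone_labels):] == zone_labels:
            return True
    return False


# Constructed LAN: 192.168.1.0/24 with pfSense at 192.168.1.1.
LAN_NET = ip_network("192.168.1.0/24")
PFSENSE_LAN = ip_address("192.168.1.1")

# LAN rules in pfSense order: evaluated top-down, first match wins.
# Each row is (action, protocols, destination, destination port);
# "any" matches every destination or port.
LAN_RULES = [
    ("pass", {"tcp", "udp"}, PFSENSE_LAN, 53),        # DNS to pfSense only
    ("block", {"tcp", "udp"}, "any", 53),             # no outside DNS servers
    ("block", {"tcp"}, "any", 853),                   # no DNS over TLS outside
    ("pass", {"tcp", "udp", "icmp"}, "any", "any"),   # everything else out
]


def lan_decision(src, proto, dst, dport=None):
    """Return the action of the first LAN rule matching a client flow."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in LAN_NET:
        return "block"  # not a LAN client; LAN rules do not apply
    for action, protos, rule_dst, rule_port in LAN_RULES:
        if proto not in protos:
            continue
        if rule_dst != "any" and dst != rule_dst:
            continue
        if rule_port != "any" and dport != rule_port:
            continue
        return action
    return "block"  # pfSense default deny when no rule matches


if __name__ == "__main__":
    print(unbound_local_zones(BLOCKED_ZONES))
    for name in ["www.youtube.com", "r3---sn-example.googlevideo.com",
                 "notyoutube.com", "example.com"]:
        print(f"{name:35} blocked={dns_blocked(name)}")
    # 203.0.113.53 stands in for an outside resolver (documentation range).
    flows = [("192.168.1.50", "udp", "192.168.1.1", 53),
             ("192.168.1.50", "udp", "203.0.113.53", 53),
             ("192.168.1.50", "tcp", "203.0.113.53", 853),
             ("192.168.1.50", "tcp", "203.0.113.10", 443)]
    for flow in flows:
        print(flow, "->", lan_decision(*flow))
```

The rows of the rule table correspond, in order, to rules on the Firewall > Rules > LAN tab in pfSense, which also evaluates top-down with first match, and the `local-zone` lines are the kind of entry the DNS Resolver's Custom Options box accepts (host overrides in the GUI achieve the same refusal for a single name). pfBlockerNG's DNSBL builds the same kind of Unbound zone entries from its feeds, which is the mechanism behind the pfBlocker suggestion above.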
astph
May 22, 2019, 2:14 AM

I'm currently trying out pfBlockerNG now; I just want to ask for assistance: where or how can I block a certain website in pfBlockerNG? Example: Facebook, or let's say social media sites in general?

Thanks!

ast

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.