Guide to filtering web content (http and https) with pfsense 2.3
-
"To stop users from bypassing your proxy setup a new firewall lan rule and block port 80 and 443
IPv4 TCP * * * 80 - 443 * none.
SaveSet your system to automatically detect settings (for windows it is in internet options connections lan settings).
You also have to set up the proxy setting for each program that cant connect (firefox, graphics drive software, vlc etc)
If you have programs that cannot connect and have no proxy setting you need to setup a firewall aliases
Firewall/Aliases/IP
and add the destination server ip (use wire shark to help find the blocked Ips or in your firewall block rule enable Log packets that are handled by this rule, use http://ip-lookup.net/index.php to check what it is and add to the Aliases. If it is part of a domain add the domain)
now create a new firewall lan rule
IPv4 TCP * * * passAliases 80- 443 * pass rule.Save"
Not sure where to setup/configure above firewall lan rule.
-
Thank you for the guide - i got everything working as expected. However, I need to enable content filter on a 2nd interface (Guest). What sort of config addition is needed to enable content filtering on the 2nd additional interface.
-
In the Part 3 you refer to *.local in proxy.pac file as well as unbound configuration.
if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0")) return "DIRECT";
When user sets up pfSense the domain defaults to "localdomain" in System/General Setup and there is explicit sentence about not using .local as a domain name:
Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS.
Do we need to modify the domain to "local" in System/General Setup or should we replace ".local" with ".localdomain"?
-
Use a domain like this
pfsense.thisismydomain.localDo not use
pfsense.local.localThe PAC does not need changing
-
Hi,
I am using the method mentioned here, through unbound. Is there a way i can let few static IP's skip the youtube safe settings in the unbound. I tried asking about segregating those ip's but then i have to use bind which i dont know about. If there is a way to skip the DMZ (i have lan, opt1, opt2 and dmz), that would help also, as i can put those static IP's on DMZ
I think it was mentioned somewhere to use port 5353 and use DNS forwader in conjunction with Unbound, but i cant find any tutorial for it. Also, i cant find any way to split the DNS i dont know if that would help. All I want is some computers can visit youtube and dont get blocked for videos. Even pfsense tutorials get blocked by it.
Any ideas as to where to look for or what to look for would help,
thanks for the great tutorial.Molykule
-
Beautiful guide!
I decided to move from ipcop to pfsense just to filter some https, I followed this guide (with the updates). Everything seems to work fine before some users start complaining mainly android apps not working (play store, snapchat, whatsapp..etc) I managed to locate the blocked (using firewall log) then create a bypass rule with the IP or Port for the whole network, however other clients start having similar issues as if those apps working on different IPs for certain devices (all android)
I read this topic 4 times, reinstall from zero three times without any improvement towards this issue which begins after applying the proxy with wpad.
I appreciate any advice even if an easier approach to filter some unwanted https sites.
Thank you. -
On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.
-
On the android phone (wireless setting) try setting the proxy settings manually, instead of auto or none.
Finally, with manual proxy settings I have a stable communication with android devices.
You are the MAN!
-
Update Youtube safe mode
Click add under Host overrides
Host = www
Domain = youtube.com
IP = 216.239.38.120
Description = youtube
Save
NOTE: Safe search for youtube is not as advanced as google safe search, which results in a lot of safe content be filtered out.How can we get this working with mobile devices Android and iOS that use the youtube mobile app or m.youtube.com?
I can't express how useful this guide been for me.
For the record I found the below is working for youtube mobile app safe search:
Host = youtube Domain = googleapis.com IP = 216.239.38.120 Description = youtube app1
Host = youtubei Domain = googleapis.com IP = 216.239.38.120 Description = youtube app2
and maybe..
Host = www Domain = youtube-nocookie.com IP = 216.239.38.120 Description = youtube nocookie
in addition to what's mentioned in Reply#60 for mobile browsers.
-
Thanks huuur, that should help others.
Though it would be good if youtube was better at filtering videos.
-
Update
You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).
-
Update
You can try setting up MITM by setting the SSL/MITM Mode to splice all, that way you do not need to create a certificate for each device on the network. (you still need to create a main certificate though).
That works fine for me also setting Client proxy settings manually:
Proxy address/PORT= SQUID_IP 3128And that only! Indeed if i specify different proxy settings for http/https in (client win10=> Internet Settings=>Lan settings=>Advanced=>
- http=SQUID_IP 3128
- https=SQUID_IP 3129
It does not work, as in the contrary I'd excpect…. ::)
Geek can you explain why? -
Does automatically detect settings work?
-
Does automatically detect settings work?
Ehmm sorry, could you explain me better what you mean? As I stated I do not use WPAD, I configure proxy manually on client see picture…
Thanks.
PS. Sorry to answer late
-
if you have the transparent proxy working then you do not need to define the proxy server.
-
If I use it in transparent mode, https does not work!
Better sometimes it works, sometimes it does not! (http works always!)If anyone managed to get http+https in splice all + transparent mode work please let me know… ;)
-
I just enabled it mitm, added a cert, set it to splice all and its working.
-
The guide is update but confusing. Can you please clean up the guide and have it step by step. Its somewhat hard to follow if you are not familiar with wpad and related firewall rules.
Thanks for the guide.
-
hi techbee, yeah after discovering a few new things the guide is a little messy now.
The transparent proxy with MITM (splice all) vs wpad should really be divided into two different choices. When I made the guide I did not know that all you need to get transparent proxy for https working is set splice all and create a cert for the router. So in fact you can now choose either using a wpad or the transparent proxy MITM or both.
when i get time I will try an clean it up a bit.
-
The transparent proxy with MITM (splice all) vs wpad should really be divided into two different choices. When I made the guide I did not know that all you need to get transparent proxy for https working is set splice all and create a cert for the router. So in fact you can now choose either using a wpad or the transparent proxy MITM or both.
Indeed I do not think MITM and splice all can work toghether, as stated on squid documentation MITM is associated to the "bump" directive that is something complety different from splice directive.
With MITM (bump) squid is able to decrypt traffic (and analyse it) meanwhile with splice all you can do is just "web filtering".
Summarizing
Directive Advantages/features Disadvantage
Splice (all) No needs of certificate installation on Clients + webfiltering No traffic analysis i.e no AntiVirus
Bump (MITM) Traffic analysis i.enoYES AntiVirus + webfiltering Needs to install certs on clientsPlease take a look here and let me know if I missed something. Thanks
http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
http://marek.helion.pl/install/squid.html