Need help - Boy Scout Camp Setup

  • Forum Members,

    I am seeking your assistance in setting up pfsense for a Boy Scout camp. What I would like to do is:

    • Install and configure Squid – what are the best settings (I guess this is open to interpretation)
    o 80 GB hard drive
    o 2560 MB memory
    • Block streaming services, e.g. Netflix, Hulu, YouTube, etc. Others?
    • Block video from playing in Facebook (not necessarily block Facebook though)
    • Block all access to Windows Update
    • Block all access to Apple updates
    • Block all access to download apps from Android and Apple devices
    • Block all access to Chrome updates and Google store
    • Eventually block porn/torrents/controversial non-Scout/children-friendly sites (this can be done in conjunction with the above or turned into a separate project and/or thread)

    You may be wondering why I want to block so much; well, the answer is simple. We have a satellite connection with a maximum cap of 20 GB of transfer per month.

    Basically, I just want the users/Scouts to be able to browse the web to complete their Merit Badge requirements and allow parents the ability to VPN to their corporate networks to get “some” work done.

    Also, I would like to somehow track users' traffic download/upload data, e.g. Billy (via IP/hostname/MAC, etc.?) downloaded/uploaded XX GB of data. Is there something easy that can be configured for this reporting metric?

    One more: we do have a Point-of-Sale machine in camp that processes credit cards, which requires access to the internet. How do I give that computer priority over all others?

    Thank you all in advance for your assistance!


  • 20 GB is not going to go far (how many users?)
    For web filtering start off here
    Forcing the use of Google and Bing safe mode and blocking the rest is going to help you a lot here.

    Enable the Squid cache to help save a little bit on data. Windows updates, well, they normally cache, but with only 20 GB you will have to be careful.

    Might be best to set up something like a user login with a data quota (20 GB / number of users); that way it is up to the users what to spend their download limit on. So if they want to watch YouTube in safe mode they can, but they will only be able to watch a few videos before they reach their data limit.

    If you have something like 30 users on 20 GB a month you're looking at about 20 to 25 MB per user per day, which is not a lot.

    For that amount of data maybe it is best to just let staff use it to download the content for the scouts (like videos or guides, etc.).
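The per-user tracking asked for in the question ("Billy downloaded XX GB") and the per-user quota suggested in the reply above both come down to summing the Squid access log per client. The script below is an added example, not code from this thread or from pfSense/Squid. It assumes Squid's default "squid" logformat and a constructed sample log; the log lines, addresses and the user name "billy" are made up for illustration. Squid has no monthly-volume quota directive of its own, so a report like this (run over the rotated logs) is what produces the number, and denying over-quota clients means feeding the resulting list back into an ACL.

```python
"""Per-client data usage from a Squid native access.log, checked against a quota.

Added example, not code from the thread or from pfSense/Squid.  It assumes
Squid's default "squid" logformat, one request per line:

  timestamp elapsed client result/status bytes method URL user hierarchy/peer type

The 'bytes' field is what Squid sent to the client (reply headers + body), so
uploads are not counted, and a cache HIT costs no satellite traffic at all.
"""
from collections import defaultdict
from dataclasses import dataclass

MIB = 1024 * 1024

# Constructed sample lines, not real traffic.  'user' is '-' unless proxy
# authentication is on, in which case it carries the login name.
SAMPLE_LOG = """\
1384269112.345   1234 192.168.10.50 TCP_MISS/200 523144 GET http://example.org/guide.pdf - HIER_DIRECT/93.184.216.34 application/pdf
1384269113.102     12 192.168.10.51 TCP_HIT/200 523144 GET http://example.org/guide.pdf - HIER_NONE/- application/pdf
1384269150.010   8000 192.168.10.52 TCP_MISS/200 31457280 GET http://video.example.net/clip.mp4 billy HIER_DIRECT/203.0.113.9 video/mp4
1384269151.500     30 192.168.10.52 TCP_DENIED/403 3851 GET http://download.windowsupdate.com/x.cab billy HIER_NONE/- text/html
1384269200.000    400 192.168.10.50 TCP_MISS/200 2097152 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
this line is garbage and must be skipped
"""


@dataclass
class Usage:
    total_bytes: int = 0  # everything Squid delivered to this client
    wan_bytes: int = 0    # the part that actually crossed the satellite link
    requests: int = 0


def _crossed_wan(result_code: str) -> bool:
    """True when the request had to be fetched upstream.

    Cache hits (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...) and requests Squid
    refused (TCP_DENIED) never reach the WAN.  TCP_REFRESH_UNMODIFIED costs
    only a small revalidation; it is treated as free, which slightly undercounts.
    """
    return not any(tag in result_code for tag in ("HIT", "DENIED", "UNMODIFIED"))


def parse_line(line: str):
    """Return (key, crossed_wan, nbytes) or None for an unparsable line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, result, nbytes, user = fields[2], fields[3], fields[4], fields[7]
    if not nbytes.isdigit():
        return None
    code = result.split("/", 1)[0]
    # Prefer the authenticated user (stable across DHCP leases); fall back to the IP.
    key = user if user != "-" else client
    return key, _crossed_wan(code), int(nbytes)


def usage_by_client(log_text: str) -> dict:
    """Aggregate the log into {client_key: Usage}."""
    usage = defaultdict(Usage)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, wan, nbytes = parsed
        u = usage[key]
        u.requests += 1
        u.total_bytes += nbytes
        if wan:
            u.wan_bytes += nbytes
    return dict(usage)


def over_quota(usage: dict, quota_bytes: int) -> list:
    """Clients whose delivered bytes exceed the per-client quota, largest first."""
    hits = [(k, u.total_bytes) for k, u in usage.items() if u.total_bytes > quota_bytes]
    return [k for k, _ in sorted(hits, key=lambda kv: kv[1], reverse=True)]


def per_user_quota(monthly_cap_bytes: int, users: int) -> int:
    """Even split of the monthly cap, as suggested above (20 GB / number of users)."""
    return monthly_cap_bytes // max(users, 1)


if __name__ == "__main__":
    usage = usage_by_client(SAMPLE_LOG)
    quota = per_user_quota(20 * 1024 * MIB, 30)
    for key, u in sorted(usage.items(), key=lambda kv: kv[1].total_bytes, reverse=True):
        print(f"{key:16} {u.requests:3d} req  {u.total_bytes / MIB:8.2f} MiB total  "
              f"{u.wan_bytes / MIB:8.2f} MiB over WAN")
    print("over quota:", over_quota(usage, quota))
```

Two things the numbers hide: the second request for guide.pdf is a TCP_HIT, so it shows up in that client's total but cost nothing on the satellite link, which is exactly the saving the disk cache buys; and keying on the login name rather than the IP only works once proxy authentication is on, otherwise a device that picks up a new DHCP lease starts with a fresh counter.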

  • Your need is pretty clear and obvious: due to satellite cost, you will have to control and reduce everything to the strict minimum while still offering some basic service.

    If I had to achieve this, I would start, as you do, with a proxy, still keeping in mind that such a goal is quite tricky.

    Let's make it clear: 20 GB is not that much.

    Design rules:

    • everything must go through the proxy (which, BTW, reduces protocols to HTTP/HTTPS, but as almost everything uses HTTP nowadays, it covers a large area of your needs).
    • as control is a must for every (HTTP) thing, a transparent proxy is not an option.
    • On the other hand, you don't want to configure each and every device manually. You could publish some "network settings" but this is going to be painful. WPAD is a better option, even if it doesn't cover 100% of web browsers.
    • Linked to this, be sure that the FW will not authorize any protocol from LAN to WAN (this can be fine-tuned later, but as a principle, everything will go through the HTTP proxy).
    • pfSense will act as DNS resolver (and cache), and because the proxy is used, end-users will never need to resolve anything.

    Then comes proxy configuration:

    • be sure to configure disk caching  8)
    • at the SquidGuard level, configuring a blacklist will help a lot. Not allowing some site categories will save some bandwidth  ;D ;D :-X
    • this will also help you to block domains like windowsupdate.
    • in order not to allow video flows, you will have to block by MIME type

    This looks promising, doesn't it?  8)
    Unfortunately, this is far from perfect. Because HTTPS is widely used, it will not benefit from the cache and content will not be filtered.
    SSL-Bump (although I really don't like it) might be the right direction to investigate.

    some additional inputs:

    Nice challenge :-)
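The design rules and proxy settings listed in the reply above, put into a squid.conf fragment. This is an added example, not configuration from the thread or from the pfSense Squid package's generated file. The LAN range 192.168.10.0/24, the proxy address 192.168.10.1:3128, the cache path, the cache sizes and every hostname in the domain lists are assumptions; the domain lists in particular are illustrative and incomplete, since update and video CDN hostnames change, and squidGuard category blacklists are the way to cover them at scale. Squid 3.x syntax.

```squid
# Explicit (non-transparent) proxy only: clients are pointed at it via WPAD,
# and the LAN firewall lets nothing else out.  No 'intercept' or 'transparent'.
http_port 192.168.10.1:3128

# Cache sizing for an 80 GB disk and 2.5 GB of RAM (assumed values).
# 40 GB on disk, 512 MB of hot objects in RAM.
cache_dir ufs /var/squid/cache 40000 16 256
cache_mem 512 MB
# Raise the object size limit or large installers and PDFs are never cached at all.
maximum_object_size 512 MB
maximum_object_size_in_memory 1 MB
# LFUDA favours keeping large, frequently requested objects, which is what
# saves satellite bytes.
cache_replacement_policy heap LFUDA

# Who may use the proxy and on which destination ports.
acl localnet src 192.168.10.0/24
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Destinations that would eat the monthly cap.  Illustrative, not complete.
acl updates dstdomain .windowsupdate.com .update.microsoft.com
acl updates dstdomain .swcdn.apple.com .swdist.apple.com .mesu.apple.com
acl updates dstdomain .dl.google.com
acl streaming dstdomain .netflix.com .hulu.com .youtube.com .googlevideo.com

# Reply-side filter: refuse video bodies wherever they come from.  This only
# works for plain HTTP; inside a CONNECT tunnel Squid never sees the headers.
acl video_reply rep_mime_type -i ^video/ ^application/vnd\.apple\.mpegurl

# Order matters: first matching rule wins, default deny at the end.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny updates
http_access deny streaming
http_access allow localnet
http_access deny all

http_reply_access deny video_reply
http_reply_access allow all
```

On pfSense these lines belong in the Squid package's custom options rather than a hand-edited squid.conf, and the LAN firewall rules should then allow only TCP 3128 to the LAN address plus whatever the Point-of-Sale host and the parents' VPN clients need, with a deny-all rule underneath. The `http_access deny updates`/`deny streaming` lines are the weak part of the design for the reason the reply gives: anything that moves to HTTPS is still matched by `dstdomain` (Squid sees the host in the CONNECT request), but the `rep_mime_type` rule and the cache stop working for it.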

  •

    It is far easier to allow the PoS, the VPN and access to a particular (scout) site than it is to block just those things that are hosted all over the world, on CDNs, etc.

    •  Block video from playing in facebook (not necessarily block facebook though)

    Good luck with that, since Facebook is pretty much all HTTPS. Might as well try to allow WhatsApp but block WhatsApp messages containing curse words.

    I believe what you are trying to do is pretty much impossible, and you would be better off spending your time blocking everything and passing only what they need access to.
