How to set up different content filtering for different networks using PFSense.
-
Hello!
I am new to PFSense. We recently purchased a PFSense device and would like to configure it to meet the following network requirements:
REQUIREMENTS:
- We have about 20 computers (10 on the 1st Floor, and 10 on the 2nd Floor).
- The computers on the 1st Floor will have access to the internet (with some filtering controlled by PFSense)
- The computers on the 2nd Floor will NOT have access to any site on the Internet, but only to some that will be allowed. For example: access only to GMAIL.com, BBC.com, and CNN.com.
My question is whether PFSense can do this, and if so, how do we need to configure it in order to achieve this goal?
Thank you for your help.
Any recommendation or advice is greatly appreciated.
Sincerely,
SORBEDOCS.
-
If it is simple NAT internet access, then (for example) add allow firewall rules for the 2nd floor:
Allow TCP proto | src IP = '2nd floor IPs' port = any | dest IP = 'GMAIL.com, BBC.com, and CNN.com IP ranges' port = 80
Allow TCP proto | src IP = '2nd floor IPs' port = any | dest IP = 'GMAIL.com, BBC.com, and CNN.com IP ranges' port = 443
Deny TCP proto | src IP = '2nd floor IPs' port = any | dest IP = any port = 80
Deny TCP proto | src IP = '2nd floor IPs' port = any | dest IP = any port = 443
And it is a good idea to use aliases.
OR
Use a proxy: Squid + squidGuard
-
DVSERG,
Thank you for your response.
I am wondering:
If I decide to use NAT internet access,
- can the "2nd floor IPs" be changed to a network block (say 192.168.15.0)?, and
- can the part that comes after "dest IP =" be changed to a filename? That is, this file would keep a list of all the websites that are allowed for the 2nd floor.
Thank you for your help.
Sincerely,
SORBEDOCS
-
- can the "2nd floor IPs" be changed to a network block (say 192.168.15.0)?, and
- can the part that comes after "dest IP =" be changed to a filename? That is, this file would keep a list of all the websites that are allowed for the 2nd floor.
- Yes, 192.168.15.0/24 for example
- No, dest IP can't be a filename, but it is possible to use aliases
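To see how the rule set suggested earlier in the thread behaves (first match wins, with aliases standing in for the 2nd floor network block and the list of allowed sites), here is an added Python model; it is not code from the thread or from pfSense. The destination ranges are constructed RFC 5737 placeholders, not the real GMAIL/BBC/CNN addresses.

```python
"""First-match model of the LAN rule set suggested in this thread.

Added example, not code from the thread or from pfSense. pfSense evaluates
an interface's rules top to bottom and the first match wins; aliases stand
in for lists of hosts or networks. The destination ranges are constructed
RFC 5737 placeholders, not the real GMAIL/BBC/CNN addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Aliases (Firewall > Aliases in pfSense): a name for a set of networks.
ALIASES = {
    "floor2_net": [ipaddress.ip_network("192.168.15.0/24")],  # from the thread
    "allowed_sites": [ipaddress.ip_network("198.51.100.0/24"),  # constructed
                      ipaddress.ip_network("203.0.113.0/24")],  # constructed
}

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: Optional[str]     # alias name, or None for "any"
    dst: Optional[str]
    dport: Optional[int]   # destination port, or None for "any"
    proto: str = "tcp"

def in_alias(alias: Optional[str], ip: str) -> bool:
    """True if ip falls in any network of the alias ("any" always matches)."""
    if alias is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALIASES[alias])

def evaluate(rules: Iterable[Rule], proto: str, src: str, dst: str, dport: int,
             default: str = "pass") -> str:
    """Action of the first matching rule, else the interface default.
    pfSense's stock LAN rule is 'allow LAN to any', hence default='pass'."""
    for r in rules:
        if (r.proto == proto and in_alias(r.src, src) and in_alias(r.dst, dst)
                and r.dport in (None, dport)):
            return r.action
    return default

# The thread's rule set: pass the whitelist first, then block the rest of the web.
FLOOR2_RULES = [
    Rule("pass", "floor2_net", "allowed_sites", 80),
    Rule("pass", "floor2_net", "allowed_sites", 443),
    Rule("block", "floor2_net", None, 80),
    Rule("block", "floor2_net", None, 443),
]
```

Reversing the rule order makes the block rules match first and the whitelist never passes, which is why the allow rules must sit above the deny rules. Because the deny rules name only ports 80 and 443, traffic from the 2nd floor on any other port still falls through to the default LAN rule.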