pfSense web filter and antivirus in existing LAN infrastructure

  • Hi everybody... I have a problem and I can't find a solution. In my office I have 2 internet service providers, 1 Zyxel USG310 firewall and 1 Cisco switch. I have to do the web filtering for all the PCs connected to the LAN through the Cisco. The Zyxel USG310 firewall has the web filter software preinstalled, but I don't want to renew the license. In my Zyxel firewall all the rules are loaded (NAT, load balancing etc.) and all the PCs connected to the LAN through the switch are configured with the IP of the firewall as gateway. In this basic scenario all the traffic passes through the firewall, which manages the communications. Now I have the necessity to filter the web pages visited by the clients in my LAN with an external tool. I thought about using pfSense only for web filtering in transparent mode and antivirus, but I can't change the gateway on my office client PCs because my firewall has to command all the requests that come from the client PCs. Can I interpose pfSense between the switch and the firewall so that all client requests pass first through pfSense, which filters web pages, and then arrive at the firewall without masking the IP of the client requesting the web page? What's the best solution? I attach an image with my actual office infrastructure... thanks everybody, Andrea.

  • Netgate Administrator

    You can't run Squid transparently on a bridged firewall so you can't put it in between the switch and Zyxel and maintain the same layer 2.

    However, you shouldn't need to. When you configure Squid in transparent mode in pfSense it adds port forwards to the LAN side interface to redirect all incoming traffic on port 80 (and 443) to the Squid process running on localhost.
    You can replicate that to Squid running on a different host easily enough. Just add port forwards in the Zyxel to forward traffic from the LAN side clients to the pfSense IP running Squid.

    Some things to consider:
    You may not want to forward all http/s traffic as you will need to reach the Zyxel interface and possibly upstream routers etc and that's probably better to do without using the proxy.
    If you can, you should put the Squid box on a different subnet to the LAN clients, otherwise you will have an asymmetric routing situation with reply traffic going back directly to clients. No idea how the Zyxel would react to that, but it should block the out-of-state TCP traffic by default.
    If you are running only Squid on that box, pfSense may not be the best solution there. Though it is very easy to set up.
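    As an added illustration (not from the reply above or from the pfSense Squid package itself) of the kind of redirect rule transparent Squid relies on, here is a pf fragment that sends client HTTP to a local Squid while keeping the firewall and router management addresses reachable without the proxy. The interface name, addresses and the Squid port are assumed values; only port 80 is shown, since 443 additionally needs an intercepting https_port in Squid.

    ```pf
    # Assumed values: pfSense LAN-side interface and the port Squid intercepts on.
    lan_if     = "em1"
    squid      = "127.0.0.1"
    squid_port = "3128"

    # Destinations that must bypass the proxy (assumed addresses):
    #   192.168.1.1   Zyxel LAN interface (web GUI)
    #   192.168.1.254 upstream router management address
    #   192.168.1.2   this pfSense box's own LAN address
    # A table is used because "to ! { a, b }" would expand into separate
    # rules and not express "neither a nor b".
    table <no_proxy> { 192.168.1.1, 192.168.1.254, 192.168.1.2 }

    # Redirect LAN clients' HTTP to Squid, except for the excluded destinations.
    # "rdr pass" also creates the matching pass rule for the redirected packets.
    rdr pass on $lan_if inet proto tcp from $lan_if:network to ! <no_proxy> port 80 -> $squid port $squid_port
    ```

    If Squid runs on a separate host that the Zyxel forwards to, the same exclusion list applies, and that host should sit on its own subnet so replies return through the firewall instead of straight to the clients.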
