Netgate Discussion Forum

    Need to create a rule to block certain sites during the weekdays and allow them during the weekend

    Category: Firewalling
    3 Posts 3 Posters 509 Views
      nexnexlevel

      Greetings Experts,

      I am looking to create a rule to block access to certain websites on a schedule and/or manually enable/disable access when needed.

      For instance:
      Need to be able to block access to certain gaming sites during the school week and only allow access during weekends, but would also like to be able to manually enable the rule when kids get grounded. I have one who likes to get out of bed at 3am to play and then walk around cranky and grouchy all day for lack of sleep. If he has physical access, he WILL access the sites, so they need to be blocked to prevent access.

      This was a simple matter with the old Netgear router but with pfSense it seems to be buried.

      Does this ask make sense or do you need me to provide more info?

      Also, how does one use the "object group" concept to add the IPs of several sites (or the multiple IPs of one site) to a single firewall rule instead of one rule per IP? The IPs are not in the same subnet and cannot be summarized.

      Thanks in advance!

        jeremym

        I personally block per device using a schedule and firewall rules. Meaning I have all their IP addresses for all their devices set up in allow rules, and then I have one rule that is a deny rule. So once the allow rule expires, the firewall goes on down the list to find something that matches the traffic and hits the deny rule. It seems to be working out well for me, except it's allowing existing connections to stay active after the pass rule deactivates. New connections are denied though.

        To make sure my devices have the same IP every time, I have my DHCP server assign an IP based upon MAC address if provided. So that covers iPhones, iPads, and other things that don't allow for manual IP address configuration.

        To block certain sites though, that's a bit difficult. SquidGuard may be your friend there. I haven't looked much into SquidGuard, but a lot of sites use HTTPS. Google and YouTube are great examples of sites that are going encrypted. You can't, at least the last time I checked, use a Squid proxy server passively (catching all traffic by default and filtering) when using SSL. If you want it to block sites that are using SSL, then your devices must have an SSL certificate installed on each device, provided by whatever server is filtering it (assuming your SquidGuard server on pfSense). That can get kinda complicated.

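The scheduled-pass-then-deny layout jeremym describes, together with the "object group" question from the first post, as an added Python model of how pf decides a packet. This is example code written for this page, not pfSense code and not from either poster: it checks the state table before the ruleset, walks the rules top-down to the first match, and skips a rule whose schedule is not active (pfSense leaves such a rule out of the loaded ruleset). The aliases, the addresses, the "weekend" schedule and the `kill_states` flag are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases are pfSense's "object group": one name that expands to many hosts or
# networks, so a single rule covers addresses that cannot be summarised into
# one subnet. Addresses below are constructed for this example.
ALIASES = {
    "kids_devices": ["192.168.1.50", "192.168.1.51"],
    "gaming_sites": ["203.0.113.10", "198.51.100.7", "192.0.2.0/24"],
}


@dataclass
class Schedule:
    name: str
    days: frozenset          # weekday numbers, Monday=0 .. Sunday=6
    start: str               # "HH:MM", inclusive
    end: str                 # "HH:MM", exclusive

    def active(self, when: datetime) -> bool:
        hhmm = when.strftime("%H:%M")
        return when.weekday() in self.days and self.start <= hhmm < self.end


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str                 # alias name or "any"
    dst: str                 # alias name or "any"
    schedule: Optional[Schedule] = None
    disabled: bool = False   # the manual "grounded" switch: disable the pass rule


def in_alias(name: str, addr: str) -> bool:
    if name == "any":
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in ALIASES[name])


def evaluate(rules, src, dst, when, states):
    """Decide one packet. pf consults the state table before the ruleset, so an
    already-open flow is passed without looking at the rules at all; a flow with
    no state walks the list top-down and stops at the first matching rule."""
    flow = (src, dst)
    if flow in states:
        return "pass (existing state)"
    for rule in rules:
        if rule.disabled:
            continue
        if rule.schedule is not None and not rule.schedule.active(when):
            continue                         # rule is out of the ruleset right now
        if in_alias(rule.src, src) and in_alias(rule.dst, dst):
            if rule.action == "pass":
                states[flow] = rule          # a pass creates state for the flow
            return rule.action
    return "block"                           # pf's implicit default deny


def schedule_expired(rules, states, when, kill_states):
    """Run at a schedule boundary. Flows opened under a now-inactive pass rule
    keep flowing unless their states are cleared here."""
    if not kill_states:
        return
    for flow, rule in list(states.items()):
        if rule.schedule is not None and not rule.schedule.active(when):
            del states[flow]


WEEKEND = Schedule("weekend", frozenset({5, 6}), "08:00", "22:00")
RULES = [
    Rule("pass", "kids_devices", "gaming_sites", schedule=WEEKEND),
    Rule("block", "kids_devices", "gaming_sites"),
    Rule("pass", "any", "any"),              # everything else the LAN does
]


def decide(src, dst, when_iso, grounded=False):
    """A brand-new flow with no state: what does the ruleset say right now?
    grounded=True disables the scheduled pass rule, the manual override."""
    rules = [Rule(r.action, r.src, r.dst, r.schedule,
                  disabled=grounded and r.schedule is not None) for r in RULES]
    return evaluate(rules, src, dst, datetime.fromisoformat(when_iso), {})


def demo(kill_states: bool):
    """Saturday 10:00 the kid's device opens a flow to a gaming site; at Monday
    03:00 the same flow is re-checked. Returns (saturday_verdict, monday_verdict)."""
    states = {}
    sat = datetime(2024, 3, 2, 10, 0)        # a Saturday
    mon = datetime(2024, 3, 4, 3, 0)         # the following Monday, 03:00
    kid, site = "192.168.1.50", "203.0.113.10"
    first = evaluate(RULES, kid, site, sat, states)
    schedule_expired(RULES, states, mon, kill_states)
    later = evaluate(RULES, kid, site, mon, states)
    return first, later
```

`demo(False)` returns `("pass", "pass (existing state)")` and `demo(True)` returns `("pass", "block")`: the ruleset is identical in both runs, and the only difference is whether states created under the scheduled rule were cleared when the schedule ended. On pfSense that is a firewall setting (System > Advanced > Miscellaneous, schedule states) rather than part of the rule itself.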
          Derelict LAYER 8 Netgate

          You can use schedules in squidguard.

          You can prevent access to HTTPS sites without SSL MITM, but you can't give the users a pretty denied page. The connections just break. This is peek/splice and works by looking at the SNI in the initial connection.

          https://www.youtube.com/watch?v=xm_wEezrWf4

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

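The peek/splice mechanism Derelict describes, as an added Python example that is not Squid, SquidGuard or pfSense code: a constructed TLS ClientHello carrying a server_name extension is built, the SNI is parsed back out of the raw bytes exactly as a peeking proxy would read it before any encryption starts, and the flow is then classified as splice (pass through untouched) or terminate (the connection simply breaks, which is why no denied page is possible). The blocklist domains and the `classify` return values are made up for the example.

```python
import struct

# Hypothetical blocklist for the example; in practice SquidGuard holds the list.
BLOCKED_DOMAINS = {"gaming.example", "play.example"}


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record whose only extension is
    server_name (type 0). Real clients send more, but the SNI layout is the same."""
    host = server_name.encode("ascii")
    entry = b"\x00" + _u16(len(host)) + host            # name_type 0 = host_name
    name_list = _u16(len(entry)) + entry
    sni_ext = _u16(0) + _u16(len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                      # client_version, random (zeroed)
            + b"\x00"                                    # session_id: empty
            + _u16(2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                # compression_methods: null only
            + _u16(len(sni_ext)) + sni_ext)              # extensions
    handshake = b"\x01" + _u24(len(body)) + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # handshake record


def extract_sni(record: bytes):
    """Walk record -> handshake -> ClientHello -> extensions and return the
    host_name from the server_name extension. Returns None when there is no
    SNI, when the bytes are not a ClientHello, or when the input is malformed."""
    try:
        if record[0] != 0x16:                            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos + 2 > len(body):
            return None                                  # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            p = 2                                        # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return data[p:p + nlen].decode("ascii", "replace")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None


def domain_matches(name: str, domain: str) -> bool:
    """Exact or subdomain match, so 'www.gaming.example' hits 'gaming.example'
    while 'notgaming.example' does not."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def classify(record: bytes, blocklist=BLOCKED_DOMAINS) -> str:
    """The decision a peek-and-splice proxy makes from the first bytes of a flow:
    'terminate' (the connection just breaks), 'splice' (pass through untouched),
    or 'no-sni' when there was nothing to peek at."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"
    if any(domain_matches(name, d) for d in blocklist):
        return "terminate"
    return "splice"
```

The `no-sni` branch is the gap to decide on deliberately: a client that omits SNI, or one using Encrypted ClientHello (where the visible outer name is the fronting provider, not the real target), gives the peeker nothing usable, so the policy has to fail open or closed on its own. Because the proxy never holds the session keys, the only available enforcement is dropping the connection, which matches the "connections just break" behaviour described above.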
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.