XG-7100 1U - questions about pfSense functionality and set up



  • Hello!

    Our company recently ordered a pfSense XG-7100-1U to replace a (functional, but no longer supported) gnatbox firewall solution we've had in place for years.

    After reading up a bit on general functionality and such we decided pfSense would be a solid choice within our budget and scope. However, we're encountering some obstacles that I think are probably just misunderstandings in how the configuration is supposed to work.

    So here is what we want to accomplish:

    Priority #1:
    Block all web traffic in/out except for a small whitelist of web-based resources/sites. We operate a warehouse where we do not want to allow regular web browsing, but we do need to reach Fedex/UPS/et cetera in order to process shipments.

    We did attempt to configure squid/squidguard, but it seems to disregard sites like facebook/pinterest. I assume that's related to https/hsts, but I'm unsure of how to deal with that.

    Priority #2:
    Allow a list of devices full access to the internet (office/executive computers that need web browsing for job functions.)

    Priority #3:
    We currently serve a small number of web-based FTP/Web Servers which need to be accessible outside of the firewall. We brought in the NAT settings from our old firewall, but I think we may not have a firm grasp on how the firewall rules within pfsense are designed. Where can I find some examples of a proper pfsense FW/rules configuration? It's likely worth noting that we do have a number of static addresses being used for these resources.

    I think we're missing something, because when we did some testing in our production environment over the weekend, nothing worked as expected. Our biggest functionality issue was that the packages for squid/squidguard did not seem to block requests the way we wanted them to. With our current firewall, the appliance automatically blocks any requests for sites not allowed to be accessed. However squid/squidguard are doing it, they seem to be allowing some sites through a general deny all + whitelist.

    Any advice/guidance would be greatly appreciated!


  • Netgate Administrator

    You should be able to do #1 with Squid/Squidguard as long as you are doing full SSL intercept or not passing any https traffic, which would be unlikely.

    #2 is relatively easy: you can have a group of fixed IPs bypass Squid entirely or use a different set of filtering rules.

    FTP servers behind the firewall can usually be done as long as they can be configured to not hand out an internal IP to clients or the connecting clients are clever enough to ignore it if they do.
    https://docs.netgate.com/pfsense/en/latest/nat/ftp-without-a-proxy.html

    Steve



  • Thanks for the FTP info, that should be handy. As well, could you refer me to a resource (preferably with examples) for organizing/creating NAT/firewall rules? Our collective grasp of the needed NAT/firewall rules is very rudimentary and it would be very helpful!

    In regards to squid/squidguard: are they intended to be used in tandem or independently of one another? They seem to overlap in functionality somewhat, but squid is a dependency for squidguard (hence my confusion, I think.) As for setting up SSL intercept(ion), any recommendations for a straightforward resource on how to do that?

    I appreciate your time!


  • Netgate Administrator

    The best source of information about rules is the book:
    https://docs.netgate.com/pfsense/en/latest/book/firewall/index.html
    https://docs.netgate.com/pfsense/en/latest/book/nat/index.html

    Squid is a caching http/https proxy. Squidguard adds filtering to it. So yes you need Squid installed to use Squidguard.
    By far the best source of info on setting that up is the hangout we did on it:
    https://www.youtube.com/watch?v=xm_wEezrWf4

    Steve


  • LAYER 8 Rebel Alliance

    What you want to do should be easy with only Squid and without SSL interception.
    I have like 100% the same requirements as yours here and have a basic FreeBSD 12-p3 installation with only Squid. I love my pfSense very much as an edge firewall, for OpenVPN and so on - but decided to install Squid myself in some VM to have more control and flexibility over the config file.
    BUT I think this should work with Squid in pfSense, too.

    The FreeBSD default squid.conf is a great starting point to have a basic working configuration, then you just need these few ACLs:

    acl website-blacklist url_regex -i "/usr/local/etc/squid/website-blacklist.acl"
    http_access deny website-blacklist
    
    acl website-nocache dstdomain "/usr/local/etc/squid/website-nocache.acl"
    cache deny website-nocache
    
    acl website-whitelist srcdomain "/usr/local/etc/squid/website-whitelist.acl"
    http_access allow website-whitelist
    acl website-whitelist_rev dstdomain "/usr/local/etc/squid/website-whitelist.acl"
    http_access allow website-whitelist_rev
    
    acl host-whitelist src "/usr/local/etc/squid/host-whitelist.acl"
    http_access allow host-whitelist
    
    http_access deny all
    

    website-blacklist = Stuff no-one can ever reach
    website-nocache = Sites you don't want Squid to cache
    website-whitelist = Websites you want ALL of your clients to have access
    host-whitelist = Hosts with FULL access (but not website-blacklist because it's on the top)
    http_access deny all = And finally deny all other access to this proxy

    You need to make sure to have all ACLs in the right order; maybe this needs some adjustment in your pfSense config.

    -Rico
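
An added example (not part of Rico's post and not code from Squid or the pfSense package): a small Python model of how the `http_access` lines above are walked top to bottom, with the first matching rule deciding. The list contents and client addresses are constructed, the `srcdomain` rule is left out because it depends on reverse DNS, and an HTTPS request is modelled, as an assumption, as the `host:port` target of a CONNECT.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample list contents (not from the thread).
WEBSITE_BLACKLIST = [r"facebook\.com", r"pinterest\.com"]  # url_regex -i
WEBSITE_WHITELIST = [".fedex.com", ".ups.com"]             # dstdomain
HOST_WHITELIST = ["192.168.1.10", "192.168.1.32/28"]       # src


def dst_host(url):
    """Destination host of a plain URL or of a CONNECT target (host:port)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def dstdomain_match(host, entries):
    """dstdomain: '.example.com' matches the domain and all its subdomains."""
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def src_match(client_ip, entries):
    """src: client address is one of the listed hosts or inside a listed net."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def http_access(client_ip, url):
    """Walk the rules in the posted order; the first matching rule decides."""
    rules = [
        ("deny", lambda: any(re.search(p, url, re.I) for p in WEBSITE_BLACKLIST)),
        ("allow", lambda: dstdomain_match(dst_host(url), WEBSITE_WHITELIST)),
        ("allow", lambda: src_match(client_ip, HOST_WHITELIST)),
        ("deny", lambda: True),  # http_access deny all
    ]
    for action, matches in rules:
        if matches():
            return action
```

Moving the host-whitelist rule above the blacklist rule in `rules` flips the result for a full-access host requesting a blacklisted site, which is the ordering point made in the post.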



  • Hey Rico! Thanks for your response.

    We may have been doing it wrong (after all, we posted here!) but when we just were using baseline squid with a whitelist/blacklist we were seeing sites like facebook/pinterest (social media, basically) ignore the blacklisting entirely when attempting to browse to them. Do you know what may have caused that to occur?


  • Netgate Administrator

    Were you using full SSL bump? The most common reason for this is only proxying http traffic, and almost everything is https these days.

    Steve



  • I believe we started initially with Splice Whitelist, Bump otherwise. So making sure I understand:

    1. No defined white/blacklist within squid itself
    2. Use Splice All within squid (does this affect transparent proxy at all?)
    3. Using squidguard, define acl rules/group acls/target categories

  • Netgate Administrator

    You can see what can be done in that video hangout at this point:
    https://youtu.be/xm_wEezrWf4?t=935

    If you were set to splice whitelist and bump everything else I would expect any https not in the whitelist to fail unless you have installed the Squid CA on all the clients.

    Steve