    What’s the most effective way to filter content?

    • W
      Wijet last edited by Wijet

      As the title states, I am wondering what would be my best route to go to filter content? Namely mainstream VPN services, social media, YouTube.

      Would OpenDNS work to block VPN?

      I do have squid installed and set up. Is it possible to block VPN that way? Although I haven’t had much luck with squid.

      Are there better options for pfsense?

      I know I’m asking a loaded question here. Thanks in advance

      • x2rl
        x2rl @Wijet last edited by

        @Wijet said in What’s the most effective way to filter content?:

        As the title states, I am wondering what would be my best route to go to filter content? Namely mainstream VPN services, social media, YouTube.

        Would OpenDNS work to block VPN?

        I do have squid installed and set up. Is it possible to block VPN that way? Although I haven’t had much luck with squid.

        Are there better options for pfsense?

        I know I’m asking a loaded question here. Thanks in advance

        Did you set up man-in-middle with squid? Huge pain in the arse.

        Blocklists etc.?

        • KOM
          KOM last edited by KOM

          @Wijet Only squid + squidguard will do all that you need, and even then you're entirely dependent on accurate blocklists. For example, do you know of any blocklists that contain entries for all the commercial VPNs on Earth? I don't.

          @x2rl "Did you set up man-in-middle with squid? huge pain in the arse."

          Not really, unless you insist on full SSL interception which is not required for URL filtering. Just use Splice All and you don't have to install a cert on every client.

          Personally, I use squid in explicit mode + squidguard, and use WPAD to help my users find it automatically. No certs required, no SSL interception and I can still filter URLs.

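An added example, not part of KOM's post or of the pfSense packages: a minimal PAC file of the kind WPAD serves to point clients at an explicit-mode Squid. The proxy address 192.168.1.1:3128 and the `.home.arpa` suffix are assumptions, and the code sticks to ES3-style JavaScript so that older PAC engines can also parse it.

```javascript
// wpad.dat / proxy.pac handed out via WPAD.
// All addresses and names here are assumptions, not values from the thread.
var PROXY = "PROXY 192.168.1.1:3128"; // assumed LAN address, Squid's default port
var LOCAL_DOMAIN = ".home.arpa";      // assumed internal DNS suffix

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var octets = [];
  for (var i = 1; i <= 4; i++) {
    var n = parseInt(m[i], 10);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// RFC 1918 and loopback destinations never need to cross the proxy.
function isInternalIPv4(host) {
  var ip = parseIPv4(host);
  if (!ip) return false;
  return ip[0] === 10 || ip[0] === 127 ||
    (ip[0] === 172 && ip[1] >= 16 && ip[1] <= 31) ||
    (ip[0] === 192 && ip[1] === 168);
}

// Suffix match without relying on String.prototype.endsWith.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length &&
    s.substring(s.length - suffix.length) === suffix;
}

// Entry point that a PAC-aware client calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";      // bare intranet names
  if (hasSuffix(host, LOCAL_DOMAIN)) return "DIRECT"; // internal zone
  if (isInternalIPv4(host)) return "DIRECT";          // LAN and loopback literals
  // No "; DIRECT" fallback: if Squid is down, browsing fails closed
  // instead of silently skipping the filter.
  return PROXY;
}
```

A PAC file is only advice to the client, so it is normally paired with a firewall rule that blocks direct outbound 80/443 from the LAN; otherwise a client that ignores the proxy setting is never filtered.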
          • x2rl
            x2rl @KOM last edited by

            @KOM said in What’s the most effective way to filter content?:

            Splice

            Splice, huh? I'll have to look that up.

            Does it work fine, KOM?

            • KOM
              KOM last edited by

              Just watch their video. It explains everything. And yes, it allows me to filter HTTPS URLs without having to install certs everywhere. You only need client certs if you want to see their encrypted traffic and not just the destination URL.

              Squid, SquidGuard, and Lightsquid on pfSense 2.4

              https://www.youtube.com/watch?v=xm_wEezrWf4

              • x2rl
                x2rl @KOM last edited by

                @KOM said in What’s the most effective way to filter content?:

                Just watch their video. It explains everything. And yes, it allows me to filter HTTPS URLs without having to install certs everywhere. You only need client certs if you want to see their encrypted traffic and not just the destination URL.

                Squid, SquidGuard, and Lightsquid on pfSense 2.4

                https://www.youtube.com/watch?v=xm_wEezrWf4

                Didn't even know they did videos :O! Thanks

                • M
                  mcury last edited by mcury

                  Android devices have problems with splice all and transparent squid; some apps don't work.
                  When you connect to a wifi being filtered by squid transparent, it shows no internet connectivity.
                  Tested using Samsung Galaxy S10.

                  I believe that I found a way:

                  Noticed that when my phone connects to the wifi, it tries to reach: http://connectivitycheck.gstatic.com/generate_204 - 216.58.222.99.

                  and
                  http://clients3.google.com/generate_204 - 172.217.162.174

                  I was getting code: TCP_MISS/204 for both of these addresses

                  As this is a dynamic IP and it is always changing, I've put all their CIDR: 216.58.192.0/19 and 172.217.0.0/16 at the bypass for destination IP at the transparent proxy settings, and now everything seems to be working fine.

                  Tested using Chrome, and it's blocking porn:

                  TCP_MISS/301 http://www.xvideos.com/ - 192.168.255.249
                  TCP_MISS/302 http://185.88.181.10/ - 185.88.181.10
                  TCP_MISS/301 http://www.xvideos.com/ - 192.168.255.2

                  SG-3100 22.05 / Unifi Flex Mini / Unifi NanoHD

                  • W
                    Wijet last edited by

                    Hi, I did manage to find a pretty secure system, for anybody willing to spend the $. On a trial with it right now, works perfectly for us so far... Adamnet.works
