Netgate Discussion Forum
Blocking URLs in pfSense firewall for a specific range of IPs

Firewalling | 11 Posts, 3 Posters, 809 Views

wedz:

Hi, please can anyone help me? I'm trying to block website URLs for a specific IP using an alias and firewall rules, but nothing works.

I created 2 aliases:

      1. Blocksites
        name: blockwebsite
        type: host
        IP/FQDN: www.facebook.com
      2. Unauthorusers
        name: unauthorize
        type: network
        Network or FQDN : 192.168.0.10/24

      Firewall Rules

      Action: block
      Interface: WAN
      Address Family: IPv4
Protocol: TCP/UDP

      Source: Single host or alias : unauthorize
      ports : any any

      Destination: Single host or alias : blocksites
      Port: any any

Please check my configuration in case I forgot or mistook anything.

Thanks in advance!
stephenw10 (Netgate Administrator):

        You can't use a host alias like that for a site like facebook. That will be resolved to a single IP when the ruleset is created but facebook is actually a vast number of IPs.
        You can try to use an AS number either manually:
        https://docs.netgate.com/pfsense/en/latest/firewall/blocking-websites.html#blocking-facebook
        Or using pfBlocker to auto update it.

        Or you could block that using the DNS instead which can be more effective.

        Steve

ngr2001 @stephenw10:

          @stephenw10

I am looking to do the same. Can I block facebook.com for just a specific list of local clients/IP addresses? I would like to do this with native features like the DNS Resolver as opposed to a plugin.

Is that possible?

stephenw10 (Netgate Administrator):

            You can, potentially, add a custom 'view' in unbound so that only a subset of client devices get a bad resolution for *.facebook.com. It's a non-trivial setup but there are some threads here detailing it.

ngr2001 @stephenw10 (last edited by ngr2001):

              @stephenw10

Thinking about it, that may not work for me, not sure. The reason I say that is because I currently have "kids" systems reserved in DHCP; their lease gives them a different DNS server, "1.1.1.3", and all other systems default to the pfSense IP which forwards to "1.1.1.1". The .3 is the adult filter from Cloudflare.

I made an attempt using the below set of rules, but it does not seem effective, i.e. the target PC can still access youtube.com. Should the below type of setup be possible? Can I effectively block just a few URLs for a handful of devices this way? Again, I am looking for a simple, effective means to manage a URL block list for a handful of devices on my network. I feel like this should be easy to do in pfSense, and if not, perhaps a new feature.

[image attachment: firewall rules screenshot]

[image attachment: firewall rules screenshot]

stephenw10 (Netgate Administrator):

                Yup, you can't block with rules like that. The alias will be resolved to an IP or set of IPs when the ruleset is generated but that will only be a tiny fraction of the potential IPs used by youtube.

                You can block by ASN but that will impact far more than just youtube. You pretty much need to filter using DNS to get the sort of functionality you're looking for.

ngr2001 @stephenw10:

                  @stephenw10

Is there any solution leveraging DNS where I can achieve the desired outcome described?

                  i.e.

By default, clients receive the pfSense IP (10.X.X.X) as their DNS server, with no other filtering or blocking; pfSense forwards to 1.1.1.1 (Cloudflare). (Current setup and working)

Select clients (KIDS systems) receive / have their DNS requests sent to 1.1.1.3. (Working today via DHCP reservation)

Net-new addon: the same select "KIDS systems" are blocked from youtube.com, but again they have to continue leveraging 1.1.1.3 as their DNS server so that adult content is effectively blocked. (Solution not found yet)

                  Thanks.

stephenw10 (Netgate Administrator):

                    You could switch that around so that most systems use 1.1.1.1 directly but kids systems use Unbound in pfSense and are forwarded to 1.1.1.3. Then you can add filtering to unbound for some domains.

                    Or you could pass kids systems to an external DNS service that allows adding domains to block.

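The Unbound "view" approach described two posts up, and the variant in this post where the kids systems use Unbound in pfSense (forwarded to 1.1.1.3 via the resolver's own settings) with filtering for a few domains, look roughly like the following. This is an added example, not configuration from the thread or from Netgate: the client addresses 192.168.1.50 and .51, the view name "kids" and the blocked domains are constructed placeholders.

```conf
# unbound.conf fragment (in pfSense this goes into the DNS Resolver's
# custom options). Constructed example: the client IPs, the view name
# and the domains are placeholders, not values from the thread.
server:
    # Only these clients are mapped into the "kids" view; every other
    # client keeps the resolver's normal behaviour and sees no change.
    access-control-view: 192.168.1.50/32 kids
    access-control-view: 192.168.1.51/32 kids

view:
    name: "kids"
    # always_nxdomain answers NXDOMAIN for the zone and everything
    # below it, so www.youtube.com and m.youtube.com are covered too,
    # matching the "*.facebook.com" idea from the earlier post.
    local-zone: "youtube.com." always_nxdomain
    local-zone: "facebook.com." always_nxdomain
    # Check the view's local zones before the global ones.
    view-first: yes
```

A client that is handed a different DNS server by DHCP, as the kids systems currently are, never reaches this view, so the reservation has to point them at pfSense first. From such a client, `dig @<pfsense-ip> www.youtube.com` should return NXDOMAIN while any other client resolves it normally; `unbound-checkconf` validates the syntax before reloading.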
ngr2001 @stephenw10:

                      @stephenw10

Not really crazy about that idea; I have DNS over TLS configured and other local hosts I'd like to be able to address by hostname easily.

Perhaps there is a plugin solution?

ngr2001 @stephenw10:

                        @stephenw10

I also found the custom view option you were referencing, which I really like. This would be almost perfect if all clients were using the pfSense box for DNS. I don't suppose there is a way to create a view so that certain clients have their requests forwarded to 1.1.1.1 and others to 1.1.1.3? Outside of my current method, which is via DHCP. If this does not exist, could this be a potential future product enhancement?

[image attachment: DNS Resolver custom view screenshot]

stephenw10 (Netgate Administrator):

I haven't tried that but I believe it could. You should be able to set any number of parameters for the client view.

An alternative here might be to also run the DNS Forwarder. You have to run it on a different port to avoid a conflict, but you can forward requests to that port.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.