Is this possible? A web filter triggering some other stuff

  • Hi,

    Disclaimer: i'm not a top level networking expert so please be kind :-)

    I've got an idea and before starting research and resurrect my pfsense based firewall, i need to know if this is possible because i have this really cool idea in mind so bear with me for a minute:


    A pfsense firewall with a web filter, this web filter has some kind of list of websites. This firewall has also configured a VPN with a VPN service provider of some sort.


    A client on the network that comes from any interface (could be another router connected, an access point, a switch wathever) tries to connect to a web site listed on the web filter. What i want is a redirect to a webpage that says anything like "Hey dude this website ain't good bro what you want to do?" If the user says "Nevermind i wanna go there because I'm brave af" the firewall allows the access but (and here is the core of the question) would it be possible to "route" all the traffic through the vpn ONLY when visiting such websites listed on the web-filter? So if the user goes back on another website that is not on the webfilter list nothing happens and he traffic is not "routed" trough the external VPN service.

    I really don't know if this is possible or i'm talking bullshit, but if this is possible, we can do it with PfSense? Would it be very difficult?

    Thank you very much for you time answering the question.


  • Netgate Administrator

    @BlueStarry said in Is this possible? A web filter triggering some other stuff:

    if this is possible, we can do it with PfSense? Would it be very difficult?

    Yes, it's probably possible. Yes, it would be difficult. Not an easy setup.

    Proxy everything though Squid so you can actually filter by URL rather than IP.

    Configure custom Squid ACLs for 'bad' sites.

    Set a custom outgoing WAN IP for the bad sites using the VPN IP.

    Captive portal maybe for the acknowledgement page? That doesn't really tie in with Squid well though.

    A lot of that is not directly configurable in the GUI, it would require customer pass though code to Squid.


  • all possible

    use pfblockerNG and a custom block page

    the part where the user can klick nevermind is a total other page ...
    maybe possible but not out of the box. a blocked page is blocked untill its whitelisted

    nevermind squid u do not want to break https traffic ;) use pfblocker based on DNS

    the rest is network stuff on your LAN side (AccesPoints ) or on the VPN side

    hope it helped

  • I thank you all kindy for your support, it is really appreciated i must say.
    I undestand that this is very difficult.
    Would be any easier to do the "routing" trough the vpn "transparently" without any acknowledgement from the user?

    IE: listed website --> trough VPN, good website --> normal traffic, no portals no nothing.

    What do you guys think?


  • I don't get it
    Maybe lack of sleep and or sugar

    A blacklist is a blacklist. (porn)
    If u want a client not to get in touch with the whole blacklist you have to bypass it

    I m thinking someone is trying to bypass pfB by ip (client)

    If u do it by VPN don't enable pfB on that interface

    Hope I got it all right

  • Netgate Administrator

    I'm not sure how you could route traffic to the VPN gateway using pfBlocker. For small sites with a single IP or a few IPs you might be able to use it create an alias but for anything using a CDN it would be patchy at best.


  • Hello kind gentlemens,
    i'll try to explain better:
    There are certain areas of the interwebs that are better surfed with external VPN service. i want to automate this behaviour, and the discrimination would be a list of websites based on a webfilter.

    Hope this clarifies better.

    My best and cheerful regards.

  • I'm thinking it would just be easier to use 2 computers - 1 to always connect to the internet thru a VPN to surf to "certain areas of the interwebs" and another computer to use to NOT do any of that kind of stuff. Easy... got an extra computer?



  • i still dont get it.

    but to be pragmatic

    1. enable a website filter DNS based like pfBlockerNG
    2. use a custom information page when a site is blocked
    3. customize this page as u like (send mail ---> put site on a whitelist after the next reload whatever)
    4. configure a bypass for sites you want to reach only via VPN
    5. configure thaht bypass to get routed through the VPN gateway

    nice project have fun ! /me out

  • Netgate Administrator

    @noplan said in Is this possible? A web filter triggering some other stuff:

    configure a bypass for sites you want to reach only via VPN

    That's the difficult bit. In Squid you can match the URL against an ACL and use a different outbound interfaces.

    In pfBlocker, if you use DNS-BL, there is no alias to use in a policy routing firewall rule. If you use the fqdn directly in an alias it will catch, if you're lucky, some of the traffic for almost all sites you might want to match like Netflix for example.
    You can only use an alias pulled from a list that hopes to contains all IPs for that site. You can pull that via AS number for example but that relies on the AS being up to date which they often are not.


  • @stephenw10

    Isn't there post around here pretty new about bypassing pfB for a specific IP

    If that works that should do the trick

    The other thing what Noone told us
    What's the mission of pfB in this case
    blocking porn?

  • Netgate Administrator

    Like by-passing DNS-BL? Or by-passing the firewall rules?

    Either is possible. Neither will route traffic to a different gateway based on URL.

    Creating aliases by AS number is the only way I've seen that get close. That can work well for blocking since if you block 90% of Facebook the remaining 10% isn't much use. But for passing and/or routing it's less effective since 10% missing does not make for a good experience! 😉


  • not gettin deeper into by-passin DNSBL i thought this is what he @BlueStarry was askin for combined with a custom blocked website information page and tipped with a VPN routing i personally dont understand what for

    you are right routing based on a url ..... ;)

    and yeah content filtering is pretty anoying job if you are not above 128 GB RAM fpr the filters only ;)

  • Netgate Administrator

    Yeah this is not a road I would ever choose to go down!

Log in to reply