Netgate Discussion Forum

    Is this possible? A web filter triggering some other stuff

    General pfSense Questions
BlueStarry

      Hi,

Disclaimer: I'm not a top-level networking expert, so please be kind :-)

I've got an idea and, before starting research and resurrecting my pfSense-based firewall, I need to know if this is possible, because I have this really cool idea in mind, so bear with me for a minute:

      SCENARIO:

A pfSense firewall with a web filter; this web filter has some kind of list of websites. This firewall also has a VPN configured with a VPN service provider of some sort.

      SITUATION:

A client on the network that comes from any interface (could be another router connected, an access point, a switch, whatever) tries to connect to a website listed on the web filter. What I want is a redirect to a web page that says something like "Hey dude, this website ain't good, bro, what do you want to do?" If the user says "Never mind, I wanna go there because I'm brave af", the firewall allows the access, but (and here is the core of the question) would it be possible to "route" all the traffic through the VPN ONLY when visiting such websites listed on the web filter? So if the user goes back to another website that is not on the web filter list, nothing happens and the traffic is not "routed" through the external VPN service.

I really don't know if this is possible or I'm talking bullshit, but if this is possible, can we do it with pfSense? Would it be very difficult?

Thank you very much for your time answering the question.

      Regards

stephenw10 (Netgate Administrator) @BlueStarry

        @BlueStarry said in Is this possible? A web filter triggering some other stuff:

if this is possible, can we do it with pfSense? Would it be very difficult?

        Yes, it's probably possible. Yes, it would be difficult. Not an easy setup.

Proxy everything through Squid so you can actually filter by URL rather than IP.

        Configure custom Squid ACLs for 'bad' sites.

        Set a custom outgoing WAN IP for the bad sites using the VPN IP.

        Captive portal maybe for the acknowledgement page? That doesn't really tie in with Squid well though.

A lot of that is not directly configurable in the GUI; it would require custom pass-through code to Squid.

        Steve

noplan
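As an added illustration of Steve's Squid approach (not code from the thread or from Netgate), a squid.conf fragment that sends only listed destinations out from the VPN-side address; the VPN address 10.8.0.2 and the list file path are placeholders I assumed:

```conf
# Added example, not from the thread. Assumed placeholders: the VPN
# interface address 10.8.0.2 and the path of the domain list file.

# One dstdomain pattern per line in the file, e.g. ".example.org"
# (a leading dot also matches subdomains).
acl vpn_sites dstdomain "/usr/local/etc/squid/vpn_sites.txt"

# Requests matching the list leave Squid from the VPN-side address;
# everything else keeps Squid's default (WAN) source address.
tcp_outgoing_address 10.8.0.2 vpn_sites

# For HTTPS, Squid sees only the CONNECT host, so dstdomain still
# matches without intercepting ("bumping") TLS; matching on the full
# URL path would require that, which the thread advises against.
```

Binding the source address does not by itself choose the gateway: on pfSense a floating outbound rule that matches that source address and has the VPN gateway selected is still needed so the packets actually leave via the VPN.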

All possible.

Use pfBlockerNG and a custom block page.

The part where the user can click "never mind" is a totally different page...
Maybe possible, but not out of the box. A blocked page is blocked until it's whitelisted.

Never mind Squid; you do not want to break HTTPS traffic ;) Use pfBlocker based on DNS.

The rest is network stuff on your LAN side (access points) or on the VPN side.

Hope it helped.

BlueStarry @noplan

I thank you all kindly for your support; it is really appreciated, I must say.
I understand that this is very difficult.
Would it be any easier to do the "routing" through the VPN "transparently", without any acknowledgement from the user?

I.e.: listed website --> through VPN, good website --> normal traffic, no portals, no nothing.

            What do you guys think?

Thanks

noplan

I don't get it.
Maybe lack of sleep and/or sugar.

A blacklist is a blacklist (porn).
If you want a client not to get in touch with the whole blacklist, you have to bypass it.

I'm thinking someone is trying to bypass pfB by IP (client).

If you do it by VPN, don't enable pfB on that interface.

Hope I got it all right.

stephenw10 (Netgate Administrator)

I'm not sure how you could route traffic to the VPN gateway using pfBlocker. For small sites with a single IP or a few IPs you might be able to use it to create an alias, but for anything using a CDN it would be patchy at best.

                Steve

BlueStarry

Hello, kind gentlemen,
I'll try to explain better:
There are certain areas of the interwebs that are better surfed with an external VPN service. I want to automate this behaviour, and the discrimination would be a list of websites based on a web filter.

Hope this clarifies things.

                  My best and cheerful regards.

akuma1x

I'm thinking it would just be easier to use 2 computers: 1 to always connect to the internet through a VPN to surf to "certain areas of the interwebs" and another computer to NOT do any of that kind of stuff. Easy... got an extra computer?

                    :)

                    Jeff

noplan

I still don't get it.

But to be pragmatic:

1. Enable a DNS-based website filter like pfBlockerNG.
2. Use a custom information page when a site is blocked.
3. Customize this page as you like (send mail ---> put the site on a whitelist after the next reload, whatever).
4. Configure a bypass for sites you want to reach only via VPN.
5. Configure that bypass to get routed through the VPN gateway.

Nice project, have fun! /me out

stephenw10 (Netgate Administrator)

                        @noplan said in Is this possible? A web filter triggering some other stuff:

Configure a bypass for sites you want to reach only via VPN.

That's the difficult bit. In Squid you can match the URL against an ACL and use a different outbound interface.

In pfBlocker, if you use DNSBL, there is no alias to use in a policy routing firewall rule. If you use the FQDN directly in an alias it will catch, if you're lucky, some of the traffic for almost all sites you might want to match, like Netflix for example.
You can only use an alias pulled from a list that hopes to contain all IPs for that site. You can pull that via AS number, for example, but that relies on the AS being up to date, which they often are not.

                        Steve

noplan @stephenw10

                          @stephenw10

Isn't there a pretty new post around here about bypassing pfB for a specific IP?

If that works, that should do the trick.

The other thing, which no one told us:
What's the mission of pfB in this case?
Blocking porn?

stephenw10 (Netgate Administrator)

                            Like by-passing DNS-BL? Or by-passing the firewall rules?

                            Either is possible. Neither will route traffic to a different gateway based on URL.

                            Creating aliases by AS number is the only way I've seen that get close. That can work well for blocking since if you block 90% of Facebook the remaining 10% isn't much use. But for passing and/or routing it's less effective since 10% missing does not make for a good experience! 😉

                            Steve

noplan

Not getting deeper into bypassing DNSBL; I thought this is what @BlueStarry was asking for, combined with a custom blocked-website information page and tipped with VPN routing, which I personally don't understand what for.

You are right, routing based on a URL ..... ;)

And yeah, content filtering is a pretty annoying job if you are not above 128 GB RAM for the filters only ;)

stephenw10 (Netgate Administrator)

                                Yeah this is not a road I would ever choose to go down!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.