Netgate Discussion Forum

    How to best secure a guest network

    Off-Topic & Non-Support Discussion
    7 Posts 3 Posters 733 Views
      michmoor LAYER 8 Rebel Alliance

      Got a request to secure a computer lab at a K12 institution and a Guest Network.
      Normally I'm a "deploy an agent on the endpoint" kind of engineer, but I obviously can't do this for Guests. How I handled this in the past is to use a proxy on the Guest to limit the sites I don't want people to go to [porn, guns, religion, etc.].
      Here's the problem... A pfSense is in use. I generally don't use pfSense for any content filtering because it simply can't do it effectively. I've been toying with Squid on my private time, trying to make it work before I consider deploying it, but it's honestly a headache in transparent mode.
      Can anyone think of creative uses that I can use to secure a Guest Network? Maybe pfBlocker?

      Firewall: NetGate, Palo Alto-VM, Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP, CCNP Enterprise

        SteveITS Galactic Empire @michmoor

        @michmoor pfBlocker's DNSBL can block sites via DNS by feed. Note the UT1 "adult" list is large: over 1 GB of disk space to extract it. Also note that to use DNS blocking effectively you have to block DoH and third-party DNS servers as well. This is a bit on the overly complex side but is pretty complete:
        https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

        By default DNSBL shows a "block" page, which means any HTTPS site won't match the cert/name.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

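The DNSBL mechanism described above feeds domain blocklists into the Unbound resolver on pfSense. The following is an added example (not pfBlockerNG's or Netgate's code) that shows the shape of that data: it parses a blocklist feed in either hosts-file or bare-domain form, collapses names already covered by a parent entry, and emits Unbound `local-zone` statements in the two styles the post contrasts, a sinkhole address that serves a block page (and therefore fails the certificate name check for HTTPS) versus a plain NXDOMAIN answer. The feed lines and the sinkhole address are constructed.

```python
"""Convert a domain blocklist feed into Unbound local-zone statements.

Added example, not pfBlockerNG code. pfBlockerNG's DNSBL feeds Unbound on
pfSense; this mirrors the data shape. The feed and addresses are constructed.
"""
import ipaddress
import re

# Constructed sample feed: hosts-file style and bare-domain style lines, plus noise.
SAMPLE_FEED = """\
# constructed blocklist sample
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # trailing comment
badsite.example.test
www.Badsite.Example.test
not a domain!
localhost
"""

# Labels of 1-63 chars, at least two labels, whole name at most 253 chars.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_feed(text):
    """Return a sorted list of lowercase domains from a hosts- or domain-list feed."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            # hosts format: "<ip> <name> [<name> ...]"; a leading IP is skipped
            ipaddress.ip_address(fields[0])
            names = fields[1:]
        except ValueError:
            names = fields  # bare-domain format
        for name in names:
            name = name.lower().rstrip(".")
            if name in _HOSTS_NOISE:
                continue
            if _DOMAIN_RE.match(name):
                domains.add(name)
    return sorted(domains)


def collapse_subdomains(domains):
    """Drop names whose parent is also listed; a local-zone covers its subdomains."""
    covered = set(domains)
    keep = []
    for d in sorted(domains):
        parts = d.split(".")
        # check every proper parent that still has at least two labels
        if any(".".join(parts[i:]) in covered for i in range(1, len(parts) - 1)):
            continue
        keep.append(d)
    return keep


def to_unbound(domains, sinkhole_ip=None):
    """Emit Unbound statements for the collapsed list.

    With a sinkhole IP the client receives an A record pointing at a block page,
    so HTTPS to a blocked name fails the certificate name check. Without one,
    the name simply returns NXDOMAIN and no block page is involved.
    """
    lines = []
    for d in collapse_subdomains(domains):
        if sinkhole_ip:
            lines.append(f'local-zone: "{d}" redirect')
            lines.append(f'local-data: "{d} A {sinkhole_ip}"')
        else:
            lines.append(f'local-zone: "{d}" always_nxdomain')
    return lines


if __name__ == "__main__":
    domains = parse_feed(SAMPLE_FEED)
    print("# sinkhole style (block page, breaks HTTPS cert match)")
    print("\n".join(to_unbound(domains, "10.10.10.1")))  # constructed sinkhole
    print("# nxdomain style")
    print("\n".join(to_unbound(domains)))
```

Feeding the `always_nxdomain` form instead of a sinkhole avoids the certificate mismatch the post mentions, at the cost of giving the user no block page explaining why the site failed.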
          michmoor LAYER 8 Rebel Alliance @SteveITS

          @SteveITS UT1 list: I had issues extracting that on my personal FW at home. Definitely don't want to do it here. DoH will be the challenge, and yes, your PDF seems complete. Thanks for that. I'll let this thread know how it's going along. Figured I will spend Saturday implementing.

            michmoor LAYER 8 Rebel Alliance @SteveITS

            @SteveITS So I decided to take the smart (maybe lazy) way out. OpenDNS. Created a free account. URL filtering by category. Set those to block. Point guest network to use those DNS servers. I'm done.

            You know, I would really pay close to a king's ransom if there was some built-in subscriber-based URL filtering service in my pfSense+. Just saying... dreaming out loud.

              RobbieTT @michmoor

              @michmoor Only works that way if clients honour the DNS setting. Otherwise you will need to redirect DNS requests to your ideal path; then comes the issue of DoH, VPNs and, to a lesser degree, DoT. Probably should mention HTTP/3 (encompassing QUIC) too.

              Frankly I let the guest network have the least external restrictions (aside from illegal stuff) and log all their details for the 'not me gov' response if needed down the line.

              Fun and games with this kind of stuff.

              ☕️

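The point above, that DNS-based filtering only holds for clients that actually use the handed-out resolver, is something the guest network's own firewall logs can show. The following is an added example (not pfSense, pfBlockerNG or any poster's code) that runs over a constructed, simplified flow record and reports, per guest client, which bypass methods were observed: plaintext DNS to a third-party server, DNS over TLS on port 853, and TCP or QUIC (UDP/443) connections to addresses on a list of known DoH endpoints. The guest subnet, resolver address and DoH endpoint list are all constructed placeholders; in a real deployment the endpoint list would come from a maintained feed such as the one behind the PDF linked earlier in the thread.

```python
"""Report guest clients whose DNS traffic bypasses the network's own resolver.

Added example, not pfSense or pfBlockerNG code. The flow records, guest subnet,
resolver address and DoH endpoint list are constructed; a deployment would feed
flows from the firewall's filter or flow logs and a maintained endpoint feed.
"""
from collections import defaultdict
import ipaddress

GUEST_NET = ipaddress.ip_network("10.99.0.0/24")        # constructed guest VLAN
LOCAL_RESOLVER = ipaddress.ip_address("10.99.0.1")      # constructed: firewall's guest-side address
# Constructed stand-in for a maintained list of public DoH endpoint addresses.
KNOWN_DOH_ENDPOINTS = {ipaddress.ip_address("198.51.100.53")}

# Constructed flows: (protocol, source, destination, destination port)
SAMPLE_FLOWS = [
    ("udp", "10.99.0.20", "10.99.0.1", 53),        # honours the DHCP-provided resolver
    ("udp", "10.99.0.21", "203.0.113.9", 53),      # plaintext DNS to a third party
    ("tcp", "10.99.0.21", "203.0.113.9", 853),     # DNS over TLS
    ("tcp", "10.99.0.22", "198.51.100.53", 443),   # HTTPS to a known DoH endpoint
    ("udp", "10.99.0.22", "198.51.100.53", 443),   # QUIC / HTTP3 to the same endpoint
    ("tcp", "10.99.0.23", "192.0.2.80", 443),      # ordinary HTTPS, not DNS
    ("udp", "10.0.5.7", "203.0.113.9", 53),        # not a guest address, ignored
]


def classify(proto, src, dst, dport):
    """Return a bypass label for one flow, or None when it is not a DNS bypass."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        return None
    if dport == 53 and d != LOCAL_RESOLVER:
        return "third-party-dns"
    if dport == 853:
        return "dot"
    if dport == 443 and d in KNOWN_DOH_ENDPOINTS:
        # DoH over HTTP/2 rides TCP; HTTP/3 rides QUIC over UDP
        return "doh-quic" if proto == "udp" else "doh"
    return None


def bypass_report(flows):
    """Map each guest client address to the sorted list of bypass methods seen."""
    seen = defaultdict(set)
    for proto, src, dst, dport in flows:
        label = classify(proto, src, dst, dport)
        if label:
            seen[src].add(label)
    return {src: sorted(labels) for src, labels in sorted(seen.items())}


if __name__ == "__main__":
    for client, methods in bypass_report(SAMPLE_FLOWS).items():
        print(f"{client}: {', '.join(methods)}")
```

The report is only as good as the endpoint list: DoH to a resolver not on the list, or DNS carried inside a VPN tunnel, looks like ordinary TLS and is exactly the gap the post describes. What the log can still show is which clients ignore the resolver at all, which is the population a port-53 redirect and an outbound 853 block would bring back under the filter.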
                michmoor LAYER 8 Rebel Alliance @RobbieTT

                @RobbieTT said in How to best secure a guest network:

                Only works that way if clients honour the DNS setting.

                Yep, but in my mind it's the best I can do. For clients that don't use DoH or DoT, the DNS blocking works. For those clients who don't, they don't. @SteveITS provided a very comprehensive way of blocking DoH, but at the end of the day this is a Guest Network. Don't think the juice is worth the squeeze, as the expression goes.

                @RobbieTT said in How to best secure a guest network:

                Frankly I let the guest network have the least external restrictions (aside from illegal stuff)

                How exactly do you prevent "illegal stuff" if you can't prevent them from getting to those sites if they are not respecting the provided DHCP DNS server settings?

                  RobbieTT @michmoor

                  @michmoor said in How to best secure a guest network:

                  How exactly do you prevent "illegal stuff" if you can't prevent them from getting to those sites if they are not respecting the provided DHCP DNS server settings?

                  I do my level best to stop the horrors of child abuse, starting with a filtered DNS provider, down to filtering at the router. I know that the determined criminal could get around these things but at least I can demonstrate that I did all I could to prevent it and that I keep full usage logs so the police could try and find them, should they ever arrive at the door with a warrant.

                  ☕️

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.