running pfSense in a school
-
Hi.
I would like to be able to run pfSense in a school district.
Hardware is not a big issue, nor is getting the software.
My big issue is web filtering.
What would be the viable way to do the web filtering?
Some sources say pfBlockerNG, but I'm not sure.
Others say SquidGuard, but again, I'm not sure.
I will use Suricata for IDS/IPS.
thanks in advance -
I personally love Squid and SquidGuard, I run it all day. Again, you would have to create a URL blacklist, and it is very complex to configure: it requires certificates and special splice lists, lots of settings; it is like a Swiss army knife.
However, for something that is running in a school I would recommend pfBlocker; it has a bigger support base, and you can get that running faster.
Go with what the mainstream is using, pfBlocker; that way you get issues resolved faster.
-
@adisonverlice said in running pfSense in a school:
Others say SquidGuard, but again, I'm not sure.
I will use Suricata for IDS/IPS.

Ask yourself this question:
With your own device, like a phone or PC, you connect to your own bank.
You and your bank, when connected, have a common interest: that the connection between your device and the bank's web server is secured.
You already know: you use https, and this means traffic leaving your PC (or phone) and going to the bank, and traffic coming back from the bank, is accessible by no one.

Now, your question: the traffic leaves your device and flows through other devices, like access points, switches, the equipment of your ISP, other 'Internet' routers, up until the bank, or any other site.
Your pfSense is somewhere in the middle of this chain.
With me so far?

You want to do IDS/IPS. Ok, nice, the packets flowing through pfSense have packet headers, that contain destination and source IP, ports and some flags, counters and so on.
And a data payload, the actual data that is sent to the server. This data is encrypted using TLS as you, and everybody else, are using https.

Your goal: decrypting the payload, and doing some "IDS/IPS" on it, as you can't use the encrypted data: it's just a random stream of bits.
Afaik, even the 3 letter agencies can't do this. So neither can you, whatever device you use. This isn't pfSense's fault. It's us, you and me. We wanted inviolable security, and we have it.
There are no exceptions.

So, then how to do IDS/IPS?
You remember the browser settings? ALL the browser and network settings, especially the ones you've never used before, and you always wondered: what are these for?
It starts with these:
When you set up a proxy on your device, your PC, phone, etc., you give it the IP or host name of the proxy. This proxy will be pfSense.
From then on, your PC (phone) will contact the proxy = pfSense and ask it to do the actual request for it.
This means that you, from now on, have to trust the proxy, as it sees ALL your traffic = the payload.
This proxy setup has to be done for every device that uses the pfSense network - has to be done for every device that you want to 'filter'.

I already see it coming: this is a school, nobody is going to modify their device's settings so the proxy can get used. And when they leave the school, settings have to be undone, and so on. They will refuse - or simply don't understand why they should do so, and refuse even more when they understand why they should do so. Who likes to be spied upon?
I'm pretty sure @JonathanLee can tell you way more about this subject, he is actually using it.
He started doing so a year or two ago, he's on it 24/24h, he still isn't done with the setup, but he got pretty far ^^
(I don't, it's just not worth it)

Beware that there are many sites out there that will "know" that the traffic is proxied, so they will refuse the connection. This exception list is huge, and has to be handled manually.
So, final words: I don't say it can't be done.
It can.
What often happens is: people get pfSense because "Oh, pfSense can do IDS/IPS".
But it's like getting a Boeing 737 MAX and thinking that you now can fly. You can't. Flying needs to be learned, the old fashioned way. No shortcuts. It means: you have to go to school again ... -
@adisonverlice
The most common way of doing any web filtering is on the endpoint.
If you increased your budget and got a firewall that can do categorization filtering such as Fortigate or Palo, then yes, do it on the firewall, but considering Squid is labeled a deprecated package and there are no paid lists to use with it to do filtering, you need to do this on the endpoint. With Squid you are wasting a lot of time and energy.

Additionally, the documentation is clear:
https://docs.netgate.com/pfsense/en/latest/recipes/block-websites.html
"The best way to ensure these sites are not accessible is using an external proxy or content filtering capable of blocking by category."
-
@adisonverlice pfBlocker can use DNS block lists. You will need to prevent devices from using any other DNS, meaning block DoH/DoT as well as port 53 outbound.
Suricata can work and we often use it for our clients, but I find that most outbound traffic is encrypted, which Suricata can't see into. So if you're not hosting web servers or similar it may not help much.
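As an added example (not code from the thread, from pfSense or from pfBlockerNG), a small Python model of what a DNS block list does once it is loaded into the resolver, and of the egress check the post above insists on: a listed domain also covers its subdomains, and any client that reaches an outside resolver on port 53 or 853 gets around the list entirely. The block list, query names and resolver address are constructed.

```python
# Added example, not code from the thread or from pfBlockerNG: how a DNS-level block
# list behaves once loaded into the resolver, plus the egress check the post above
# insists on. The block list, query names and resolver address are constructed.

SAMPLE_LIST = """# constructed sample mixing hosts-file and bare-domain formats
127.0.0.1 localhost
0.0.0.0 ads.example
tracker.example.net      # bare domain entry with a trailing comment
0.0.0.0 Malware.Example.ORG
"""

def parse_blocklist(text):
    """Return a set of lowercase domains from hosts-file or one-domain-per-line text."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        # hosts-file style "0.0.0.0 name": keep the name, not the sink address
        name = fields[1] if len(fields) > 1 and fields[0] in ("0.0.0.0", "127.0.0.1") else fields[0]
        name = name.lower().rstrip(".")
        if name not in ("localhost", "localhost.localdomain"):
            blocked.add(name)
    return blocked

def is_blocked(qname, blocked, allowlist=frozenset()):
    """A listed domain also covers its subdomains. The most specific matching entry
    wins (allowlist first on a tie), so an allowlisted host under a blocked zone resolves."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return False
        if candidate in blocked:
            return True
    return False

def dns_bypass_reason(dst_ip, dst_port, resolver_ip):
    """Flag a client flow that would sidestep the filtering resolver.
    DoH rides on 443 like any HTTPS, so it cannot be told apart by port alone;
    it needs a list of known resolver endpoints, which this check does not carry."""
    if dst_port == 53 and dst_ip != resolver_ip:
        return "plain DNS to an outside resolver"
    if dst_port == 853:
        return "DNS over TLS"
    return None
```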