    SquidGuard - different VLANs, config help - block traffic on only ONE VLAN

    Category: pfSense Packages
    5 Posts 2 Posters 4.8k Views
    Nachtfalke:

      Hi,

      I am using pfsense 2.0 with squid 2.7 (transparent mode) and squidguard.
      I have 6 different VLANs and I would like to block all sites on VLAN30 (172.17.180.0/22) except some domains (e.g. adobe.com, kaspersky.com).

      In "Target Categories" I created my filter with name "allowed_sites", entered the URLs, domains I would like later to allow and saved it.
      Then I went to "Group ACL" and used as target "allowed_sites" with "pass" and "Default access [all]" with "deny"

      But now my problem is that I have to enter all IP subnets in "Client (Source)" I would NOT like to block. Isn't it possible to enter the IPs I want the filter to apply to?

      1.) Who could explain to me how to set up this "easy" filter?
      2.) Where is the difference between "Common ACL" and "Groups ACL"? When should I use the one and when the other?

      Thanks!

      jimp (Rebel Alliance Developer, Netgate):

        The clients field in the ACL can match a whole subnet, x.x.x.x/22, and the action on there should be to pass the allowed sites category and deny the others.

        Anyone that does not match the ACL will only be affected by the default ACL setting, which you could make pass on both the allowed sites and default.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Nachtfalke:

          Does this mean:

          In "Common ACL" tab I have to allow "any"
          And in the "Groups ACL" tab I have to choose my target sites to allow and any other "deny". Client (Source) should then be the entire VLAN, e.g. 192.168.8.0/22, right?

          Other question:

          "Not to allow IP addresses in URL"

          Does this mean that squidguard is doing a DNS lookup and checks if the IP belongs to a domain I had blocked, or does this mean that there will never be any connection when there is an IP in the URL?
          Not sure if any of my security suites is using only IP addresses instead of domain names.

          jimp (Rebel Alliance Developer, Netgate):

            @Nachtfalke:

                Does this mean:

                In "Common ACL" tab I have to allow "any"
                And in the "Groups ACL" tab I have to choose my target sites to allow and any other "deny". Client (Source) should then be the entire VLAN, e.g. 192.168.8.0/22, right?

            Sounds right.

            @Nachtfalke:

                Other question:

                "Not to allow IP addresses in URL"

                Does this mean that squidguard is doing a DNS lookup and checks if the IP belongs to a domain I had blocked, or does this mean that there will never be any connection when there is an IP in the URL?
                Not sure if any of my security suites is using only IP addresses instead of domain names.

            No, that means if someone types in http://69.63.181.12/ they can't go there, instead of getting the site that is there (facebook.com) - it's one way of bypassing domain-based protections.

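The two answers above describe how the requests get evaluated: a client that matches a Group ACL's source subnet gets that ACL's rule list (pass the allowed category, deny everything else), anyone else falls through to the default ACL, and "Not to allow IP addresses in URL" rejects requests whose host is a bare IP so the domain list cannot be sidestepped. The following is an added Python model of that decision flow, written for this thread; it is not pfSense or squidGuard code. It assumes the VLAN30 subnet and the two example domains from the first post, treats the block-IP option as a per-ACL setting, and models squidGuard's first-match evaluation with an explicit trailing "all" (pass) or "none" (deny) entry, which is how the pfSense "Default access" setting is expressed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed target category "allowed_sites" (domains from the first post).
ALLOWED_SITES = {"adobe.com", "kaspersky.com"}

# Group ACLs, checked in order; the first ACL whose source list contains
# the client IP is used. "pass" is evaluated left to right, first match wins.
# A trailing "none" models 'Default access [all]' = deny; "all" models pass.
GROUP_ACLS = [
    {
        "name": "vlan30",
        "sources": [ipaddress.ip_network("172.17.180.0/22")],  # from the post
        "pass": ["allowed_sites", "none"],
        "block_ip_hosts": True,   # "Not to allow IP addresses in URL" (assumed per-ACL)
    },
]

# Default ACL for clients matching no group ACL: pass everything, as suggested.
DEFAULT_ACL = {"name": "default", "pass": ["all"], "block_ip_hosts": False}

CATEGORIES = {"allowed_sites": ALLOWED_SITES}


def host_in_domain_list(host, domains):
    """True when host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def host_is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def select_acl(client_ip):
    """Pick the first group ACL whose source networks contain client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for acl in GROUP_ACLS:
        if any(ip in net for net in acl["sources"]):
            return acl
    return DEFAULT_ACL


def decide(client_ip, url):
    """Return 'pass' or 'deny' for one request under the modelled ACLs."""
    host = urlsplit(url).hostname or ""
    acl = select_acl(client_ip)
    # IP-literal hosts never match a domain entry, so they are refused outright
    # when the option is on; otherwise they would slip past the domain list.
    if acl["block_ip_hosts"] and host_is_ip_literal(host):
        return "deny"
    for rule in acl["pass"]:
        if rule == "all":
            return "pass"
        if rule == "none":
            return "deny"
        if host_in_domain_list(host, CATEGORIES[rule]):
            return "pass"
    # Model choice: every rule list must end in "all" or "none".
    raise ValueError(f"ACL {acl['name']!r} has no terminal all/none rule")


if __name__ == "__main__":
    # Constructed sample requests: VLAN30 client vs. a client on another VLAN.
    for client, url in [
        ("172.17.181.5", "http://www.adobe.com/"),
        ("172.17.181.5", "http://example.net/"),
        ("172.17.181.5", "http://69.63.181.12/"),
        ("10.0.0.5", "http://example.net/"),
    ]:
        print(f"{client:14} {url:28} -> {decide(client, url)}")
```

Clients outside 172.17.180.0/22 never reach the VLAN30 rule list, which is why the other subnets do not need to be listed anywhere: the default ACL already passes them.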
            Nachtfalke:

              Great! Thanks.

              I will give it a try tomorrow at work.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.