    Question about blocking sites like Facebook with pfsense?

    General pfSense Questions
    3 Posts, 3 Posters, 3.3k Views
    • AvadaKedava

      Hey everyone, I'm looking to switch my router to pfSense but had a question regarding its ability to block sites like facebook.com for my employees.

      Right now my Netgear router can block sites by URL, but the problem is it just shows a huge red page that says BLOCKED BY NETGEAR FIREWALL, which really makes it obvious.

      With pfSense I have 2 questions, if I can block sites:

      1. Can I customize the page that comes up when something is blocked?
      2. Can I choose to not have it do anything? Like have it basically just time out, or act the way it does as if the user went to a completely wrong address? I guess worst case, if not, if it can do option 1 above then I could just use the Internet Explorer time-out page.

      Thanks everyone!

      • cyp

        There are at least three (+1) ways that come to mind to block access to specific domains:

        1. You could configure the DNS forwarder to return an IP address for 'somewhere else' (either non-existent, or a web server in your own network).
        2. You could get the packet filter (the mighty 'pf') to do its thing: block, or reset the client's connection, or bounce the request off to somewhere else.
        3. You could install the add-on packages for squid and squidGuard. This is by far the most flexible option since it allows you to decide which users get to see what, and can be used for multiple black/whitelists. But these are quite big packages, and may be overkill if you really only want to block access to a handful of websites.

        These methods are combinable; e.g. make the DNS forwarder return a fake IP address, and then apply a packet filter rule to that address.
        And since all of them can also redirect to another web server, they allow you to serve the user's browser a response of your own making. That can be on the pfSense box itself, or on some other web server you have on your LAN.

        Additionally: pfSense can do layer 7 packet inspection and block/pass/re-queue based on that. Unlike the three methods mentioned above, this is not trivial to set up.

        • wallabybob
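As an added example (not from the thread or from the pfSense project), here are raw pf rules, plus the matching DNS forwarder line, for the "fake IP address + packet filter rule" combination cyp describes, covering both a custom block page (question 1) and a silent time-out (question 2). The LAN interface, sinkhole address and block-page server are assumed values; on pfSense you would enter the equivalents through the GUI rather than editing pf.conf by hand.

```pf
# Assumptions (not from the thread): LAN is 192.168.1.0/24 on interface em1,
# the sinkhole address is 192.0.2.50 (documentation range, never routed), and
# a local web server at 192.168.1.10 serves the custom "blocked" page.

# 1) DNS forwarder side (dnsmasq custom option, Services > DNS Forwarder):
#      address=/facebook.com/192.0.2.50
#    Every name under facebook.com now resolves to the sinkhole address.

lan_if    = "em1"
lan_net   = "192.168.1.0/24"
sinkhole  = "192.0.2.50"
blockpage = "192.168.1.10"

# 2a) Plain HTTP: hand the browser a page of your own instead of an error
#     (question 1). Traffic for the sinkhole on port 80 is redirected to the
#     local block-page server.
rdr pass on $lan_if proto tcp from $lan_net to $sinkhole port 80 -> $blockpage port 80

# 2b) HTTPS: do NOT redirect. The browser expects facebook.com's certificate,
#     so any page you serve would only produce a certificate warning.
#     "block drop" discards silently, so the client simply times out, which is
#     the "completely wrong address" behaviour asked for in question 2.
#     Use "block return" instead if an immediate connection-refused is preferred.
block drop in quick on $lan_if proto tcp from $lan_net to $sinkhole port 443

# 2c) Anything else aimed at the sinkhole (other ports, UDP, QUIC) times out too.
block drop in quick on $lan_if from $lan_net to $sinkhole

# Clients with a hard-coded external resolver would still get the real address,
# so force all DNS through the firewall itself (wallabybob's point below).
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53
block return in quick on $lan_if proto { tcp udp } from $lan_net to any port 53
```

The check for the DNS half is a plain lookup from a LAN client: `nslookup www.facebook.com` should return 192.0.2.50 and nothing else.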

          OpenDNS can do something like what you have requested. You can use OpenDNS as your DNS server and configure it to block various categories of web sites. If I recall correctly, it's possible to do some configuration of how the user is notified their access attempt has been blocked. More details are at http://www.opendns.com

          You could configure pfSense to be the name server for your LAN, use OpenDNS as name server and add firewall rules to block access from LAN to other name servers.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.