Question about blocking sites like Facebook with pfsense?
Hey everyone, I'm looking to switch my router to pfSense but had a question regarding its ability to block sites like facebook.com for my employees.
Right now my Netgear router can block sites by URL, but the problem is it just shows a huge red page that says BLOCKED BY NETGEAR FIREWALL, which really makes it obvious.
With pfSense I have 2 questions, if it can block sites:
- Can I customize the page that comes up when something is blocked?
- Can I choose to not have it do anything? Like have it basically just time out, or act the way it does as if the user went to a completely wrong address? I guess worst case, if not, if it can do option 1 above then I could just use the Internet Explorer time-out page.
There are at least three (+1) ways that come to mind to block access to specific domains:
1. You could configure the DNS forwarder to return an IP address to 'somewhere else' (either non-existent, or a web server in your own network).
2. You could get the packet filter (the mighty 'pf') to do its thing: block, or reset the client's connection, or bounce the request off to somewhere else.
3. You could install the add-on packages for Squid and SquidGuard. This is by far the most flexible option since it allows you to decide which users get to see what, and can be used for multiple black/whitelists. But these are quite big packages, and may be overkill if you really only want to block access to a handful of websites.
These methods are combinable; e.g. make the DNS forwarder return a fake IP address, and then apply a packet filter rule to that address.
And since all of them can also redirect to another web server, they allow you to serve the user's browser a response of your own making. That can be on the pfSense box itself, or on some other web server you have on your LAN.
Additionally: pfSense can do layer 7 packet inspection and block/pass/re-queue based on that. Unlike the three methods mentioned above, this is not trivial to set up.
OpenDNS can do something like what you have requested. You can use OpenDNS as your DNS server and configure it to block various categories of web sites. If I recall correctly, it's possible to do some configuration of how the user is notified their access attempt has been blocked. More details are at http://www.opendns.com
You could configure pfSense to be the name server for your LAN, use OpenDNS as its name server, and add firewall rules to block access from the LAN to other name servers.
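Putting the first answer's methods 1 and 2 together, plus the "block other name servers" rule from the last reply, as an added example that is not part of the original thread: pfSense's GUI generates rules like these for you, this is the raw dnsmasq/pf equivalent, and the interface name, addresses and port are assumptions.

```pf
# Added example, not from the original thread: the "DNS override + packet
# filter" combination from the first answer, written as raw pf rules.
# Everything named here is an assumption: LAN interface em1, LAN subnet
# 192.168.1.0/24, pfSense LAN address 192.168.1.1, and a small web server
# on pfSense itself at 192.168.1.1:8080 that serves your own "blocked" page.
#
# Step 1, DNS forwarder (dnsmasq) host override: point the domain and all
# of its subdomains at a sinkhole address instead of the real one.
#   address=/facebook.com/192.0.2.1
# The sinkhole must be OUTSIDE the LAN subnet: an address inside it would
# be ARPed for directly and the traffic would never reach pfSense.
#
# Step 2, pf: choose what happens to packets that go to the sinkhole.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"
sinkhole = "192.0.2.1"

# Variant C, serve your own page: rdr runs before filtering, so HTTP to
# the sinkhole lands on the local web server; only this port is redirected.
rdr on $lan_if proto tcp from $lan_net to $sinkhole port 80 -> $lan_addr port 8080
pass in quick on $lan_if proto tcp from $lan_net to $lan_addr port 8080

# Variant A, act like a dead address: silent drop, the browser just times out.
block drop in quick on $lan_if from $lan_net to $sinkhole

# Variant B, refuse immediately instead (TCP RST / ICMP unreachable).
# Swap this for Variant A if you prefer; "quick" means the first match wins.
# block return in quick on $lan_if from $lan_net to $sinkhole

# From the last reply: keep clients on the pfSense resolver so the override
# cannot be bypassed by pointing a PC at some other DNS server.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $lan_addr port 53
block return in quick on $lan_if proto { tcp udp } from $lan_net to any port 53
```

Neither variant needs the Netgear-style red page: Variant A just hangs like a dead address, and the HTTP redirect in Variant C lets you serve whatever page you like. Redirecting port 443 the same way would trigger a certificate warning in the browser, since your server cannot present a valid certificate for the blocked domain, so HTTPS is left to the drop rule.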