Netgate Discussion Forum

    Web filtering (allow only few websites to a group)

    • V
      V4705

      Hi,
      We need to block all the websites (except for only a few) for one division in this office (a few people with static IPs).

      What are my options with pfSense?

      Many thanks!

      • D
        dreamslacker

        Squid with Squidguard is probably your best bet. Alternatively, where the running of Squid has undesired effects, you can use URL aliases and firewall rules to block all port 80/443 traffic sourced from the group and bound for the URL alias.

        • jimpJ
          jimp Rebel Alliance Developer Netgate

          That's not how URL aliases work.

          Squid+SquidGuard (And maybe Dansguardian?) are the only ways to block/allow sites selectively. It can't be done with firewalls in any meaningful way.

          • stephenw10S
            stephenw10 Netgate Administrator

            If you only want to allow access to, say, the company's web servers then you probably know what IPs they are on and can allow access only to those.
            Depends what you mean by 'only a few'.

            Steve

            • D
              dreamslacker

              @jimp:

              That's not how URL aliases work.

              I was under the impression that URL aliases are used to periodically resolve the IP addresses for firewall rules.  If that is not the case, could you enlighten me on the purpose of the URL aliases?

              Thank you.

              • V
                V4705

                @jimp:

                That's not how URL aliases work.

                Squid+SquidGuard (And maybe Dansguardian?) are the only ways to block/allow sites selectively. It can't be done with firewalls in any meaningful way.

                Thanks for the answer,
                I tried to set up squid and squidguard but for some reason when I set the proxy configuration on my computer, I can't access any website (don't know if the proxy blocked that or it doesn't even communicate with the proxy…).

                What I did until now:
                installed squid and squidguard addons
                set on squid ("proxy server"):
                interface: lan
                [v] allow users on interface
                log dir: /pfsenselogs/proxy (dunno, just wrote some path…).
                port: 8484 (again, dunno what to choose, just picked one because it didn't offer any default).

                set on squidguard ("proxy filter"):
                target categories -> "category1" -> domain list with 5-6 domains, separated by spaces.
                common acl -> category1 whitelist, default access deny.
                [v] not to allow ip addresses in url
                redirect mode: int error page
                redirect info: blocked
                general ->
                [v] enable
                apply

                Any help\tip\suggestion to start working with it, will be HIGHLY appreciated.

                Thanks.

                • D
                  dhatz

                  @V4705:

                  We need to block all the websites (except for only a few) for one division in this office (a few people with static IPs).
                  What are my options with pfSense?

                  It depends on which "few websites" you want to allow.

                  Most webpages load objects from many different domains, sometimes CDNs, in which case white-listing specific domains can be problematic.

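An added example, not part of any post in this thread: a small Python model of the policy V4705 describes (a domain whitelist, default deny, no IP addresses in URLs) applied to the hosts a page loads its objects from, which is the problem dhatz points out. The domain names, the sample page and the suffix-matching rule for listed domains are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allowlist, standing in for the "category1" domain list.
ALLOWED_DOMAINS = {"intranet.example.com", "app.vendor.example"}
RESOURCE_TAGS = {"script", "img", "link", "iframe"}

def is_ip_literal(host):
    """True when the URL host is an IP address rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def allowed(host, allow=ALLOWED_DOMAINS, block_ip_urls=True):
    """Default deny: pass only listed domains and their subdomains."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return not block_ip_urls and host in allow
    return any(host == d or host.endswith("." + d) for d in allow)

class ResourceHosts(HTMLParser):
    """Collect the hosts a page loads scripts, styles, images and frames from."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag in RESOURCE_TAGS and name in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)

def blocked_hosts(html, allow=ALLOWED_DOMAINS):
    """Hosts the page depends on that the allowlist would deny."""
    parser = ResourceHosts()
    parser.feed(html)
    return sorted(h for h in parser.hosts if not allowed(h, allow))

# Constructed page for an allowed web app that pulls assets from other hosts.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.static.example.net/app.css">
<script src="https://app.vendor.example/js/main.js"></script>
<script src="//fonts.cdn.example.org/loader.js"></script>
</head><body><img src="http://203.0.113.7/logo.png">
<a href="/local/page">relative link</a></body></html>"""
```

Running `blocked_hosts()` over a saved copy of each permitted application's pages gives the extra domains that would have to be added to the whitelist before the application renders correctly.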
                  • V
                    V4705

                    Our own websites and a few web-based apps we're paying for (3rd companies).

                    • stephenw10S
                      stephenw10 Netgate Administrator

                      If those web sites are being served from a small number of fixed IPs then simply add those to an alias and use that in a firewall rule.

                      Steve

                      • V
                        V4705

                        Thanks for the quick reply,
                        I tried that, unfortunately it's not working for those websites.
                        Any tips\guides on how to use Squid\SquidGuard on pfSense?

                        Thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.