How to allow to open all the blocklist for a single IP in pfsense



  • Hello users,

    I have a doubt regarding pfSense settings.

    I have blocked websites like Facebook and YouTube in my pfSense so that no one in my office can access them. Is there any way that I can allow only specific systems or IP addresses to access these blocked websites and disallow them for other systems or IP addresses?



  • How did you block access in the first place?  Squidguard (SG)? Are you on transparent proxy mode?

    You can do:

    1. In SG, you can create a specific group under "Groups ACL" and allow access to one or more IP addresses you specify.  You can define custom URL categories/lists which the IPs have access to.

    2. Bypass the proxy completely by inputting the target IP address on the "Bypass proxy for these source IPs" list under Proxy Server.  Doing this bypasses squid altogether, so I do not recommend it as a primary option.

    Also, double check that your URL blocklists are not easily bypassed by using https… use firewall rules to control https traffic from your LAN hosts.



    I have blocked it via DNS forwarders. I have also tried the steps you have said, but it is not working. If I don't block it via DNS forwarders, it doesn't block the access for those websites at all.



  • @ugendar:

    i have blocked it via DNS forwarders.

    How? Did you create DNS forwarder entries for ALL the IP addresses facebook.com currently maps to? (At my location, facebook.com maps to at least 69.171.237.16, 69.171.234.21, 66.220.152.16, 66.220.149.88, 69.171.247.21)

    Did you reboot the client or wait for old entries in the client DNS cache to time out?

    @ugendar:

    i have also tried the steps you have said , but not working.

    Have you reset firewall states after changing the rule(s)? See Diagnostics -> States, click on Reset States

    As noted above, facebook.com is a challenge because it typically maps to a number of distinct IP addresses.



  • You can set a domain override for facebook.com pointing to a nonsense IP.
    (I usually set it to an unused IP in the local subnet when I "block" a domain like this).

    However with such a setup it's not possible to change the behaviour for one/multiple specific IPs.

    You might want to look into a "proper" solution to block domains
    (e.g. SquidGuard).
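A small first-match policy model of the two layers discussed in this thread (a DNS forwarder domain override versus firewall rules with a pass rule for an exempt host), added here as an example; it is not code from the thread or from pfSense, and the addresses and resolver answers are constructed samples.

```python
# Added example, not code from the thread or from pfSense. It models why a
# DNS-forwarder domain override cannot make a per-host exception (it is
# applied by name to every client resolving through pfSense) while a
# firewall rule on the resolved addresses, with an earlier pass rule for
# the exempt host, can. All addresses are constructed samples (RFC 5737
# documentation ranges and a private LAN).

# Layer 1: DNS forwarder domain overrides (answer is an unused LAN address)
DNS_OVERRIDES = {"facebook.com": "192.168.1.250", "youtube.com": "192.168.1.250"}

# Constructed "real" answers a client gets from a resolver without the override
REAL_ANSWERS = {"facebook.com": "203.0.113.16", "youtube.com": "198.51.100.8",
                "example.net": "192.0.2.7"}

# Layer 2: firewall alias of the addresses the blocked names currently map to
# (a name like facebook.com maps to several, so this alias must be kept current)
BLOCKED_DST = {"203.0.113.16", "203.0.113.21", "198.51.100.8"}
# LAN hosts exempted by a pass rule placed above the block rule
ALLOWED_SRC = {"192.168.1.10"}


def dns_answer(name, uses_pfsense_dns=True):
    """Address a client resolves `name` to. A host configured with another
    resolver never sees the override at all."""
    if uses_pfsense_dns and name in DNS_OVERRIDES:
        return DNS_OVERRIDES[name]
    return REAL_ANSWERS.get(name)


def firewall_verdict(src_ip, dst_ip):
    """Rules evaluated top-down, first match wins (pfSense semantics):
    1) pass from exempt sources, 2) block to blocked destinations, 3) pass."""
    if src_ip in ALLOWED_SRC:
        return "pass"
    if dst_ip in BLOCKED_DST:
        return "block"
    return "pass"


def can_reach(src_ip, name, uses_pfsense_dns=True):
    """True only if the client resolves the real address and the firewall
    lets the connection through; the override's dead address never reaches."""
    if name not in REAL_ANSWERS:
        return False
    dst = dns_answer(name, uses_pfsense_dns)
    return dst == REAL_ANSWERS[name] and firewall_verdict(src_ip, dst) == "pass"
```

With the override in place, even the exempt host 192.168.1.10 cannot reach facebook.com; only the firewall layer distinguishes that host from the rest of the LAN.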

