How to install/configure contentfilter?

  • Hi all,

    I'm new to pfsense but have some *nix knowledge (yes, I know that pfs is based on BSD which is different from linux). Currently I use a winbox with commercial software as a contentfilter but that is not supported anymore so also no upgrades.
    That's why I searched for an alternative and bumped into pfsense.

    This is what I would like to do:

    • manage PPPoE session (got this working)
    • vpn (not looked at yet)
    • contentfilter with different levels, based on groups/ip's/? where for some, all http traffic is blocked but some exceptions.

    I tried dansguardian, squid & squidguard but didn't find a way to get what I need.
    Can someone put me in the right direction please because I have searched quite a lot without any result.


    EDIT: correction

  • After getting squid authenticating users, dansguardian and squid guard can do it.

    What features you're missing on these packages?

  • Hi marcelloc,

    I didn't find a way to block everything but exceptions for a certain group/user/ip and another level for others (users are authenticated in active directory on another box)
    So I need all 3 packages?
    Because of no experience with these, it's not clear to me which will do the job.

    Back then when I installed the win box it also took me quite some time to get familiar with it since it's so specific but because it was a commercial product, it had a good manual.

  • Dansguardian can do it easily if squid is logging users.

    On site acls, look for **. It blocks all sites. After setting acls, create a group and assign acls you need on it.

    To use LDAP integration, fill LDAP info and use the same group name you have on AD.

  • I have to go now, will try your suggestion probably this evening and post result.
    Thanks A LOT for helping!

  • Hi marcelloc, I had to reinstall pfsense because there was an error on the nic interfaces.
    Up and running again, and installed the 3 packages.
    For some strange reason, the general settings in squid keep changing; interfaces is not checked anymore, the proxy port field is empty, language to Armenian.

    I have enabled & started squidguard, left other general settings untouched.
    In common acl, there is 1 rule (default access [all]) and whether I change that to access deny or allow, nothing changes: I can do a search but most sites are accessible and the first result not - even being a normal site. Same with adults sites, first not accessible and others open fine.
    When blocked, it displays the default denied error.
    Have not installed any blacklists.

    Searching the web didn't make me any wiser yet and the only tutorial on the main page is a dead link.

    Shouldn't the way it's configured now, with just that common ACL rule, either grant full access or block everything?

    EDIT: typo

  • Apparently, dansguardian was not installed (correctly).
    I didn't know that there had to be a separate entry in the services for it.
    Now I installed on a dedicated system whereas before as a virtual machine.
    Could this be the reason for the issues I had?

  • Are you using squidguard and dansguardian?

    Choose only one to test.

    dansguardian needs squid in front of it

    users -> dansguardian -> squid -> internet

  • @Peter-Z:

    So I need all 3 packages?
    Because of no experience with these, it's not clear to me which will do the job.

    Yes, all 3 are installed and since I didn't get any reaction to that I guessed it was correct  ;D
    Apparently squidguard filters based on URLs whereas dansguardian (?also?) filters based on page content.

    Like I said, I'm new to these packages so learning.

    EDIT: I mostly need filtering based on URLs with different levels of users/groups, can I do this with both DG or SG?

  • @Peter-Z:

    EDIT: I mostly need filtering based on URLs with different levels of users/groups, can I do this with both DG or SG?

    Yes, but not at the same time.

    both will use the same blacklist to assign rules.

    If you need just url filtering, try squidguard first as it's a helper for squid while dansguardian is a daemon that needs squid tcp communication to run.

  • Ok, I will go the squidguard way.

    About users: is it possible to link an ip address to a proxy user?
    I'm doing this now on the winbox so they become assumed users which is working well because we use fixed ip's and it's always the same user per pc.

    EDIT: added info

  • Anyone?
    I have searched a lot but didn't find an answer and this tutorial about squidguard is not available anymore.

  • @Peter-Z:

    About users: is it possible to link an ip address to a proxy user?

    Dansguardian has this feature.

  • This is where I am right now:

    • the system is running with squid & squidguard installed
    • 2 local users
    • not using transparent proxy
    • not using any blacklists yet

    I need 2 different levels of blocking:

    • 1 user all blocked except a few sites
    • the other user all access

    For the limited user:

    1. created an entry in 'Target categories' with the allowed sites in 'Domain List'
    2. created an entry in 'Groups ACL' with the target category from 1) and whitelisted that but denied default access [all]
    3. in 'Common ACL' the target rule for the limited user is set to allow

    This seems to be working well so far for the limited user.
    Is this the right way?

    For the other user which needs no blocking, I tried creating a target rule with * in the domain list but this doesn't seem to be a valid entry.
    How do I give this user all access?

    I will drop the option to link a user to an IP and stick to squidguard for now.

    All help is VERY appreciated.

    EDIT: I have searched A LOT but didn't find what I need. I wonder if there is a basic guide with what I'm looking for, and that I missed it. So if someone can point me to it that would be great. (like I wrote before, the tutorial for squidguard points to a dead link)
    I am willing to write a tutorial about this but of course I have to get to the point of a working setup.

  • 1- create a target acl including your permitted domains
    2- in common acl tab block all and block your target acl
    3- create a group acl allowing all and allowing your target acl, add unlimited usernames or ip's in 'source' section, and make sure this rule is on the top in 'order' section
    4- create a group acl allowing your target acl and blocking all, leave blank the 'source' section and in 'order' section set it at second row under the 'unlimited group' rule you created in the third step
    5- click apply button in general tab

    If the user is unlimited, the first rule will take over and he can access all sites; if he is not an unlimited user, the second rule will take over and block him according to your allow/block preferences.


  • Hi mendilli, thank you for replying with your clear guide!

    Did everything like you suggest and the result is that, regardless of the username, the limitation is linked to the ip-address.
    From the ip-address that is in the source section, I can access all sites with both usernames and from another system, everything is blocked.
    Double and triple checked, started over again but every time I get the same result.
    These are the server settings:

    • auth method: local with 2 users, all letters in the names
    • created 1 target category with the domains that are allowed for the limited user and from there on, followed your guide.

    I have checked the logging option but cannot make that much of the squidguard log.

    EDIT: I have whitelisted the target acl in common acl and now it seems to be working, does that make sense?

    Hi Peter, I think I have made a mistake in number 4. You should enter your LAN subnet as 'source', like

    and don't forget that '----' means your 'default access' setting (allow or deny) in the common acl section; if you set it to 'deny', any '----' in your acl's will mean 'deny'

    Here are my settings that work:

    - I have local user authentication
    - in common acl all categories are allowed
    - one group acl for limited (will be blocked) categories for lan subnet 'source' (ex:
    - one group acl allowing all categories for unlimited users (in source section like 'user1' 'user2'), at the top in 'order' section

    So if the user is defined in the unlimited group acl, the first rule takes over and he gets all access;
    if not, the second rule takes over and the filter rules are applied for the subnet regardless of username.

    NOTE: be sure that clients use the proxy (via manual browser configuration or wpad)
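The rule order mendilli describes, written out as a hand-edited squidGuard.conf so the first-match behaviour is visible; this is an added illustration, not text from the thread and not the file the pfSense squidGuard package generates from its GUI. The paths, the subnet 192.168.1.0/24, the user names user1/user2, the category name "allowed" and the redirect URL are assumptions.

```conf
# Added illustration of the ACL order discussed in the thread.
# squidGuard walks the entries inside "acl { }" from top to bottom and the
# first source that matches the request decides; later entries are ignored.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Unlimited group: matched on the authenticated proxy user name, so it
# applies from whatever LAN address the user sits at (assumed names).
src unlimited {
    user user1 user2
}

# Limited group: matched on the source address, so it catches every LAN
# client that did not match the entry above (assumed subnet).
src lan {
    ip 192.168.1.0/24
}

# Target category: the few permitted sites, one domain per line in the
# file <dbhome>/allowed/domains (assumed category name).
dest allowed {
    domainlist allowed/domains
}

acl {
    # first row in 'order': everything passes for the unlimited users
    unlimited {
        pass any
    }

    # second row: only the allowed category passes, "none" blocks the rest;
    # blocked requests are sent to the error page (assumed URL)
    lan {
        pass allowed none
        redirect http://192.168.1.1/blocked.html
    }

    # Common ACL "default access"; a '----' entry in a group ACL falls
    # back to this, so it must be "pass none" if default access is deny
    default {
        pass any
    }
}
```

Because "unlimited" is keyed on the user name and "lan" on the address, a user from the limited subnet still reaches the first rule when authenticated as user1 or user2, which is the behaviour Peter was after and the reason the single-IP source in the earlier attempt tied the limit to the address instead.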