New to PFsense - Transparency mode



  • Hi.

    I'm new to pfsense. What is transparency mode? When to enable it? Is there a difference on physical configuration when you enable and disable.

    Your will be greatly appreciated

    Thank you.


  • Netgate Administrator



  • Sir,

    Thanks

    What is the difference of these 2? My main purpose of using pfsense is the webfiltering or limit the user of the internet or deny access some website

    precious


  • Netgate Administrator

    For web filtering you want to use Squid and Squidguard in transparent mode as described in the second link.
    Setting up a 'transparent firewall', with WAN and LAN bridged, can be tricky to setup and is only for specific scenarios.

    Steve



  • hi

    I will do as per instructed on the link.

    I want to know when to disable and enable the transparency mode?

    Thank you


  • Netgate Administrator

    If you use transparent mode Squid will intercept any http traffic on port 80 and proxy it. Clients behind pfSense will not be immediately aware it's happening and no client side setup is required.
    In non-transparent mode the Squid proxy listens on a different port and clients must be configured to use the proxy. You can block normal outgoing requests on port 80 such that clients are forced to use the proxy if necessary.

    Steve



  • Thanks for the assistance

    May next question is if I use transparency mode. Will it block the https://www.facebook.com? I tried other software like untangle it cannot block the https://www.facebook.com.


  • Netgate Administrator

    Generally speaking it's much more difficult to block https traffic, it should be it's encrypted. You can force users to use your proxy and then do 'man in the middle' ssl filtering. There is a package up of Squid 3.3.4 that can do this, I'm not sure how complete it is yet: http://forum.pfsense.org/index.php/topic,62256.0.html

    Alternatively you can try blocking facebook completely with firewall rules. There are a number of posts on the forum describing this.

    Steve



  • Steve,

    Thank you again on responding my query.

    Please see attached file for the network diagram. This a diagram what I will do when setting up a pfsense. Is this correct?

    ![network diagram.jpg](/public/imported_attachments/1/network diagram.jpg)
    ![network diagram.jpg_thumb](/public/imported_attachments/1/network diagram.jpg_thumb)


  • Netgate Administrator

    Yes, that looks correct.

    Steve



  • Sir,

    With this network diagram the pfsense pc should have 2 network card. One is for the internet and one for the local are network.

    Please verify if this is correct.

    Can you suggest where can I read or find a tutorial that is suit for the newbie like me about pfsense? I'm trying searching in the google but i cannot find any good tutorial. I even try searching in you tube.

    precious


  • Netgate Administrator

    Yes, two network interfaces, that's correct.
    This site has a lot of good information including a walk through of the initial setup: http://pfsensesetup.com/pfsense-setup-part-one/
    It's not connected to the official pfSense site at all as far as I know.

    Steve



  • Steve,

    How long have you been using pfsense? How is the performance? The reliability?

    Precious


  • Netgate Administrator

    I started out using Smoothwall then moved to IPCop. Then I went back to SOHO router that was a lot cheaper to run (the IPCop box I was using was ancient!) but soon realised I wanted more control and started looking at the options out there. I had experimented with m0n0wall before and liked it so gave pfSense a go and have never looked back. I guess I've been using pfSense exclusively for about 3-4 years.
    The performance has never been a problem for me. As long as you have sized the hardware correctly it won't be a problem.
    The reliability has been excellent, the most reliable routing solution I've used, my experience is limited though. This does depend a lot on the hardware it's running on however. I'm using re-purposed Watchguard boxes which are designed to run 24/7 in a hot rack.

    Steve



  • Sir,

    Are you using pfsense right now? Do you access the website that has a button or link of facebook when you set in pfsense to block the facebook? Check www.eyp.ph and www.fabtech.com.ph if you can access this websites when you set in pfsense to block the facebook. We want to access this even the page has a button or link to facebook or socila media network site.

    precious


  • Netgate Administrator

    I have no need to block Facebook so I don't, even though I don't use it. So I can't easily test that, sorry.

    Steve



  • Sir,

    How about blocking the torrent download like utorrent and equivalent? Is pfsense capable of doing this?

    Precious So


  • Netgate Administrator

    You can do that using Layer7 filtering. http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7. Or you can block whatever ports the torrent client is using however most clients will attempt to work around that. It's very difficult to block torrent traffic completely as the client software is designed deliberately to get around it. You can block most torrent traffic using these methods though.
    If you are wanting to create a very restricted environment for users you should start from the other end. Block everything and then only allow what you want.

    Steve



  • Sir,

    How about skype? How to block it?



  • Sir,

    I have a attached a network diagram. Is this possible?

    Thank you

    ![network diagram02.jpg](/public/imported_attachments/1/network diagram02.jpg)
    ![network diagram02.jpg_thumb](/public/imported_attachments/1/network diagram02.jpg_thumb)


  • Netgate Administrator

    There are many threads about blocking Skype. E.g. with Snort: http://forum.pfsense.org/index.php/topic,53584.0.html

    You can build your network as in the diagram but why do you have two pfSense boxes?

    Steve



  • Sir,

    In order one can use as transparency mode and the other for non transparency mode.

    Is this possible? Is there be a problem for this setup?


  • Netgate Administrator

    The non-trasparent pfSense box must have a different subnet on each side. E.g. 192.168.0.* on the WAN side and 192.168.100.* on the LAN side. However I still don't see why you need two boxes.  :-\

    Steve



  • Sir,

    The diagram what I present to you is not a good practice?

    I want to use the pfsense for the purpose to serve as a internet or the pfsense is the giving an internet connection to the user and in the same time I can block the website the are using like the social media(facebook, tweeter and etc)., instant messenger, torrent and etc. for the users and I want also to control whose user will I block or gave a full access for the website or url.

    Below are my concern:
    -> documentation or manual for setting up pfsense
    -> if I already finished set-up the box how can I block the https://www.facebook.com and https://www.twitter.com?
    -> setting up port forwarding. is it the same in configuring in link-sys router?
    -> Is the i7 processor with 8gb ram will enough for the around 60 users?

    Sorry for these questions. I'm just new to pfsense and I just want to know everything before I deploy to our office network.

    Thank you in advance for your response.

    Precious


  • Netgate Administrator

    There is no need to have two pfSense boxes. Run a single box in non-transparent mode (the default) and run the web proxy, Squid, on it. Squid will run as a transparent proxy.

    Port forwarding is the similar to any soho router like the Linksys.

    If your modem can run in bridge mode such that the pfSense WAN address is you real public IP that makes things a lot easier.

    An i7 with 8GB or RAM is almost certainly more power than your need. What is your WAN connection speed?

    Steve



  • Sir,

    Please correct me if i'm wrong in my understanding. I run a single box pfsense and install the squid package and run it on transparency mode? I'm I correct in my understanding?

    I can make my modem run in bridge mode and I will configure the pfsense box wan the public ipaddress of wan or internet

    My wan speed is upto 5mbps the minimum is 1mbps.

    Precious


  • Netgate Administrator

    Yes you're correct.
    Almost any new hardware will be fine for a 5Mbps connection regardless of how many people you have behind it (within reason!). An i7 with 8GB is far far far more powerful than you need. Something like an Atom D2500 and 2-4GB will easily suffice.  :)

    Steve



  • Sir,

    Thanks for the response.

    How about NIC? Is there a recommended specification of NIC to run the pfsense smoothly?

    Precious


  • Netgate Administrator

    Always choose Intel NICs where possible. Broadcom NICs are considered 2nd best. Do not get very new hardware as it may not be supported, the Intel i210 is not for example.

    Steve



  • Sir,

    Is configuring pfsense is it like configuring a soho router like linksys and d-link? but it only has more functionality?


  • Netgate Administrator

    In many ways it is very similar. However as you say because it has far more capability than most SOHO routers it must be more complex. Getting up and running is relatively easy and as long as you don't try to do everything at once adding extra features is not difficult. Just read up on it first.

    Steve



  • Sir,

    Thanks for the response.

    I'm sorry also if I have so many question regarding the pfsense. I just want to make I will know very before I configure it and use it.

    Do you know a website that can help to get started in pfsense? Or any documentation or video to follow? Basically I want to pfsense serve as a server for the internet that can block a websites.

    Precious


  • Netgate Administrator

    No problem.  :)
    To do that you should install pfSense as your network router.
    Install the Squid web proxy package and get that working.
    Install either the Squidguard or Dansguardian package to filter web content.

    By far the best source of pfSense information is the official book. A new book is due out shortly that will cover 2.0.x and 2.1 in more detail.
    There is a lot of pages in the docs wiki that cover installation and Squid etc.
    There's a lot of good step-by-step guiges at this site: http://pfsensesetup.com/ I don't believe that is related in any way to the dev team or any official source. Seems mostly correct though.  :)

    Steve



  • Sir,

    I'm confuse with the squid web proxy and squidguard? Is it 2 different package to install?



  • Sir,

    Just to add to my previous post.

    What is the difference of the squid web proxy and squidguard? What is the purpose of each?

    What is the title of the book and the author?


  • Netgate Administrator

    Squid is a web proxy server: http://www.squid-cache.org
    Squidguard is an addon for Squid to allow URL filtering: http://www.squidguard.org
    Dansguardian is an alternative to Squidguard that has more flexibility and options: http://dansguardian.org

    The book is called 'pfSense: The Definitive Guide' it's written by the project developers and is available from Amazon: http://www.amazon.com/gp/product/0979034280?ie=UTF8&tag=pfsense-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0979034280

    Steve



  • Sir,

    Should I install the squid and squidguard? Which better to use between the squidguard and dansguardian?



  • Sir,

    Please see below if my understanding is correct about the squid, squidguard and dansguardian

    Squid

    • its a proxy server that help to cache a website for a certain network
    • help or improves internet browsing speed for the clients using the caching capability of squid

    Squidguard

    • its a add-on of squid
    • use for blocking a website base on url only
    • you can configure here for the exception on blocking a website or user who will you allow for the certain website

    Dansguardian

    • its a different or separate package from squid
    • it can block a website using content filtering meaning it will check the whole website if will access it or block it.

    These are my question
    -> Is the statement above correct? Do I miss something? Kindly correct me or add if there is wrong about it and missing.
    -> Is it a good practice(as a pfsense user) or is it a common practice to install the squid, squidguard and dansguardian?
    -> What is squid3? Is it the same with squid?

    Thank you in advance


  • Netgate Administrator

    Dansguardian still requires a proxy to operate so it is also in addition to Squid. The advantage of Dansguardian (as far as I know!) is that you have things like keywords and phrase matching. This means that even a new website that is not on blacklists can be blocked.

    There are two Squid packages 2.x and 3.x. Squid3 offers more features but is considered less stable, well tested, than older Squid 2 series.

    I am not an expert in these things. I have run Dansguardian in the past but not with pfSense. There are a number of threads here on the forum and many, many other web pages discussing Dansguardian vs Squidguard. For example: http://www.theninjageek.co.za/blog/2013/07/02/pfsense-squid3-and-dansguardian-a-better-alternative-to-squidguard/

    Steve



  • If you use dansguardian, stick with squid and not squid3 unless it has a feature you absolutely need.

    The combo of dansguardian + squid3 was sort of painful for me.