New to PFsense - Transparency mode
-
Thanks for the assistance
My next question is: if I use transparency mode, will it block https://www.facebook.com? I tried other software like Untangle; it cannot block https://www.facebook.com.
-
Generally speaking it's much more difficult to block https traffic; it should be, it's encrypted. You can force users to use your proxy and then do 'man in the middle' ssl filtering. There is a package up of Squid 3.3.4 that can do this, I'm not sure how complete it is yet: http://forum.pfsense.org/index.php/topic,62256.0.html
Alternatively you can try blocking facebook completely with firewall rules. There are a number of posts on the forum describing this.
Steve
-
Steve,
Thank you again for responding to my query.
Please see the attached file for the network diagram. This is a diagram of what I will do when setting up pfsense. Is this correct?
![network diagram.jpg](/public/imported_attachments/1/network diagram.jpg)
-
Yes, that looks correct.
Steve
-
Sir,
With this network diagram the pfsense PC should have 2 network cards. One is for the internet and one for the local area network.
Please verify if this is correct.
Can you suggest where I can read or find a tutorial that is suited for a newbie like me about pfsense? I tried searching in Google but I cannot find any good tutorial. I even tried searching in YouTube.
precious
-
Yes, two network interfaces, that's correct.
This site has a lot of good information including a walk through of the initial setup: http://pfsensesetup.com/pfsense-setup-part-one/
It's not connected to the official pfSense site at all as far as I know.
Steve
-
Steve,
How long have you been using pfsense? How is the performance? The reliability?
Precious
-
I started out using Smoothwall then moved to IPCop. Then I went back to a SOHO router that was a lot cheaper to run (the IPCop box I was using was ancient!) but soon realised I wanted more control and started looking at the options out there. I had experimented with m0n0wall before and liked it so gave pfSense a go and have never looked back. I guess I've been using pfSense exclusively for about 3-4 years.
The performance has never been a problem for me. As long as you have sized the hardware correctly it won't be a problem.
The reliability has been excellent, the most reliable routing solution I've used, my experience is limited though. This does depend a lot on the hardware it's running on however. I'm using re-purposed Watchguard boxes which are designed to run 24/7 in a hot rack.
Steve
-
Sir,
Are you using pfsense right now? Can you access a website that has a button or link to facebook when you set pfsense to block facebook? Check www.eyp.ph and www.fabtech.com.ph if you can access these websites when you set pfsense to block facebook. We want to access these even if the page has a button or link to facebook or a social media network site.
precious
-
I have no need to block Facebook so I don't, even though I don't use it. So I can't easily test that, sorry.
Steve
-
Sir,
How about blocking the torrent download like utorrent and equivalent? Is pfsense capable of doing this?
Precious So
-
You can do that using Layer7 filtering: http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7
Or you can block whatever ports the torrent client is using, however most clients will attempt to work around that. It's very difficult to block torrent traffic completely as the client software is designed deliberately to get around it. You can block most torrent traffic using these methods though.
If you are wanting to create a very restricted environment for users you should start from the other end. Block everything and then only allow what you want.
Steve
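The two approaches in the post above (block known torrent ports, or block everything and allow only what is needed), modelled as an added example that is not part of the original thread and is not pfSense's own code. The `Rule`, `evaluate` and `compare` names, the port list and the sample flows are all constructed for illustration.

```python
# Added illustration (not pfSense code): a simplified first-match packet filter.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)

def evaluate(rules, default, proto, dport):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action
    return default

# Approach 1: block known torrent ports, pass everything else.
# 6881-6889 is the commonly cited default BitTorrent range (assumption).
BLOCKLIST = [Rule("block", p, d) for p in ("tcp", "udp") for d in range(6881, 6890)]

# Approach 2: pass only what users need, block everything else.
ALLOWLIST = [Rule("pass", "udp", 53), Rule("pass", "tcp", 80), Rule("pass", "tcp", 443)]

# Constructed sample flows: (label, protocol, destination port).
FLOWS = [
    ("web browsing (HTTPS)", "tcp", 443),
    ("DNS lookup", "udp", 53),
    ("torrent, default port", "tcp", 6881),
    ("torrent, random high port", "tcp", 49160),
    ("torrent peer on an allowed port", "tcp", 443),
]

def compare(flows=FLOWS):
    """Map each flow label to (blocklist verdict, allowlist verdict)."""
    return {
        label: (evaluate(BLOCKLIST, "pass", proto, dport),
                evaluate(ALLOWLIST, "block", proto, dport))
        for label, proto, dport in flows
    }

if __name__ == "__main__":
    for label, (bl, al) in compare().items():
        print(f"{label:34} blocklist={bl:5} default-deny={al}")
```

The last sample flow passes under both policies because a port-based rule cannot tell applications apart on an allowed port, which is the gap Layer 7 filtering is meant to cover.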
-
Sir,
How about skype? How to block it?
-
Sir,
I have attached a network diagram. Is this possible?
Thank you
![network diagram02.jpg](/public/imported_attachments/1/network diagram02.jpg)
-
There are many threads about blocking Skype. E.g. with Snort: http://forum.pfsense.org/index.php/topic,53584.0.html
You can build your network as in the diagram but why do you have two pfSense boxes?
Steve
-
Sir,
So that one can be used in transparency mode and the other in non-transparency mode.
Is this possible? Will there be a problem with this setup?
-
The non-transparent pfSense box must have a different subnet on each side. E.g. 192.168.0.* on the WAN side and 192.168.100.* on the LAN side. However I still don't see why you need two boxes. :-\
Steve
-
Sir,
Is the diagram I presented to you not a good practice?
I want to use pfsense to give an internet connection to the users and at the same time block the websites they are using, like social media (Facebook, Twitter, etc.), instant messengers, torrents, etc., and I also want to control which users I block or give full access to a website or URL.
Below are my concerns:
-> Documentation or a manual for setting up pfsense
-> Once I have finished setting up the box, how can I block https://www.facebook.com and https://www.twitter.com?
-> Setting up port forwarding. Is it the same as configuring a Linksys router?
-> Will an i7 processor with 8GB RAM be enough for around 60 users?
Sorry for these questions. I'm just new to pfsense and I just want to know everything before I deploy it to our office network.
Thank you in advance for your response.
Precious
-
There is no need to have two pfSense boxes. Run a single box in non-transparent mode (the default) and run the web proxy, Squid, on it. Squid will run as a transparent proxy.
Port forwarding is similar to any soho router like the Linksys.
If your modem can run in bridge mode such that the pfSense WAN address is your real public IP that makes things a lot easier.
An i7 with 8GB of RAM is almost certainly more power than you need. What is your WAN connection speed?
Steve
-
Sir,
Please correct me if I'm wrong in my understanding. I run a single pfsense box, install the squid package and run it in transparency mode? Am I correct in my understanding?
I can make my modem run in bridge mode and I will configure the pfsense box WAN with the public IP address of the WAN or internet.
My WAN speed is up to 5mbps; the minimum is 1mbps.
Precious