PfSense Newbie - 2.1 Snapshot Questions



  • Hello, all!

    I am the newly-hired computer teacher/network admin for a mission school (outside the US), and will be here for another 9 months. I am working on getting the network working smoothly (the last computer teacher didn't really know a whole lot about computers/networking, unfortunately… So the network sorta stagnated and stuff didn't get improved/fixed well). Unfortunately, the server running Untangle stopped working last weekend, and in an effort to get the internet back up and running, I went ahead and reinstalled it with pfSense (since I was not given the login info for the Untangle server... Nor did the last computer teacher/network admin know it).

    Anyway, long story short, I have been trying to get website blocking (using Squid and Squidguard) up and running for the school here. The wireless for the dorm has been down (mixed blessing), so I haven't had to worry about blocking as much, since I am always in the computer lab whenever students are present.

    So far HTTP blocking has been working wonderfully... However, HTTPS blocking hasn't been. I've been reading about and working on this all week, and have yet to be able to block secure websites (due to the version of Squid I'm running).

    pfSense version: 2.0.3
    Squid Version: 2.7.9
    SquidGuard Version: 1.4_4

    So, for most of the week I tried uninstalling and re-installing Squid (2.7.9, as well as the Squid3 and Squid3_dev), which took quite some time due to the super slow internet (a bit better than dial-up), only to find that pfSense 2.0.3 doesn't support Squid3.

    Anyway, I am looking to either upgrade pfSense to 2.1 to support Squid3 and Squid3_dev for HTTPS blocking support, or find some other workaround (within pfSense, as I only have one computer at my disposal (for the time-being) to use as a server) to get HTTPS blocking up.

    So, on to my question: How do snapshots work? Is there any sort of incremental type of snapshot where it is like "Everything implemented at this point is, for the most part, stable" rather than going with the daily snapshots? If not, how stable are the daily snapshots?

    Also, if there is some other workaround (it seemed like there was, but I was never able to figure out what it was... Sounded like I had to set something on each computer so it wouldn't complain about a certificate error with the pfSense server acting as a man-in-the-middle),  could someone point me to some step-by-step instructions on how to set this up? So far I am fairly unfamiliar with pfSense/Squid, and have been unable to find a way of setting this up so far.

    And on a side note, is there any way to make the Squid block page go to an HTTP page rather than an HTTPS page? I don't see the need for a secure connection for a simple block page, and it always throws up a "certificate error" page on the computers whenever they reach it.

    Thanks!
    ElectroPulse



  • The 2.1-RC1 snapshots are built every 8 to 12 hours if there are any changes, so they are a moving target. But you can get some older snapshots at http://snapshots.pfsense.org/ also. The "trick" is to look on GitHub and see what changes have happened recently in the pfsense and pfsense-tools repos. I have a test system that I can upgrade first, to catch snapshots that have accidental bad changes. The snapshots are generally stable, but there have been a couple of hiccups along the way, so you do need to test or make an informed decision.
    I gave up bothering with Squid/SquidGuard… recently. I paid $US20 for the DynDNS "Internet Guide" DNS-based filtering and another $US20 for Dynamic DNS. Use DynDNS as your DNS server and specify the categories of stuff you want to block, and particular sites you want to whitelist and blacklist. Try to resolve a "naughty" name, and it redirects to a block page. OpenDNS has a similar service with more features but much more expensive. I'm sure there are others. By allowing DNS from clients only to the pfSense DNS forwarder, and blocking DNS to anywhere else, clients can't just specify their own favourite DNS server. It has been effective in blocking general "naughty/bad stuff" and saves a lot more than $US40 of time and hassle in setting up other solutions. For that price it doesn't provide reporting or time-based rules - so if you have other rules like blocking Facebook at certain times, or certain client IPs or... then you still need to implement those yourself.



  • @phil.davis:

    The 2.1-RC1 snapshots are built every 8 to 12 hours if there are any changes, so they are a moving target. But you can get some older snapshots at http://snapshots.pfsense.org/ also. The "trick" is to look on GitHub and see what changes have happened recently in the pfsense and pfsense-tools repos. I have a test system that I can upgrade first, to catch snapshots that have accidental bad changes. The snapshots are generally stable, but there have been a couple of hiccups along the way, so you do need to test or make an informed decision.
    I gave up bothering with Squid/SquidGuard… recently. I paid $US20 for the DynDNS "Internet Guide" DNS-based filtering and another $US20 for Dynamic DNS. Use DynDNS as your DNS server and specify the categories of stuff you want to block, and particular sites you want to whitelist and blacklist. Try to resolve a "naughty" name, and it redirects to a block page. OpenDNS has a similar service with more features but much more expensive. I'm sure there are others. By allowing DNS from clients only to the pfSense DNS forwarder, and blocking DNS to anywhere else, clients can't just specify their own favourite DNS server. It has been effective in blocking general "naughty/bad stuff" and saves a lot more than $US40 of time and hassle in setting up other solutions. For that price it doesn't provide reporting or time-based rules - so if you have other rules like blocking Facebook at certain times, or certain client IPs or... then you still need to implement those yourself.

    Thanks for the reply!

    Yeah, I am at an academy, so time restrictions are required, as well as different restrictions for different groups of users (staff and students), so I need to look into an option I can implement locally (not to mention that redirecting DNS out through a DNS server that is farther away might increase page load times… Anything off-island usually has around 1 second ping times).

    But yeah, thanks for the information about the snapshots. I'll do some looking into it to determine which snapshot I'll use.



  • @phil.davis:

    The 2.1-RC1 snapshots are built every 8 to 12 hours if there are any changes, so they are a moving target. But you can get some older snapshots at http://snapshots.pfsense.org/ also. The "trick" is to look on GitHub and see what changes have happened recently in the pfsense and pfsense-tools repos. I have a test system that I can upgrade first, to catch snapshots that have accidental bad changes. The snapshots are generally stable, but there have been a couple of hiccups along the way, so you do need to test or make an informed decision.
    I gave up bothering with Squid/SquidGuard… recently. I paid $US20 for the DynDNS "Internet Guide" DNS-based filtering and another $US20 for Dynamic DNS. Use DynDNS as your DNS server and specify the categories of stuff you want to block, and particular sites you want to whitelist and blacklist. Try to resolve a "naughty" name, and it redirects to a block page. OpenDNS has a similar service with more features but much more expensive. I'm sure there are others. By allowing DNS from clients only to the pfSense DNS forwarder, and blocking DNS to anywhere else, clients can't just specify their own favourite DNS server. It has been effective in blocking general "naughty/bad stuff" and saves a lot more than $US40 of time and hassle in setting up other solutions. For that price it doesn't provide reporting or time-based rules - so if you have other rules like blocking Facebook at certain times, or certain client IPs or... then you still need to implement those yourself.

    I've been using the web filtering option from OpenDNS for years and it's free.



  • I've been using the web filtering option from OpenDNS for years and it's free.

    Max, thanks for pointing this out. OpenDNS is free for a single site (DNS requests all coming from a single public IP). I had forgotten about that. I got stuck when I wanted to expand to about 10 sites, then the quote they gave me was over-the-top expensive.



  • Sounds like what you really needed was 10 email addresses and 10 OpenDNS accounts…



  • @ElectroPulse:

    So far HTTP blocking has been working wonderfully… However, HTTPS blocking hasn't been. I've been reading about and working on this all week, and have yet to be able to block secure websites (due to the version of Squid I'm running).

    pfSense version: 2.0.3
    Squid Version: 2.7.9
    SquidGuard Version: 1.4_4

    By design, Squid cannot intercept HTTPS traffic. So if you want to block traffic to these sites, you have to add firewall rules blocking traffic on port 443 to the websites you want to block.
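    Two pieces of advice in this thread translate into firewall rules: phil.davis's point that clients should only be able to reach the pfSense DNS forwarder, and the last reply's suggestion of blocking port 443 to the sites in question. The fragment below shows both in raw pf syntax as an added example; it is not from the thread or from the pfSense project. On pfSense these would be entered through the web GUI (an alias under Firewall > Aliases and rules under Firewall > Rules on the LAN tab) rather than written into pf.conf, and the interface name `em1`, the LAN subnet `192.168.1.0/24`, the firewall address `192.168.1.1` and the 203.0.113.x addresses in the table are assumed placeholders.

```pf
# Added example (not from the thread): pf rules for the two bits of advice above.
# Interface, subnet, firewall address and table contents are assumed placeholders.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
fw_lan  = "192.168.1.1"

# Addresses of the HTTPS sites to block. pf matches on IP addresses, not
# hostnames, so each site has to be resolved and the table refreshed when its
# addresses change; any other site sharing those addresses is blocked as well.
table <blocked_https> persist { 203.0.113.10, 203.0.113.11 }

# 1. HTTPS to the listed sites is rejected before any pass rule can match.
#    "return" sends a TCP RST so browsers fail immediately instead of hanging.
block return in quick on $lan_if proto tcp from $lan_net to <blocked_https> port 443

# 2. DNS lockdown: clients may only query the firewall's own forwarder.
#    Cover TCP as well as UDP, since resolvers fall back to TCP for large answers.
pass  in quick on $lan_if proto { tcp udp } from $lan_net to $fw_lan port 53
block return in quick on $lan_if proto { tcp udp } from $lan_net to any    port 53

# 3. Everything else from the LAN continues to pass as before.
pass in on $lan_if from $lan_net to any
```

    Rule order matters: the block rules carry `quick` and sit above the general pass rule, which is also how pfSense evaluates its LAN rule list (first match wins, top to bottom). To confirm the lockdown from a client, `dig @8.8.8.8 example.com` should fail immediately while `dig @192.168.1.1 example.com` answers normally; on the firewall, `pfctl -t blocked_https -T show` lists what the table currently contains. Keep in mind that DNS-based filtering only works for clients that actually use the filtered resolver: a machine with a hosts-file entry or a hard-coded IP address for a site bypasses it, which is why the port 443 block by address is still useful alongside it.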

