Sanity check - can I do this with pfSense ?



  • Hello all  :)

    I've re-purposed a Firebox Core x1250e and fitted a 60Gb hdd, following the excellent instructions on the wiki - firstly a big thanks to all those who have given time figuring this all out !

    I now have pfSense 2.1 Live CD build installed and booting nicely. The box has 2Gb of ram that i had hanging around, along with a 2Ghz P4-M cpu.

    I'm looking to focus the minds of my two older sons on finding a job rather than playing online games. Basically i'd like to:

    1. Force LAN users to log in in order to gain access to the internet.
    2. Depending on the time of day, i either want to give normal unrestricted access or disallow access to a blacklist of sites - steam / EA for example. A redirect to a "shouldn't you be looking for a job ?" page would be an evil bonus….

    I believe that a combination of Squid / Squidguard / LightSquid (for reporting) and user accounts on the pfSense box would allow me to acheive this ?

    One thing I have to watch is that I don't want to mess up networking related to the VOIP phones we have (Siemens, currently using a fixed IP address and a port forward to exposed host on my current soho router) or access to the streaming TV service otherwise the missus will have my nuts on a plate  ;)

    Any comments or hints most welcome. Thanks in advance.

    Kind Regards,
    Robin



  • I would separate your traffic into different VLANs and put your sons computers in the VLAN that you want to limit.
    I would use captive portal to do the redirecting part and blocking access to the internet. The proxy idea sounds good to block particular websites. I'm not sure how you would setup the schedule as I have not looked into that but under firewall there is a setting for schedule so I guess you would just make one and then apply it to your rules for what ever subnet they are on.



  • Thanks for that - I'd not considered using a VLAN up to now. My LAN switch supports VLANS so certainly something to look at.

    Next step is to arrange a family change control for some system downtime to get the pfSense box in place.

    Kind Regards,
    Robin


  • Netgate Administrator

    Yep use the captive portal if you want logins.
    There was an issue a while ago with using captive portal and scheduled firewall rules in combination. Both features use (used?) ipfw rather than pf. It was possible to end up bypassing the captive portal. The way to avoid it was to use scheduled 'allow' rules rather than 'block' rules. That was a number of versions ago so it may not be relevant any longer, something to watch out for though.
    I assume you meant Pentium-M rather than P4-M.  ;)

    Steve



  • Hi Steve,

    Thanks for the tip (and for your sterling efforts with the Fireboxes too)

    You're spot on re the cpu… D'Oh  :-[

    Cheers
    Robin


  • Netgate Administrator

    Some research later. It looks like I'm well behind the times on this, schedules are now handled by pf not ipfw so you should have no problem. This has been the case since 2.0:
    @https://doc.pfsense.org/index.php/2.0_New_Features_and_Changes#Firewall:

    Schedule rules are handled in pf, so they can use all the rule options.

    Steve