Netgate Discussion Forum
    Pfsense, alias and subdomains needed

pfSense Packages
    6 Posts 2 Posters 6.6k Views
kranzfr3d

Hello folks,

this is my first post and I have trouble configuring this, so hopefully I have hit the right forum for my question:

My goal is a proxy server without caching functionality, something like a (surf-)gateway only.
This makes sense, because I want to block all outbound except some internet sites, two of them need https!
So squid is wrong for my configuration, right?

My configuration works, but no subdomains are working :(
For example:
working:
http://domain.org
http://www.domain.org/someurl
https://domain.org
https://www.domain.org/someurl

not working:
http://subdomain.domain.org
https://subdomain.domain.org

This is my configuration:
I installed a new "clean" pfSense, latest version.
Under Firewall -> Alias: I configured an alias (hosts) with something like "www.domain.org" (without ""), description named here "destinationALIAS".
Under Firewall -> Rules -> LAN:
I deactivated the standard ipv4 and ipv6 rules.
I created a new rule:
Action: Pass
interface: LAN
protocol: any
source: any
port: any
destination: single host or alias - name chosen "destinationALIAS"

But why can't I use subdomains? They are blocked....
I would prefer to use "*.domain.org" or "*domain.org" as the alias, but it is rejected.

If you need detailed information I can deliver it tomorrow, but please help me out... thanks!
Is there a simple way to get subdomains working?

gr33z

edit: configuration specified

podilarius

I use

    .*domain.org

in my ACLs. This takes care of any domain and subdomain.
How are you blocking or allowing secure http (https)?

kranzfr3d

Hello podilarius,

thanks for your reply!

In your ACL? Do you mean a configuration with squid? I don't want to use squid :(
I couldn't get secure http (https) to work with squid... so I don't want to block it.

I tried to use your pattern ".*domain.org" (without "") as an Alias (Firewall -> Alias) of type Host, but it isn't accepted either :(
Error:
The following input errors were detected:

.*domain.org is not a valid host alias.

gr33z

podilarius

Yes. I was talking about squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use snort, but I have not messed with that in a long time.

kranzfr3d
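The two replies above make the key distinction: a pfSense host alias is resolved to IP addresses and the firewall matches on the address, whereas a Squid ACL matches on the hostname the client asked for. The block below is an added example written for this page (not code from the thread, pfSense or Squid). It models the three rule forms discussed, the FQDN alias, a Squid `dstdomain` ACL, and the `.*domain.org` regex ACL, and runs the poster's working and failing hosts through each, plus two lookalike names. All hostnames and addresses are constructed; the DNS answers for the alias are assumed, and the Squid matching semantics are reproduced from Squid's documented behaviour (leading-dot `dstdomain` covers the domain and all subdomains; regex ACLs are unanchored and case-sensitive unless `-i`).

```javascript
// Added example, not code from the thread. Models three ways of saying
// "allow domain.org" and shows which hosts each one lets through.
// All hostnames and addresses below are constructed for illustration.

// 1) pfSense host alias containing FQDNs: pfSense resolves each name to IP
//    addresses and the firewall rule matches on destination IP only.
//    Constructed DNS answers (RFC 5737 documentation ranges):
const ALIAS_RESOLUTION = {
  "domain.org": ["203.0.113.10"],
  "www.domain.org": ["203.0.113.10"],
};
const ALIAS_IPS = new Set(Object.values(ALIAS_RESOLUTION).flat());

function pfAliasAllows(dstIp) {
  // A subdomain hosted elsewhere is never in the set; a subdomain that
  // happens to share an address with www.domain.org would be allowed.
  return ALIAS_IPS.has(dstIp);
}

// 2) Squid "acl x dstdomain PATTERN": a leading dot means the domain itself
//    plus every subdomain; without the dot only an exact match.
function squidDstdomainMatch(pattern, host) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// 3) Squid regex ACLs (dstdom_regex / url_regex) with the thread's
//    ".*domain.org": unanchored, and the unescaped "." matches any char.
//    Squid regex ACLs are case-sensitive unless given -i, hence no "i" flag.
function squidRegexMatch(pattern, host) {
  return new RegExp(pattern).test(host);
}

// Same intent as ".*domain.org", but anchored and with the dot escaped.
const ANCHORED_REGEX = "(^|\\.)domain\\.org$";

// Evaluate one destination against all four rule forms.
function evaluate(host, dstIp) {
  return {
    alias: pfAliasAllows(dstIp),
    dstdomain: squidDstdomainMatch(".domain.org", host),
    looseRegex: squidRegexMatch(".*domain.org", host),
    anchoredRegex: squidRegexMatch(ANCHORED_REGEX, host),
  };
}

// Constructed destinations: the poster's working and failing cases, then
// two lookalike names anyone could register.
const CASES = [
  ["www.domain.org", "203.0.113.10"],
  ["subdomain.domain.org", "203.0.113.20"],
  ["notdomain.org", "198.51.100.5"],
  ["domain.org.evil.example", "198.51.100.6"],
];

for (const [host, ip] of CASES) {
  console.log(host.padEnd(26), JSON.stringify(evaluate(host, ip)));
}
```

Run with `node`. The output shows why the alias approach fails for the subdomain (different address, never in the resolved set) and why the `.*domain.org` regex should not be used as an allow-list: it also admits `notdomain.org` and `domain.org.evil.example`. The leading-dot `dstdomain` form, or the anchored regex, gives the intended match.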

Hello again,

OK, so if I'm using squid3x, then https sites are not working. Can you give me hints for that, please?

gr33z

podilarius

According to the proxy config, you can use a man-in-the-middle approach. It requires that you set up a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control sites my girls should not be seeing. They can get to https sites, though. This might be a way to circumvent that limitation.
Please post if you have any success, if you use it.

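A PAC file is the piece the last reply mentions. Once a browser is configured with an explicit proxy (via WPAD or a PAC URL) it sends HTTPS as `CONNECT host:443` to the proxy, so Squid sees the destination hostname and can allow or deny it with a `dstdomain` ACL without decrypting TLS; man-in-the-middle (Squid's SSL bump) is only needed if you want to inspect URLs or content inside the TLS session. The block below is an added example, not from the thread or from Squid, of a minimal PAC file for the allow-list gateway the original poster describes. The proxy address `192.0.2.1:3128` and the LAN range `192.168.1.0/24` are assumptions; the two helper functions are written out here rather than using the PAC engine's built-ins so the file also runs under Node.

```javascript
// Added example, not from the thread: a minimal PAC file for an allow-list
// gateway. Assumed: Squid listens on 192.0.2.1:3128 and the LAN is
// 192.168.1.0/24. Browsers that load this file send every non-local
// request, http and https alike, to the proxy; https arrives as CONNECT,
// so Squid can apply dstdomain ACLs without TLS interception.

var PROXY = "PROXY 192.0.2.1:3128";
var LAN_PREFIX = /^192\.168\.1\.\d{1,3}$/; // assumed LAN, literal IPs only

// PAC engines supply helpers such as isPlainHostName(); these two are
// defined locally so the file has no hidden dependencies and runs in Node.
function isBareHost(host) {
  return host.indexOf(".") === -1; // e.g. "printer", "localhost"
}

function isLanAddress(host) {
  return LAN_PREFIX.test(host);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and LAN addresses bypass the proxy.
  if (isBareHost(host) || isLanAddress(host)) {
    return "DIRECT";
  }
  // Everything else goes through Squid. Deliberately no "; DIRECT"
  // fallback: if the proxy is down, browsing fails closed instead of
  // silently bypassing the allow-list. The firewall should still block
  // direct outbound from the LAN, so this is belt and braces.
  return PROXY;
}

// Stand-alone demo of the decisions (not executed by PAC engines).
if (typeof require !== "undefined" && require.main === module) {
  for (var h of ["www.domain.org", "subdomain.domain.org", "printer", "192.168.1.20"]) {
    console.log(h.padEnd(22), FindProxyForURL("https://" + h + "/", h));
  }
}
```

Serve the file as `wpad.dat` with MIME type `application/x-ns-proxy-autoconfig` and announce it either through DHCP option 252 or a DNS host named `wpad` in the LAN's search domain, which is the WPAD setup the reply refers to. On the Squid side the matching allow-list is the leading-dot form, `acl allowed dstdomain .domain.org` with `http_access allow allowed` before `http_access deny all`, so that subdomains match and CONNECT to any other host is refused.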
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.