Pfsense, alias and subdomains needed



  • Hello folks,

    this is my first post and I have trouble configuring this, so hopefully I have hit the right forum for my question:

    My goal is a proxy server without caching functionality, something like a (surf-)gateway only.
    This makes sense, because I want to block all outbound except some internet sites, two of them need https!
    So squid is wrong for my configuration, right?

    My configuration works, but no subdomains are working :(
    For example:
    working:
    http://domain.org
    http://www.domain.org/someurl
    https://domain.org
    https://www.domain.org/someurl

    not working:
    http://subdomain.domain.org
    https://subdomain.domain.org

    This is my configuration:
    I installed a new "clean" pfSense, latest version
    under Firewall --> Alias: I configured as alias (hosts) something like "www.domain.org" (without ""), description named here "destinationALIAS"
    under Firewall --> Rules --> LAN:
    I deactivated the standard IPv4 and IPv6 rules
    I created a new rule:
    Action: Pass
    Interface: LAN
    Protocol: any
    Source: any
    Port: any
    Destination: single host or alias - name chosen "destinationALIAS"

    But why can't I use subdomains? They are blocked....
    I would prefer to use "*.domain.org" or "*domain.org" as the alias, but it's rejected.

    If you need detailed information I can deliver it tomorrow, but please help me out... thanks!
    Is there a simple way to get subdomains working?

    gr33z

    edit: configuration specified



  • I use

        .*domain.org

    in my ACLs. This takes care of any domain and subdomain.
    How are you blocking or allowing secure http (https)?



  • Hello podilarius,

    thanks for your reply!

    In your ACL? Do you mean a configuration with squid? I don't want to use squid :(
    I couldn't get secure http (https) to work with squid… so I don't want to block it.

    I tried to use your pattern ".*domain.org" (without "") as an Alias (Firewall --> Alias) of type Host - but it isn't accepted either :(
    Error:
    The following input errors were detected:

    .*domain.org is not a valid host alias.

    gr33z



  • Yes. I was talking about the squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use Snort, but I have not messed with that in a long time.



  • Hello again,

    ok, so if I'm using squid3x, then https sites are not working - can you give me hints for that, please?

    gr33z



  • According to the proxy config, you can use a man-in-the-middle approach. It requires that you set up a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control sites my girls should not be seeing. They can get to https sites though. This might be a way to circumvent that limitation.
    Please post if you have any success, if you use it.
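The WPAD/PAC piece of the reply above, as an added example that is not code from the thread or from pfSense: a proxy auto-config (PAC) file that hands an allowlisted domain and all of its subdomains to a filtering proxy and steers every other request to a deliberately unreachable proxy address. The proxy address, the blackhole address and the allowlist are placeholders; the suffix check is written out by hand because the PAC built-in dnsDomainIs helper is a plain string-suffix test and would also accept "notdomain.org" for "domain.org".

```javascript
// Added example (not from the thread): a PAC file that services an
// allowlisted domain plus its subdomains through a filtering proxy and
// sends everything else to an unreachable "blackhole" proxy. A PAC file is
// only a client-side hint, so the firewall and the proxy still enforce the
// policy. Written in ES5 (var, no arrow functions) because PAC
// interpreters in browsers are conservative about newer syntax.

// Domains (and their subdomains) the proxy should service. Placeholders.
var ALLOWED_DOMAINS = ["domain.org", "example.net"];

// Filtering proxy (e.g. a squid instance) and a deliberately unreachable
// address used to refuse everything else. Both are placeholder values.
var FILTER_PROXY = "PROXY proxy.lan.example:3128";
var BLACKHOLE = "PROXY 127.0.0.1:9";

// True when host is the domain itself or ends with "." + domain. Checking
// the label boundary avoids matching "notdomain.org" for "domain.org".
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// True when host falls under any entry of ALLOWED_DOMAINS.
function isAllowedHost(host) {
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    if (hostInDomain(host, ALLOWED_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point every PAC file must define; the browser calls it per request.
// Decisions are made on the host alone: for https the browser passes only
// scheme and host in url, so there is nothing more to inspect anyway.
function FindProxyForURL(url, host) {
  if (isAllowedHost(host)) return FILTER_PROXY;
  return BLACKHOLE;
}

// Usage outside a browser: evaluate the URLs from the thread.
console.log(FindProxyForURL("https://subdomain.domain.org/", "subdomain.domain.org"));
console.log(FindProxyForURL("http://notdomain.org/", "notdomain.org"));
```

Served as wpad.dat from a web server the clients can reach and advertised via DHCP option 252 or a wpad DNS name, this is the setup the reply calls "WPAD/PAC in DNS or DHCP"; the filtering proxy then decides per hostname, which covers https by hostname (CONNECT) without having to inspect the content.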