Pfsense, alias and subdomains needed

kranzfr3d

hello folks,

this is my first post and i have have trouble configuring this, so hopefully i had hit the right forum for my question:

my goal is an proxy-server without caching functionalty, something like a (surf-)gateway only.
this makes sense, because i want to block all outbound except some internet sites, two of them need https!
so squid is wrong for my configuration, right?

my configuration works, but no subdomains are working :(
for example:
working:
http://domain.org
http://www.domain.org/someurl
https://domain.org
https://www.domain.org/someurl

not working:
http://subdomain.domain.org
https://subdomain.domain.org

this is my configuration:
i installed a new "clean" pfsense, latest version
under Firewall–> Alias: i configured as alias (hosts) something like "www.domain.org" (without ""), description named here  "destinationALIAS"
under Firewall--> Rules--> LAN:
i deactivated the standard ipv4 and ipv6 rules
i created a new rule:
Action: Pass
interface: LAN
protocol: any
source: any
port: any
destination: single host or alias - name choosen "destinationALIAS"

but why i cannot use subdomains? they are blocked....
i prefer to use as alias "*.domain.org" or "*domain.org", but its rejected.

if you need detailed informations i can them deliver tomorrow, but please help me out... thanks!
is there a simple way to get subdomains working?

gr33z

edit: configuration specified

podilarius

I use

.*domain.org

in my ACLs. This takes care of any domain and subdomain.
How are you blocking or allowing secure http (https)?

kranzfr3d

Hello podilarius,

thanks for your reply!

In your ACL? Do you mean a configuration with squid? i dont want to use squid :(
I got secure http (https) not to work with squid…so i dont want to block it.

I tried to use your pattern ".*domain.org" (without "") as Alias (Firewall --> Alias) as Host - but it isn't accepted, too :(
Error:
The following input errors were detected:

.*domain.org is not a valid host alias.

gr33z

podilarius

Yes. I was talking about squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use snort, but I have not messed with that in a long time.

kranzfr3d

Hello again,

ok, so if i'm using squid3x, then https-sites are not working - can you give me hints for that, please?

gr33z

podilarius

according to the proxy config, you can use a man-in-the-middle approach. It requires that you setup a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control site my girls should not be seeing. They can get to https sites though. This might be a way to circumvent that limitation.
Please post if you have any success, if you use it.