• I have an interface that is connected to a wireless router and is used as a guest network. I'd like to set up a system (proxy) that will block users on that network from surfing "bad" sites. I have two questions:

    1. Is there a manual/how-to out there that shows how to set up a proxy that will do that?
    2. With #1 in mind, since a lot of these websites work on HTTPS, would I need to do something special, such as MITM SSL stripping, to be able to filter the traffic?
  • LAYER 8 Netgate

    The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit.  Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed.  That's the nature of HTTPS.  No magic pill.

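The point Derelict makes above, shown as an added shell example that is not part of this thread: a filtering proxy that mints certificates on the fly gets a clean handshake only from clients that trust its root CA, while every other client sees a certificate error. It assumes the `openssl` command-line tool is installed; the CA name and the hostname `site.example` are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration (not from the thread): on-the-fly certificates from a
# filtering proxy validate only where the proxy's root CA has been installed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The proxy's own root CA (constructed name; the key never leaves the proxy).
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
  'x509_extensions = v3_ca' '[dn]' 'CN = Guest Filter Root CA' \
  '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2. A leaf certificate the proxy would generate for a visited site
#    ("site.example" is a placeholder hostname, not a real destination).
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
  '[dn]' 'CN = site.example' > leaf.cnf
printf '%s\n' 'subjectAltName = DNS:site.example' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -config leaf.cnf \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Client that installed the proxy CA as a trusted root: the chain validates.
verify_with_trust() {
  openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1 && echo trusted || echo rejected
}

# Client with only the stock system trust store: unknown issuer, certificate error.
verify_without_trust() {
  openssl verify leaf.crt >/dev/null 2>&1 && echo trusted || echo rejected
}

echo "CA installed on client:     $(verify_with_trust)"    # trusted
echo "CA not installed on client: $(verify_without_trust)" # rejected
```

The second result is what guests would see on every HTTPS site behind such a proxy unless the CA is pushed to their devices.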

  • I have an idea.  Put that guest network on a separate interface.
    Create a limiter to limit the damage the "guests" can do to your bandwidth.
    If they just can't behave themselves, kill their access every time they do things you have told them not to.


  • @Derelict:

    The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit.  Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed.  That's the nature of HTTPS.  No magic pill.

    I'm fine with throwing cert errors, as long as I can achieve the blocking.

    I have an idea.  Put that guest network on a separate interface.
    Create a limiter to limit the damage the "guests" can do to your bandwidth.
    If they just can't behave themselves, kill their access every time they do things you have told them not to.

    Is there a way to use the limiter to completely block traffic instead of just limiting it?