Block almost all traffic



  • I don't know if this is the right category to post this in; hopefully someone can move the thread to the right place if I'm wrong.

    I need to set up an almost isolated network containing two computers, and then block all websites but a few from these two.
    Today there's no internet access from these computers, but I need to check some maps and other sites to be able to run certain things.

    My idea of a setup is: D-Link 3G/4G router --> computer running pfSense --> switch --> computers A & B. If it makes any difference, computers A & B use static IPs.
    Other than that, I want to connect to my 3G/4G router with a laptop or cellphone over WiFi, without any possibility of accessing computers A & B.

    The websites I want access to are, for example, http://map.eniro.com/geowebcache/service/tms1.0.0/nautical/[z]/[x]/[iy].png and http://www.smhi.se
    All other websites need to be blocked for both inbound and outbound traffic.

    Is this possible, and how do I set it up?



  • This is probably what you're looking for: https://doc.pfsense.org/index.php/SquidGuard_package

    The easiest way I can imagine blocking access to your computers A and B from your laptop and cellphone would be to enable the personal firewalls on both PCs. Otherwise you're looking into running multiple VLANs, one for your wifi and one for your wired PCs.
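    A minimal SquidGuard allowlist matching the two sites from the question, written here as an added example rather than taken from the linked pfSense documentation; the file paths, the block-page URL and the LAN address are assumptions, and on pfSense the SquidGuard package GUI writes the equivalent configuration for you.

```conf
# --- squidGuard.conf (added example; paths are assumptions) ---
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Destination group holding the only sites computers A & B may reach.
# A domainlist entry also matches its subdomains, so "smhi.se" would
# cover www.smhi.se and "eniro.com" would cover map.eniro.com; listing
# the exact hosts keeps the allowlist as narrow as the question asks.
# The [z]/[x]/[iy] tile path is a URL template, not something to match
# literally: allowing the host is enough for the map tiles to load.
dest allowed {
    domainlist allowed/domains
    log        allowed.log
}

acl {
    default {
        # Allow the "allowed" group and deny everything else ("none").
        pass     allowed none
        # Where denied requests are sent; pfSense LAN address assumed.
        redirect http://192.168.1.1/block.html
    }
}

# --- /var/db/squidGuard/allowed/domains (one host per line) ---
map.eniro.com
www.smhi.se

# --- squid.conf line that hands each request to SquidGuard (assumed path) ---
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
```

    The proxy only sees web traffic, so the LAN interface rules should also reject direct outbound connections other than to the proxy and DNS, or the allowlist is bypassed by any client that ignores the proxy. A transparent proxy without TLS inspection filters plain HTTP only, so HTTPS needs separate handling in the firewall rules.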



  • I've found SquidGuard, but haven't found the right way to configure it. But OK, now I know I'm on the right track. A link to a good guide would be good though.

    Personal firewalls on computers A & B are not an option; they need to be "open", as they are today, with the exception that they have internet access. My thought is that cellphones, laptops and other devices connect directly to the 3G/4G router, and computers A & B connect to the router with a pfSense device in between.



  • Isolating the PCs behind the pfSense would do the trick, sure.

    As for a guide for SquidGuard, a quick Google search for 'pfsense squidguard' coughs up numerous links to tons of info.



  • VLANs and/or multiple physical interfaces on the pfSense box.

    [Router] -> pfSense box -> one or more internal networks

    If you have more than two NICs available on the pfSense box, you could plug your WiFi Access Point into NIC #3 and the physical switch for the wired clients into NIC #2.  NIC #1 connects to the WAN/Router.  That will enforce separation of traffic between the two LANs unless you poke a hole between the two using firewall rules.

    Without more than two NICs, you have to go with VLANs on the internal interface, and you will need a switch that supports VLANs.  Your other devices do not need to support VLANs, but the switch has to.  Decent 8-port switches with VLAN support are in the $50-$100 range.  The better WiFi Access Points also support VLANs, where you can have up to four different SSIDs that tag their traffic with a VLAN.

    Either way, by segregating your clients into multiple LANs, you can then set up SquidGuard or OpenDNS filtering to only affect some of the LANs.  My usual setup is:

    VLAN #101) Heavily filtered / restricted / bandwidth limited LAN (and WiFi) using OpenDNS filtering
    VLAN #200) Moderately bandwidth limited LAN for guests, limited egress ports
    VLAN #300) Internal LAN, more egress ports opened up


Log in to reply