Netgate Discussion Forum
    Making a PfSense Box for church (Dansguardian or Squidguard)

Category: Problems Installing or Upgrading pfSense Software
    10 Posts 6 Posters 3.6k Views
mjmcgee:

I'm setting up a pfSense box for my church. I am using an old Dell in which I installed a couple of NIC cards (along with the built-in NIC). What I'm trying to do is have two separate networks (a private LAN and a public network attached to wireless APs). I was hoping to get DansGuardian on the public network so certain content can be blocked. Being able to log the traffic would be a plus. I have Squid and DansGuardian installed, but I'm having issues getting everything else set up. I'm in WAAAYYY over my head and would appreciate any help.

The computer has an old Intel Celeron processor (2.5 GHz, I think), 1 GB of RAM, one Intel (built-in) NIC and 2 TP-Link Gigabit cards installed.

A Former User:

OK, I'll bite. If you feel ignored, it could be that your post really has no specific problem. If you're over your head, then I would suggest keeping it simple. There is a wealth of info just by searching the forums here first.

Personally I would focus on getting the private LAN secure and truly private. Run cable when possible and have OpenVPN and FreeRADIUS for your wireless clients to avoid sniffing on private wireless. Public is nice but not important until you're ready.

As for packages, with that amount of RAM you may find Snort and pfBlockerNG are enough, and with VPNs they will eat it up. I run a newer Celeron at home with slower speed, but RAM is 4 GB. The processor never hits max, but memory can easily exceed 1 GB worth. You do not want the firewall to be overworked with too many bells and whistles. As for logging, well, this is a firewall, so it can produce enough logs to make your eyes bleed.

So, for your general question I suggest (like the sign in my office says) KISS: Keep It Simple, Stupid. Focus on the private network, and for now, if you really need the public access, just open the gates to hell and worry about them later (bad pun). Port 53 to the firewall only, and allow 80 and 443 out, is the basic starting point. Deny the rest.

To help you with firewall basics, may I suggest reading Marcus Ranum's "The Six Dumbest Ideas in Computer Security". It always helps me get my mind right. It shows up with a web search; best 5 minutes' worth of your time.

Once you understand what you are doing, your questions will be more precise, and then you may find the help is fast in answering. You want to avoid asking questions that are replied to with more questions. I have been here for a few years, but my posts are still under double digits. A lot of good info in the forums. The guys here know their stuff, but you need to meet them halfway. Do your part and research first. If the problem is with the program, they will definitely want to talk to you. Since they are busy trying to get version 2.3 out, any hand-holding is basically ignored. I bought the older paperback manual years ago, and the latest one is available (not paperback).

Search for some more memory and try Snort first, then check into pfBlockerNG. Good programs to start at. Snort has a free subscription version, and pfBlockerNG has two running posts full of info (not in the manual). Just a thought.

mjmcgee:

I definitely appreciate your reply. I should have asked more direct and specific questions. However, I simply have too many. I have "set up" and DBANed the system enough times that not even the NSA could get the data from the previous Windows 7 install back. I want the box to do a few main tasks.

1. Content filtering on the public network. (It's for the church, so we don't want to give anyone the chance to browse kiddie porn and get all of our computers seized by the FBI or any other three-letter org.)

2. Handle routing and DHCP for the public network so the APs don't get overloaded. We have between 35 and 60 devices on our network each week.

3. Control the bandwidth used by the public network. We are planning on implementing a live stream of our sermons on YouTube. That needs to have priority over Facebook videos.

4. Log what each device is doing and what websites are browsed so if law enforcement "requests" logs, we can provide them.

If all of that is pushing the pfSense box to its limit, I can have a 3-router setup (attempt to make a figure below... no promises) and keep it separate from the private LAN. If I can do it all with pfSense, then I would love to save the cost of the routers.

                Internet
                    |
                Router #1
                /       \
         Router #2     Router #3
             |             |
      Private Network   pfSense Box
                           |
                      Public Network

So what I've done so far is install Squid and DansGuardian. I think I followed almost every tutorial ever made on this, but none of them set it up how I needed/wanted it. I have a total of 3 Ethernet ports now in the box (1 integrated on the motherboard and 2 TP-Link Gigabit NICs). I want the WAN on the integrated Intel interface (fxp0), the private LAN on one of the installed NICs (re0), and the public network on the other installed NIC (re1).

All of the tutorials I saw were just to get DansGuardian filtering everything on one interface. Also, I did not have internet access for both NICs, and I could not figure out how to achieve that. I am unsure if I should bridge them or what. Every tutorial I've found has you port forward all internet through Squid and DansGuardian. I have had to disable the port forwarding countless times because I did not configure something correctly.

So I guess I'm not totally a noob. However, I know enough to really mess stuff up. If I could get some specific help with getting Internet access on both NICs, with Squid/DansGuardian filtering and logging only on one of them, I think I would be good to go. I can concentrate on locking down the private network after I have the public one separate and filtered/bandwidth-capped. Currently we have open Wi-Fi routers (no password, no filter, no blocks) set up, and we are just waiting for someone with a grudge to really mess up everything.

errorz:

If you upgrade your hardware, in my experience, pfSense can handle both of your routing needs with a simple VLAN setup. Depending on the setup at the facility, commercial products like Ubiquiti's UniFi (rather cheap and handles VLANs fine) will help in the process...

If I were you, I would just move over your DNS at the church to OpenDNS for now and lock down inappropriate material for the time being (not foolproof, but it helps for easy filtering).

This will ease the pressure on figuring out Squid/SquidGuard/etc. There are also very extensive lists for pfBlockerNG with which, for a small fee, you can block all kinds of shenanigans (security and otherwise) that are rather easy to set up as well.

The point I am trying to make is don't try to do it all, all at once. Change a couple of settings to get OpenDNS (free) to provide some content blocking for now, and work on the various facets of pfSense depending on the network setup at the church.

mjmcgee:

@errorz:

If you upgrade your hardware, in my experience, pfSense can handle both of your routing needs with a simple VLAN setup. Depending on the setup at the facility, commercial products like Ubiquiti's UniFi (rather cheap and handles VLANs fine) will help in the process...

If I were you, I would just move over your DNS at the church to OpenDNS for now and lock down inappropriate material for the time being (not foolproof, but it helps for easy filtering).

This will ease the pressure on figuring out Squid/SquidGuard/etc. There are also very extensive lists for pfBlockerNG with which, for a small fee, you can block all kinds of shenanigans (security and otherwise) that are rather easy to set up as well.

The point I am trying to make is don't try to do it all, all at once. Change a couple of settings to get OpenDNS (free) to provide some content blocking for now, and work on the various facets of pfSense depending on the network setup at the church.

Good ideas. I have OpenDNS set up currently. However, if someone knows how to change their own DNS servers on their device, then they can get to whatever they want. I wanted something like DansGuardian or SquidGuard to block content even for the people who know how to do this. I need help setting up and configuring a VLAN so I can get it all straightened out.

Also, I have put in a proposal to replace the current Wi-Fi setup (6 different routers from 4 different brands) with OpenMesh. It looks like OpenMesh will have all the functionality we need at the price point we need.

KOM:

However, if someone knows how to change their own DNS servers on their device then they can get to whatever they want.

https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

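Added example, not code from this thread or from the pfSense project: the starting ruleset A Former User describes above (port 53 to the firewall only, 80 and 443 out, deny the rest) and the DNS redirect KOM links to, written together in the rdr/nat pf syntax that pfSense 2.3 (FreeBSD 10.x) generates in /tmp/rules.debug. The interface names are the ones mjmcgee listed (fxp0 WAN, re0 private, re1 public); the subnets, the DansGuardian listening port and the transparent port-80 redirect are assumptions.

```pf
# Added example, not from the thread or pfSense. Interface names come from the
# original post; subnets and the proxy port are assumptions.
wan   = "fxp0"   # WAN on the integrated Intel NIC
lan   = "re0"    # private LAN
guest = "re1"    # public network feeding the wireless APs

guest_net  = "192.168.20.0/24"   # assumed guest subnet
lan_net    = "192.168.10.0/24"   # assumed private subnet
proxy_port = "8080"              # assumed DansGuardian port on the firewall

# --- Translation (precedes filter rules in this pf syntax) ---------------

# Guests reach the Internet behind the WAN address.
nat on $wan from $guest_net to any -> ($wan)

# Force DNS to the firewall: a query a guest sends to any resolver other than
# the firewall itself is rewritten to the firewall's own resolver. This is the
# port forward from "Redirecting all DNS Requests to pfSense"; a client that
# hard-codes 8.8.8.8 to dodge OpenDNS still gets the filtered answer.
rdr on $guest proto { tcp, udp } from $guest_net to ! ($guest) port 53 -> 127.0.0.1 port 53

# Transparent proxy for plain HTTP into DansGuardian (the "port forward all
# internet through squid and DansGuardian" step from the tutorials). Only
# port 80: HTTPS cannot be filtered this way without intercepting TLS on the
# firewall, so 443 is passed through below and only the DNS filter applies.
rdr on $guest proto tcp from $guest_net to ! ($guest) port 80 -> 127.0.0.1 port $proxy_port

# --- Filtering -----------------------------------------------------------

# Default deny, logged, on the guest interface; everything allowed is explicit.
block in log on $guest

# Guests never talk to the private LAN or the firewall's private address.
block in quick on $guest from $guest_net to { $lan_net, ($lan) }

# Keep the webGUI (TCP 443 on any firewall address) away from guests.
block in quick on $guest proto tcp from $guest_net to self port 443

# DHCP so guests get addresses from pfSense instead of the APs.
pass in quick on $guest proto udp from any port 68 to any port 67

# DNS only to the firewall. After the rdr above the filter sees 127.0.0.1
# for redirected queries and the interface address for direct ones.
pass in quick on $guest proto { tcp, udp } from $guest_net to { 127.0.0.1, ($guest) } port 53

# Web: port 80 has already been redirected to the proxy; 443 goes out directly.
pass in quick on $guest proto tcp from $guest_net to 127.0.0.1 port $proxy_port flags S/SA keep state
pass in quick on $guest proto tcp from $guest_net to any port 443 flags S/SA keep state

# No block out rules: as in pfSense's generated set, outbound on $wan and the
# replies are passed by state. Anything else from guests hits the block above.
```

pfSense rebuilds /tmp/rules.debug from config.xml on every change, so this is for reading and checking rather than pasting: build the equivalents under Firewall > NAT (Port Forward) and Firewall > Rules on the re1 tab, then compare the result with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). To confirm the DNS redirect works, point a guest client at an outside resolver (for example `dig @8.8.8.8 example.com`) and check `pfctl -ss | grep ':53'` on the firewall: the state should show the destination translated to 127.0.0.1:53. As KOM says, this only forces clients to the firewall's filtered resolver; it does not inspect HTTPS content.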
robi:

@errorz:

lock down inappropriate material for the time being (not foolproof, but it helps for easy filtering).

How do you lock down inappropriate material without Squid/SquidGuard/etc.?

The Computer Guy:

You can use DNS servers. Also, if you look at the post above yours, with pfSense you can force traffic through the DNS servers you set.

robi:

Oh, I see. That doesn't keep you away from content which is inappropriate... in a church!

KOM:

That doesn't keep you away from content which is inappropriate... in a church!

It does if you use custom DNS that filters out bad stuff, like OpenDNS or Norton ConnectSafe. Nothing is perfect, though. If people are determined to use a church's network to find porn, they will eventually find porn.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.