How do I allow certain websites through with pfsenseNG?



  • I can't seem to find any guide showing how to add websites that can go through (via IP4, Alias) to countries that are otherwise blocked.

    For example, all of Russia is blocked, yet there are a couple of websites I'd like to allow through the firewall. When I try to add them to an Alias, giving them 'Permit_Both', I still can't access the website. For the website I used its IP address, not its URL domain name.

    Any help or a link to a guide on how to do that specific task would be awesome! Thanks!  :D


  • Moderator

    Don't use "Permit Both" as that allows those websites access to your network without a LAN device making the request… (Stateful firewall)

    Change the "Rule Order" in the pfBNG General tab to have the "Permit Outbound" rules before the Block/Reject rules...

    Firewall rules are processed top to bottom ....



  • @BBcan177:

    Don't use "Permit Both" as that allows those websites access to your network without a LAN device making the request… (Stateful firewall)

    Change the "Rule Order" in the pfBNG General tab to have the "Permit Outbound" rules before the Block/Reject rules...

    Firewall rules are processed top to bottom ....

    The reason why I selected Permit Both is to try to make it easier until I can actually get it to work.

    When I go to Firewall > Rules > LAN / WAN - I see the block lists for all the various regions/continents but I don't see that it set up a rule for permitted websites at pfblockerNG > IPv4. Shouldn't there be something there 'Alias' I created under pfsense>IPv4 tab?

    As I said, I'm in need of some sort of step-by-step guide to setting up allowed websites that can pass through.


  • Moderator

    Check your "Rule Order" setting to ensure that the pfB Permit is above the Block/Reject rules…
    Go to the IPv4 Tab, create a new Alias called "Whitelist"... Enter the IPs that you want to allow outbound access (to bypass the Block rules) at the bottom in the Custom List... Set the Action as "Permit Outbound"... Save... then run a "Force Update" ...
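
The rule-order point above, as an added example that is not part of the thread and not pfBlockerNG code: a simplified first-match model of "processed top to bottom". The interface defaults, the rule tuples and the sample addresses (RFC 5737 documentation range) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: an RFC 5737 documentation range stands in for a
# blocked country list, and one address inside it for the site to allow.
GEO_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]
WHITELIST = [ipaddress.ip_network("203.0.113.10/32")]

def in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

def evaluate(rules, iface, remote_ip):
    """First matching rule on the interface wins (top to bottom).

    On LAN the remote address is the destination of a request made by a
    LAN device; on WAN it is the source of an unsolicited connection.
    """
    for rule_iface, action, alias in rules:
        if rule_iface == iface and in_alias(remote_ip, alias):
            return action
    # Assumed defaults: LAN allows anything not matched, WAN denies it.
    return "pass" if iface == "LAN" else "block"

# Block rules above the permit rule: the whitelist entry is never reached.
BLOCK_FIRST = [("LAN", "block", GEO_BLOCK), ("LAN", "pass", WHITELIST)]
# "Permit Outbound" ordered above Block/Reject, as the moderator advises.
PERMIT_FIRST = [("LAN", "pass", WHITELIST), ("LAN", "block", GEO_BLOCK)]
# "Permit Both" modelled as the same LAN rules plus a WAN pass rule.
PERMIT_BOTH = [("WAN", "pass", WHITELIST)] + PERMIT_FIRST

def summary(rules):
    return {
        "lan_to_site": evaluate(rules, "LAN", "203.0.113.10"),
        "lan_to_rest_of_range": evaluate(rules, "LAN", "203.0.113.77"),
        "site_to_wan_unsolicited": evaluate(rules, "WAN", "203.0.113.10"),
    }

if __name__ == "__main__":
    for name, rules in [("block first", BLOCK_FIRST),
                        ("permit first", PERMIT_FIRST),
                        ("permit both", PERMIT_BOTH)]:
        print(name, summary(rules))
```

Only the permit-first ordering lets the LAN reach the whitelisted address while the rest of the range and unsolicited WAN traffic stay blocked.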



  • @BBcan177:

    Check your "Rule Order" setting to ensure that the pfB Permit is above the Block/Reject rules…
    Go to the IPv4 Tab, create a new Alias called "Whitelist"... Enter the IPs that you want to allow outbound access (to bypass the Block rules) at the bottom in the Custom List... Set the Action as "Permit Outbound"... Save... then run a "Force Update" ...

    Perhaps this is my problem, under the Firewall rules on the LAN tab I'm not seeing pfb Permit. Do I need to manually create that?

    Here's what it's showing under LAN http://i.imgur.com/ZuvChp2.png


  • Moderator

    You have to go to the "IPv4" tab and manually create a "Whitelist" Alias as I suggest above… Then it will auto create the firewall rules to allow the outbound traffic to bypass the other Block rules.

    You should rethink your approach and Whitelist the Countries instead of blocking the world..
    Please see the following links:
    https://forum.pfsense.org/index.php?topic=102071.0 https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324 https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921

    There are also other Blocklists that can be used...
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973



  • @BBcan177:

    You have to go to the "IPv4" tab and manually create a "Whitelist" Alias as I suggest above… Then it will auto create the firewall rules to allow the outbound traffic to bypass the other Block rules.

    You should rethink your approach and Whitelist the Countries instead of blocking the world..
    Please see the following links:
    https://forum.pfsense.org/index.php?topic=102071.0 https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324 https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921

    There are also other Blocklists that can be used...
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973

    Not sure why you sent me that one link, a rather nasty response to that person that blocked everything with the first comment calling that person's settings 'absurd'. Nice dickish community support.. When there's no official documentation for the plugin, what are people supposed to go by? Not everyone has proper training in firewalls and people like me aren't even in the IT field so all we have to go by are guides we search in Google. Every guide I came across on both YouTube and blogs from Google search said to block the countries you don't need access to or from. In fact the default settings and little comments would suggest that one would simply highlight the regions they want blocked. Most people would refer to official documentation but that doesn't exist.

    Really it boils down to the lazy developers not creating proper guides.. even one official guide would be nice. It's not as if it's something absurd to ask or unheard of, in fact most packages have rather lengthy documentation.

    But thanks for the help….


  • Moderator

    When you click on "Country" it brings you to this page…

    Kind of says it all but hey… who reads the documentation anyways...

    Best to follow some guide someone put on youtube...

    And as per being "Lazy"... Maybe it's best you just get an off the shelf Dlink and plug and play to your heart's content... You don't just turn stuff on out of the box and expect to integrate packages to your network. It takes effort... People are here to help if you want to learn.

    BTW... I'm the dev of the package and the last time I looked... I do this all for FREE and on my own time... What have you done...



  • @BBcan177:

    BTW… I'm the dev of the package and the last time I looked... I do this all for FREE and on my own time... What have you done...

    And from those of us who do listen… whom you have helped...  Thank you SO MUCH!
    I won't say it's perfect (and I don't think you would either), but with a little tweaking here and there, random updates to block or allow lists, it works damn well.  I'm amazed at the numbers that build in the dash widget.

    Similar thanks go out to Bill for Snort too!

    Rick

