I would like to know how to implement more granular filtering in pfSense.

Scenario:

  • pfSense with 2 WAN and 1 LAN
  • 160 clients with DHCP

I would like to know how to allow websites on a per-client basis.

Example:

  • group A allow websites X and deny websites Y
  • group B allow websites X and allow websites Y
  • group C allow websites X and allow websites Y and allow websites Z

How is a configuration like this done?

Thanks for the help

Ern

mzhaase

2 Answers

You can do this with Squid. Perhaps as a transparent proxy? Up to you...

Install the squid package on your pfSense firewall from System->Package Manager.

Go to Services->Squid Proxy Server->General and at the bottom click Show Advanced Options.

Here you can add custom ACLs in the boxes. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details on that. You can get the fine control that you need, it's just a matter of reading the documentation.

Ryan Babchishin

pfBlockerNG can do this.

Also, the new tag feature in Unbound can do this, with no additional components needed. More details at Unbound's home.

It's only supported in Unbound 1.5.10 onwards, so you may need to update your pfSense.

The config is a bit long-winded, even convoluted; sophistication comes with complexity. Perhaps a pfSense GUI for it might appear in the future. It is a new feature.

pfSense web admin gui > Services > DNS Resolver > Custom Options

# give pfSense a server: tag so it puts directives in correct place
server:

# define the tags (one quoted, space-separated list)
define-tag: "websiteX websiteY websiteZ"

# create access control entries
access-control: 10.1.1.0/24 allow  # group A
access-control: 10.1.2.0/24 allow  # group B
access-control: 10.1.3.0/24 allow  # group C

# tag the access: allocate ip ranges to the tags
# access-control-tag takes one quoted list of tags per netblock,
# so give each netblock all of its tags on a single line
access-control-tag: 10.1.1.0/24 "websiteX websiteY websiteZ"
access-control-tag: 10.1.2.0/24 "websiteX websiteY websiteZ"
access-control-tag: 10.1.3.0/24 "websiteX websiteY websiteZ"

# create the local-zones, and allow normal service
#  which allows non-blocked users access
#  and allow all types like A and AAAA and CNAME
local-zone: www.websitex.com typetransparent
local-zone: www.websitey.com typetransparent
local-zone: www.websitez.com typetransparent

# tag the domains (a zone only applies to clients sharing one of its tags)
local-zone-tag: www.websitex.com "websiteX"
local-zone-tag: www.websitey.com "websiteY"
local-zone-tag: www.websitez.com "websiteZ"

# override the zone action for the denied client/tag pairs only
access-control-tag-action: 10.1.1.0/24 "websiteY" redirect
access-control-tag-action: 10.1.2.0/24 "websiteZ" redirect

# Send users to your polite internal block page
access-control-tag-data: 10.1.1.0/24 "websiteY" "A 10.1.1.1"
access-control-tag-data: 10.1.2.0/24 "websiteZ" "A 10.1.1.1"
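Because the tag layout grows to one line per subnet, per site and per denied pair, a small generator keeps the policy in a table and renders the Custom Options text from it. This is an added example, not the answer's own configuration or anything shipped with pfSense or Unbound; the subnets, domains, and the 10.1.1.1 block-page address are constructed sample values that mirror the layout above.

```python
from ipaddress import ip_network

BLOCK_PAGE_IP = "10.1.1.1"  # assumed address of an internal block page

# group -> client subnet (constructed sample values matching the answer's layout)
GROUPS = {"A": "10.1.1.0/24", "B": "10.1.2.0/24", "C": "10.1.3.0/24"}
# tag -> domain the tag controls
SITES = {"websiteX": "www.websitex.com",
         "websiteY": "www.websitey.com",
         "websiteZ": "www.websitez.com"}
# group -> tags that group must not resolve (anything not listed is allowed)
DENY = {"A": {"websiteY"}, "B": {"websiteZ"}}


def render_unbound_policy(groups, sites, deny, block_ip):
    """Return text for pfSense > Services > DNS Resolver > Custom Options.

    Layout follows the answer above: every client subnet carries every tag,
    each site is a typetransparent local-zone tagged with its own tag, and
    only the denied group/tag pairs get a redirect to the block page.
    """
    for net in groups.values():
        ip_network(net)  # fail early on a mistyped subnet
    unknown = {t for tags in deny.values() for t in tags} - set(sites)
    if unknown:
        raise ValueError(f"deny table references undefined tags: {sorted(unknown)}")
    all_tags = " ".join(sorted(sites))
    out = ["server:", f'define-tag: "{all_tags}"', ""]
    for name, net in sorted(groups.items()):
        out.append(f"access-control: {net} allow  # group {name}")
        # one quoted list per netblock: access-control-tag takes all tags at once
        out.append(f'access-control-tag: {net} "{all_tags}"')
    out.append("")
    for tag, domain in sorted(sites.items()):
        out.append(f"local-zone: {domain} typetransparent")
        out.append(f'local-zone-tag: {domain} "{tag}"')
    out.append("")
    for name, net in sorted(groups.items()):
        for tag in sorted(deny.get(name, ())):
            out.append(f'access-control-tag-action: {net} "{tag}" redirect')
            out.append(f'access-control-tag-data: {net} "{tag}" "A {block_ip}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_unbound_policy(GROUPS, SITES, DENY, BLOCK_PAGE_IP))
```

Paste the printed text into the Custom Options box and run unbound-checkconf on the resulting unbound.conf before applying it, since a typo in a tag name is only reported at load time.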
David McNeill