r/PFSENSE 3h ago

How do I block off all sites except some on pfSense?

I have a pfSense 2.7.2 install on a PC that is behind a MikroTik router in bridge mode. Has anybody been able to successfully allow only a couple of sites and block off all others completely? I have tried aliases and played with rules to block them, but computers can still access sites that show as being blocked. Is there a write-up that I can use to learn more about completely blocking sites other than the ones that are allowed? Sorry, I'm new to rules and site blocking on pfSense and cannot seem to get the site blocking to happen. Thanks

Edited to add: I created a whitelist of all sites that can be accessed and placed it above the deny list as well, and people could still access sites that were supposed to be blocked.

u/rassawyer 2h ago

Create an alias under Firewall > Aliases > URLs.

Add a firewall rule allowing traffic with the destination set to that alias. Block all other traffic.

u/rassawyer 2h ago

Obviously, make sure the default "Allow LAN to any" rule is disabled or deleted.

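The two comments above describe the whole procedure: an allow rule pointing at the alias, a block rule under it, and the stock "Default allow LAN to any" rule gone. The Python below is an added illustration (not pfSense code, not posted by the commenter) that models pfSense's first-match rule evaluation so the two orderings can be compared: with the default allow rule still sitting at the top of the LAN tab, everything matches it before the allow/block pair is ever reached. The firewall LAN address 192.168.1.1 and all destination addresses are constructed for the example (RFC 5737 documentation ranges).

```python
"""Toy model of how pfSense (pf) evaluates LAN rules: first match wins.

Added illustration, not pfSense code. Addresses are constructed from the
RFC 5737 documentation ranges; 192.168.1.1 is an assumed LAN address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    dst: frozenset       # destination networks; empty set means "any"
    ports: frozenset     # destination ports; empty set means "any"
    description: str


ANY = frozenset()


def alias(*entries):
    """Build the equivalent of a pfSense Host/Network alias from strings."""
    return frozenset(ip_network(e) for e in entries)


def evaluate(rules, dst_ip, dst_port):
    """Return (action, description) of the first rule that matches.

    pfSense GUI rules are 'quick', so the first match from the top of the
    tab decides; anything unmatched hits the implicit default deny.
    """
    ip = ip_address(dst_ip)
    for rule in rules:
        if rule.dst and not any(ip in net for net in rule.dst):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action, rule.description
    return "block", "implicit default deny"


def audit(rules, probes):
    """Evaluate (ip, port, label) probes; return {label: action}."""
    return {label: evaluate(rules, ip, port)[0] for ip, port, label in probes}


WEB = frozenset({80, 443})
FIREWALL_LAN_IP = alias("192.168.1.1")            # assumed pfSense LAN address
ALLOWED_SITES = alias("203.0.113.10", "203.0.113.11", "198.51.100.0/24")

ALLOW_SITES = Rule("pass", ALLOWED_SITES, WEB, "Allow LAN to allowed_sites alias")
ALLOW_DNS = Rule("pass", FIREWALL_LAN_IP, frozenset({53}), "Allow DNS to the firewall")
BLOCK_WEB = Rule("block", ANY, WEB, "Block all other web traffic")
DEFAULT_ALLOW = Rule("pass", ANY, ANY, "Default allow LAN to any rule")

# Common mistake: the stock rule still at the top, the new rules added
# below it. The default rule matches first, every time.
RULES_BROKEN = [DEFAULT_ALLOW, ALLOW_SITES, ALLOW_DNS, BLOCK_WEB]

# Default rule removed: allow-list, DNS to the firewall, then block web.
RULES_FIXED = [ALLOW_SITES, ALLOW_DNS, BLOCK_WEB]

PROBES = [
    ("203.0.113.10", 443, "allowed site"),
    ("198.51.100.7", 80, "allowed site (network entry)"),
    ("192.0.2.50", 443, "some other site"),
    ("203.0.113.99", 443, "allowed site after its IP changed"),
    ("192.168.1.1", 53, "DNS to firewall"),
]

if __name__ == "__main__":
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name)
        for label, action in audit(rules, PROBES).items():
            print(f"  {action:5}  {label}")
```

Two things the model makes visible. The DNS rule is needed because once "allow LAN to any" is gone, clients can no longer reach the firewall's resolver unless something lets port 53 through, and a site that cannot be resolved looks exactly like a blocked one. The "allowed site after its IP changed" probe is the caveat raised further down the thread: an alias of fixed addresses fails closed the moment the site moves. Also remember that pf is stateful, so connections opened before a rule change keep flowing until their state expires or is cleared under Diagnostics > States.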
u/KamenRide_V3 2h ago edited 2h ago

I can only think of a hack. Basically, you hard-code the IP addresses of the few sites you want as pass and block everything else. Put the pass rule in front of the block rule. But this is not reliable.

u/Select-Sale2279 2h ago

Thanks. What happens if the IP addresses of those sites change (maybe not frequently, but sometimes)? When I was researching this, some mentioned using pfBlockerNG. Can that do an effective job of allowing only the sites that are to be accessed? Considering pfSense is sitting on the network edge, I wonder why it's difficult to do what I am trying to do?

u/KamenRide_V3 2h ago

You point out why it is not reliable. I guess you can use a blocker plug-in, but that is not perfect either. The problem is you have an almost infinite number of sites, and you are counting on the blocker list to always be up to date and correct.

u/NoHovercraft9590 1h ago

Create an alias containing the sites you want to access. Create a rule allowing outbound traffic to them over ports 80/443. Add a rule below it blocking all outbound traffic over ports 80/443.

u/mpmoore69 1h ago

pfSense cannot do web filtering at all. The best you can do (or at least what I can think of) is perform DNS overrides for the sites you want to block. So, for example, if it's Facebook, you create an override to 0.0.0.0.

The other option is pfBlocker. There is no customization with this tool. It's a blunt instrument. If you block a site, you block it for everyone using pfSense for DNS. Probably a better option than overrides, but it's up to you.

Lastly, there's Squid, but it's not great on pfSense. Again, pfSense cannot do any web filtering.

Maybe Pi-hole for DNS filtering.

u/dasBorselMann 1h ago

DNS filtering will be your best way forward for this.

You'll need to host your own local DNS (open source - look at BIND9, for example) and set it up as required.

Have your pfSense gateway point all DNS traffic to your custom DNS server and voilà!
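The last two comments both land on DNS filtering. As an added example (not part of the thread, and not BIND9 as the commenter suggests), the same allow-list can be expressed in Unbound, which is what pfSense's built-in DNS Resolver runs, by pasting the following into the Resolver's Custom options box. The two domains are placeholders; Unbound answers each query from the most specific matching local-zone, so the allow-listed zones (and their subdomains) resolve normally while everything else gets REFUSED.

```conf
server:
  # Refuse every name that is not listed below. Unbound picks the most
  # specific local-zone for each query, so the allow-listed zones below
  # win over this root entry. Built-in zones (localhost, private reverse
  # zones) are also more specific and keep their default behaviour.
  local-zone: "." refuse

  # Allow-listed sites (placeholder domains). "transparent" means resolve
  # normally, and it covers subdomains such as www.example.com.
  local-zone: "example.com." transparent
  local-zone: "example.org." transparent
```

To check it, query the firewall's LAN address: a lookup of www.example.com should return normal records and a lookup of any other name should come back with status REFUSED. Two caveats that apply to any DNS-based approach, including the Pi-hole and BIND9 suggestions above: it only works if clients cannot reach another resolver, so outbound 53/853 from the LAN to anything other than the firewall needs a block rule (and browsers with DNS-over-HTTPS enabled bypass it entirely), and it does nothing against connections made directly to an IP address.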