For most intents and purposes, the Squid proxy server/SquidGuard setup can be used to block specific websites from being accessed by users on our LAN. You can use a blacklist as shown in the Squid proxy server guide for pfSense.
You can even go further and create rules that block one group of computers while giving access to another group or subnet.
However, if you have created a CA certificate with the certificate manager in pfSense, deployed it to your client machines and configured Squid for SSL man-in-the-middle filtering, you should be all right: your pfSense proxy will then inspect HTTPS traffic as well as HTTP traffic and block sites that use HTTPS, e.g. facebook, according to your rules.
But deploying certificates to the client machines can be a hassle, especially if you have a large number of computers and find it inconvenient to move from one machine to the next installing certificates by hand. Active Directory Certificate Services can come to the rescue: it lets you remotely place the certificate in the right store on each client machine, provided of course that you have a certificate server in your network.
If you simply need to block groups of computers from sites like facebook.com, either temporarily while you figure out how to get your certificates onto remote machines, or permanently if you prefer this solution, just use the firewall feature in pfSense.
This guide will show you how to block websites using pfSense firewall rules. Keep in mind that a firewall rule blocks by IP address, not by name: it is only as good as the address list you feed it, it also blocks any other service hosted on those addresses, and a client that reaches the site through a VPN or an external proxy is not affected by it.
Step 1: Create an alias under Firewall => Aliases. Click the IP tab and click the + sign to add an alias. Give it an intuitive name such as fb_blocker_list and a description.
In the Type field select Network, and enter the IP address ranges used by Facebook or the website to be blocked. A Google search will turn up such lists, but treat them as a starting point only: the ranges change over time, so a list typed in by hand goes stale. Facebook announces its addresses under AS32934, and the prefixes published for that ASN are the place to refresh the alias from.
At the time of writing, the Facebook IP addresses were:
126.96.36.199/21, 188.8.131.52/18, 184.108.40.206/22, 220.127.116.11/20, 18.104.22.168/20, 22.214.171.124/19, 126.96.36.199/22, 188.8.131.52/22, 184.108.40.206/16, 220.127.116.11/16, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
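One way to keep that list maintainable, as an added example that is not from the original guide: pull the prefixes registered for AS32934 in RADb and collapse them into one-prefix-per-line form, which pfSense accepts either pasted into the Network alias or, better, served over HTTP as a URL Table alias that it refreshes on a schedule. Against the real registry you would feed the script the output of `whois -h whois.radb.net -- '-i origin AS32934'`; the whois text below is a constructed sample using documentation ranges and a private ASN so that the script runs offline.

```python
"""Build a pfSense alias list for one ASN from RADb whois output.

Added example, not from the original guide. Real input comes from:
    whois -h whois.radb.net -- '-i origin AS32934'
SAMPLE_WHOIS is a constructed stand-in so the script runs offline.
"""
import ipaddress
import re

# Constructed sample of RADb route/route6 objects (documentation ranges,
# private ASN; not Facebook data). Note the duplicate and the /25 that is
# already covered by its /24: both are common in registry data.
SAMPLE_WHOIS = """\
route:      203.0.113.0/24
descr:      EXAMPLE-NET
origin:     AS64496
source:     RADB

route:      203.0.113.0/25
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
origin:     AS64496
source:     ALTDB

route6:     2001:db8:ff00::/40
origin:     AS64496
source:     RADB
"""

# Only the attribute lines that carry a prefix; everything else is ignored.
ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)


def routes_from_whois(text):
    """Return (ipv4_networks, ipv6_networks) parsed from route:/route6: lines.

    A malformed prefix (or one with host bits set) is skipped rather than
    aborting the run, so one bad registry object cannot empty the alias.
    """
    v4, v6 = [], []
    for prefix in ROUTE_RE.findall(text):
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def collapse(nets):
    """Drop duplicates and prefixes already covered by a larger one, so the
    alias stays small and pfSense loads no overlapping table entries."""
    return list(ipaddress.collapse_addresses(nets))


def alias_lines(text, want_v6=False):
    """Alias file content: one prefix per line, sorted, for one family."""
    v4, v6 = routes_from_whois(text)
    return [str(n) for n in collapse(v6 if want_v6 else v4)]


if __name__ == "__main__":
    # Write these to two files and point a URL Table alias at each.
    print("\n".join(alias_lines(SAMPLE_WHOIS)))
    print("\n".join(alias_lines(SAMPLE_WHOIS, want_v6=True)))
```

Serve the output file from an internal web server and create an alias of type URL Table (IPs) pointing at it with an update frequency of a day or so; pfSense then refreshes the table without anyone editing it. RADb route objects are registered by operators and can lag behind or overreach what is actually announced, so sanity-check the list against a looking glass before trusting it for a block rule.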
Now save and apply changes. Then go to Firewall => Rules and click the LAN tab.
Click the + sign to add a rule.
Set Action to Block. (Reject is often friendlier on a LAN: it sends the client a TCP reset or ICMP unreachable so the browser fails at once instead of hanging until it times out, whereas Block drops the packet silently.)
Under Destination, set the type to Single host or alias. In the red box beneath it, start typing your alias name, e.g. fb_bl…, and the system will offer your alias; click it to select it. Leave the TCP/IP Version at IPv4, and note that the rule therefore covers IPv4 only: if your LAN has IPv6 connectivity, put Facebook's IPv6 prefixes in an alias and add a matching IPv6 block rule, otherwise clients that prefer IPv6 reach the site unhindered.
Save and apply changes.
Now try to access facebook.com from any computer on the local network; it should no longer load.
Bear in mind that I already have my Squid proxy set up in transparent mode, and it logs and blocks HTTP traffic according to my rules. However, it does not block HTTPS traffic, since I have not configured SSL man-in-the-middle filtering; I will do that in a later guide. But to prevent my users from consuming company data and playing during work hours, I have implemented this solution, temporary or permanent depending on how you see it.
Your company may have a social media team that promotes the business on social media, and your manager or CEO may want access to Facebook as well. In that case, create a rule above the block rule that allows access to Facebook for the manager's computer and the social media team's IP addresses. Because the exception is keyed on source IP address, give those machines static addresses or DHCP static mappings so the addresses do not drift, and be aware that anyone able to set their own IP address to one of them inherits the exception.
Here is how to do it.
Go to Firewall => Aliases and click the + sign to create an alias called allowed_to_access_fb. For Type select Host and enter as many IP addresses as you want to have access to Facebook.
Now click save and apply changes.
Go back to Firewall => Rules => LAN and click the + sign to add a new rule.
Set Action to Pass
Interface to LAN
Protocol to TCP/UDP
TCP/IP Version to IPv4
Source type to Single host or alias and then select the alias “allowed_to_access_fb”
Destination type to Single host or alias and then select the alias “fb_blocker_list”
Now save and apply changes. Then check the order of the rules on the LAN tab: pfSense evaluates them top to bottom and the first rule that matches wins, so the pass rule must sit above the block rule or it never fires. Drag it into place if necessary and apply changes again.
Try to access facebook.com from one of the allowed IP addresses; it should load, while the other computers on the LAN remain blocked.
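The rule ordering and the IPv4-only gap are easy to get wrong in the GUI, so here is a small model of how pfSense evaluates the LAN ruleset: top to bottom, first match wins, with each rule applying only to its own address family. It is an added example written for this page, not pfSense code; every address in it is a documentation range standing in for the real aliases, allowed_to_access_fb and fb_blocker_list are the aliases created above, and fb_blocker_list_v6 is an assumed name for the IPv6 alias a dual-stack LAN would need.

```python
"""Model of pfSense LAN rule evaluation: top to bottom, first match wins.

Added example written for this page; it is not pfSense code. The alias
contents are constructed documentation ranges, not Facebook's addresses.
"""
import ipaddress

# Alias contents as pfSense would hold them (constructed sample data).
ALIASES = {
    "fb_blocker_list": ["203.0.113.0/24", "198.51.100.0/24"],
    "fb_blocker_list_v6": ["2001:db8:ff00::/40"],   # assumed name, see lead-in
    "allowed_to_access_fb": ["192.168.1.10", "192.168.1.11"],
}


def _matches(addr, alias):
    """True if addr falls inside the alias; 'any' matches every address.
    An IPv6 address tested against an IPv4 network is simply False."""
    if alias == "any":
        return True
    return any(addr in ipaddress.ip_network(entry) for entry in ALIASES[alias])


def rule(action, src, dst, ipver=4):
    """One LAN rule. action: 'pass', 'block' or 'reject'. src/dst: an alias
    name or 'any'. ipver: the TCP/IP Version selector of the GUI."""
    return {"action": action, "src": src, "dst": dst, "ipver": ipver}


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first rule that matches src_ip -> dst_ip.
    Rules for the other address family are skipped. If nothing matches the
    packet hits the interface default, which on pfSense is deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["ipver"] != d.version:
            continue
        if _matches(s, r["src"]) and _matches(d, r["dst"]):
            return r["action"]
    return "default-deny"


# The LAN ruleset this guide builds, in the order it must have.
LAN_RULES = [
    rule("pass", "allowed_to_access_fb", "fb_blocker_list"),
    rule("block", "any", "fb_blocker_list"),
    rule("pass", "any", "any"),            # stock "Default allow LAN to any"
    rule("pass", "any", "any", ipver=6),   # stock "Default allow LAN IPv6 to any"
]

# Same rules with the exception dragged below the block: the exception is dead.
WRONG_ORDER = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2], LAN_RULES[3]]

# What a dual-stack LAN needs: an IPv6 block above the IPv6 default allow.
DUAL_STACK_RULES = [rule("block", "any", "fb_blocker_list_v6", ipver=6)] + LAN_RULES


def main():
    checks = [
        ("allowed host, v4", LAN_RULES, "192.168.1.10", "203.0.113.5"),
        ("other host, v4", LAN_RULES, "192.168.1.50", "203.0.113.5"),
        ("other host, v6", LAN_RULES, "2001:db8:1::50", "2001:db8:ff00::1"),
        ("allowed, wrong order", WRONG_ORDER, "192.168.1.10", "203.0.113.5"),
        ("other host, v6, fixed", DUAL_STACK_RULES, "2001:db8:1::50", "2001:db8:ff00::1"),
    ]
    for label, rules, src, dst in checks:
        print(f"{label:22} {src:>16} -> {dst:<18} {evaluate(rules, src, dst)}")


if __name__ == "__main__":
    main()
```

The third check is the one to look at: with only the IPv4 rules in place, a client with working IPv6 falls straight through to the stock IPv6 allow rule and loads the site, which is why the block has to be duplicated for each address family the LAN actually carries.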
Next, we will look at how to monitor and block HTTPS traffic with pfSense using certificates.