Block Facebook and YouTube for Specific IPs While Allowing Others on the same network

Hi everyone,

I’m having trouble finding a clear answer to this online, which is why I registered here to ask. I’m hoping someone can help.

Current Setup:

  • All users connect through a TP-Link AX1500 Wi-Fi router (configured in Access Point mode).
  • pfSense is handling DHCP, with all user IPs statically reserved to avoid changes.
  • The DHCP DNS is set to point to our Windows Server to support Active Directory.
    • Note: Clients are not joined to the domain, but they use AD credentials to map shared/network drives.
  • For internet access, the Windows Server forwards DNS requests to pfSense.
  • pfSense uses pfBlockerNG to block threats and ads.

What I’m Trying to Achieve:

I want to block access to Facebook, YouTube, and similar sites only for specific users (based on IP address) while allowing access for others.

What I’ve Tried So Far:

  • I’ve configured pfBlockerNG, and it successfully blocks Facebook and YouTube—but the block applies to all users, not just specific ones.
  • I created two alias groups in pfSense:
    • Restricted – contains IPs of users I want to block.
    • Unrestricted – contains IPs of users I want to allow.
  • My goal is to make this change entirely within pfSense, so users don’t need to configure anything on their devices—it should be seamless.

My Question:

Given this setup, is it possible in pfSense to block Facebook, YouTube, etc., for only specific IPs while allowing access for others?

Or, is there a better way to approach this based on the tools and devices I’m currently using?

Any help or suggestions would be greatly appreciated!

I would use DNS blocking with IP exclusions so the unrestricted users can still access everything else. You should be able to permit the IPs in the DNSBL config. I would also NAT all outbound DNS traffic to your pfSense LAN IP so it forces all DNS queries to your firewall.

Thank you FredFerrell for your reply,

I am new to pfSense; I have been looking for that option to exclude IPs (Alias: Unrestricted) in pfBlockerNG DNSBL (also tried the pfBlockerNG_devel version) but with no luck. Could you confirm that this option is there, and could you elaborate more?

One simple method, since you have static IPs for these users, is to create 2 aliases. One is for the domains you want to block (youtube and facebook). The second is for the IPs you want to block these domains from. Make a block rule on the interface you need and this would stop them.

Screenshots


Blocked domains

IPs to block domains

Thank you, xMAXIMUx, for your reply.

I’ve tried this approach before, and if I recall correctly, it worked for Facebook but not for YouTube.

Does the Blocked_Domains alias use the IP addresses of websites like Facebook and YouTube? If so, wouldn’t those IP addresses change frequently?

I’m really curious about how you’ve set up the Blocked_Domains alias. Would you mind sharing the details with me?

I tested this and it works for me in my lab.

It’s possible, but notice in the fine print about using FQDN in my screenshot.

Alias setup

Thank you xMAXIMUSx;

That was what I tried before; it works on Facebook. It also works on “youtube.com” but not “www.youtube.com”, even if I add “www.youtube.com” to the FQDN list. If my users search Google for YouTube, they will get the “youtube.com” search result and so they cannot access it. But if they type www.youtube.com in the browser’s address bar, then it works.

Can you confirm this is true for you as well?

Then simply add www.youtube.com to your alias. It should update the IPs.

Edit:
Running a DNS query shows these results.

Resolved IP addresses of "www.youtube.com": ["172.217.0.174","142.250.190.46","142.250.191.206","142.250.190.110","142.250.190.142","172.217.4.46","142.250.191.174","142.250.190.14","172.217.2.46","142.251.32.14","142.250.191.142","142.250.191.238","142.250.191.110","172.217.5.14","142.250.190.78","172.217.1.110","2607:f8b0:4001:c66::5b","2607:f8b0:4001:c56::5b","2607:f8b0:4001:c66::be","2607:f8b0:4001:c56::88"]
Resolved IP addresses of "youtube.com": ["209.85.145.190","209.85.145.91","209.85.145.93","209.85.145.136","2607:f8b0:4001:c01::be","2607:f8b0:4001:c01::5b","2607:f8b0:4001:c01::5d","2607:f8b0:4001:c01::88"].
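
Added example, not written by any poster in this thread: a small Python model of the two approaches discussed above, an IP-based block rule fed by an FQDN alias versus a per-client DNS policy. It assumes the alias table holds only what the firewall last resolved for the listed names; the Restricted client address, the function names and the facebook.com address are hypothetical, while the YouTube addresses come from the DNS output quoted in the thread.

```python
import ipaddress

# Hypothetical "Restricted" alias: client IPs that must not reach the sites.
RESTRICTED = {ipaddress.ip_address("192.168.1.50")}
BLOCKED_DOMAINS = ("youtube.com", "facebook.com")

# Assumed snapshot of the FQDN alias at its last refresh. The youtube.com
# addresses are from the DNS output in the thread; facebook.com is constructed.
ALIAS_SNAPSHOT = {
    "youtube.com": {"209.85.145.190", "209.85.145.91"},
    "facebook.com": {"203.0.113.10"},
}


def ip_rule_blocks(src, dst, snapshot=ALIAS_SNAPSHOT):
    """Firewall-style check: restricted source AND destination in alias table."""
    table = {ipaddress.ip_address(a) for ips in snapshot.values() for a in ips}
    return ipaddress.ip_address(src) in RESTRICTED and ipaddress.ip_address(dst) in table


def dns_policy_blocks(src, qname, domains=BLOCKED_DOMAINS):
    """Resolver-style check: restricted source AND name is a blocked domain
    or any subdomain of one (matched on label boundaries)."""
    if ipaddress.ip_address(src) not in RESTRICTED:
        return False
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def compare(events):
    """Return (client, qname, ip_rule_verdict, dns_policy_verdict) per event."""
    return [(c, q, ip_rule_blocks(c, dst), dns_policy_blocks(c, q))
            for c, q, dst in events]


# Constructed events: (client IP, name typed, address the client connected to).
EVENTS = [
    ("192.168.1.50", "youtube.com", "209.85.145.190"),
    ("192.168.1.50", "www.youtube.com", "142.250.190.46"),  # not in snapshot
    ("192.168.1.60", "www.youtube.com", "142.250.190.46"),  # unrestricted user
    ("192.168.1.50", "notyoutube.com", "198.51.100.7"),     # must not match
]

if __name__ == "__main__":
    for row in compare(EVENTS):
        print(row)
```

The second event is the case reported in the thread: the destination address is not in the alias snapshot, so the IP rule passes it, while the name-based policy still matches the subdomain for the restricted client only.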

Thanks Everyone,

I wanted to share my recent success with AdGuard Home. After some consideration, I decided to try out AdGuard Home, so I installed Raspberry Pi Desktop on a used computer and ran AdGuard Home on it. I then configured my pfSense DHCP settings to point to AdGuard Home’s IP address, allowing me to handle all DNS-based content filtering there.

I’m extremely pleased with AdGuard Home; it provides everything I need (and more!) with remarkable ease of use.

As an extension, I also implemented this setup on my home network by installing AdGuard Home directly on my Synology NAS, and I also redirected DNS from my router’s DHCP setting to my Synology (AdGuard) IP address. It works great.

Highly recommend giving it a try if you’re looking for an efficient ad-blocking and DNS filtering solution for FREE.

I wish AdGuard Home could run straight on pfSense in the future.

Cheers!