Block outbound internet access for certain subnets except for certain websites

I’ve set up Squid + SquidGuard on a pfSense unit, to perform only ACLs (cache is not needed, I’ve lots of bandwidth here) for certain networks, through transparent mode, and I am having issues (mostly with dynamic websites, like where sometimes it doesn’t display the webpage) with HTTPS on browsers, because of the problematic MiTM.

I’ve read that deploying a WPAD script through DHCP could solve this problem, but I’ve not yet tried it, or even read anywhere of someone who has his setup running flawlessly.

Before setting up this proxy, I was using simple firewall rules, and I was trying to organize it better per subnet through a proxy, but I know that implementing proxies can be a struggle (and I am seeing it now), so I don’t know if, by going with the WPAD strategy, I am in reality shooting myself in the foot, with end users using Android, iOS, macOS, Windows XP (to control industrial machines where upgrading is an issue), Windows 10 …

I also know the DNS blocking way with pfBlocker, but I don’t know if this is feasible for this case or even scalable.

How do you usually do it? Or what do you recommend?

Thanks in advance!