Content Filtering - PfSense

ajrbservices · July 11, 2020, 1:19pm

Hi All,
I have a pfsense VM with a Windows VM behind it. I would like to enable content filtering using squid (or similar). But from the videos I can only see the ability to block for all users or no users…
Is there a way to integrate with Active Directory where it blocks based on user groups etc, but without the need for the user to enter credentials in the browser?

E.g. A school setup with pfsense, we want teachers to access facebook.com, but not pupils. We would like teacher machines to automatically authenticate through some form of AD SSO with the firewall, so if they go to facebook, it just works… For the students, we would like a custom block page…

Is this possible? Any help would be appreciated - I have taken to google, but a lot of the responses there seem very contradictory.

Thanks a bunch

David · July 11, 2020, 2:32pm

Not possible with pfsense. If you want per-user domain group based access, you are looking at next-gen firewalls just as fortigates (and equivalent rivals).

ajrbservices · July 11, 2020, 2:44pm

Damn it! Thank you for your reply , I was really hoping that this would be possible

Acestes · July 11, 2020, 4:38pm

It might not be possible with groups, but I think you can have a different set of rules for a different network/VLAN, I’m sure I’ve done that in the past. So if the teachers are accessing things from a different VLAN to the students it may be possible.

LTS_Tom · July 11, 2020, 4:39pm

Untangle is another option that offers filtering like this. I know there are ways to get it working in pfsense, but there is nothing easy or simple about doing it and we don’t offer any support for that type of configuration.

Acestes · July 11, 2020, 4:49pm

A quick Google reveals this https://www.pf2ad.com/en/index.html which allows for NTLM authentication with pfSense so no credentials have to be entered when an ACL via LDAP is used with squid etc. Please note I’ve never used this and have quite literally just found it via Google, so please do your own research into it, however I thought it might be of interest to you and worth considering.

ajrbservices · July 11, 2020, 5:12pm

Thanks all for your input on this. Acestes, I will look into this - much appreciated!!

Greg_E · July 12, 2020, 12:47pm

I haven’t set this up, but it think e2guardian can do this. I have it set up to blanket block everything, then define a list of places we allow the students to get. The worst part might be that it isn’t an approved package for pfsense, so a couple of hoops to jump through to get it installed, and the same hoops every time you upgrade pfsense.

xMAXIMUSx · July 14, 2020, 2:12pm

You can have your cake (pfsense) and eat it too. Just use something like nxfilter. You’ll just need to set the upstream DNS properly. If teachers are on another VLAN then you can set policies on that IP range.