Guest WiFi Content Blocking & pfSense Performance Optimization

Hello everyone,

I hope you’re all doing well.

I run a small business, and I have a network setup with 7 VLANs—5 internal VLANs, one for CCTV, and one for Guest WiFi.

I need some suggestions on how to block certain content on the Guest WiFi side. Specifically, I want to block things like advertisements, torrents, adult content, etc. I’ve enabled pfBlocker on the Guest WiFi VLAN, which blocks some sites, but it only works the first time a site is visited. After that, the website resolves automatically.

I understand that it’s not possible to block everything, but I’ve managed to block most sites on my internal network using a software firewall (Bitdefender Endpoint Security).

What I’d like to do is ensure that the Guest WiFi side has proper blocking in place and that blocked users are shown a message like, “This site is blocked by the firewall” or “Access to this site is not allowed.”

If I need to install other packages or make additional configurations, I’m open to that, but I’d appreciate some guidance on the best approach.

My current pfSense setup:

  • Intel Celeron CPU 2 Core
  • 2 GB DDR3 RAM
  • 2-Port Dual Intel NIC (2 ports for dual internet connections)
  • 1 Internal NIC (connected to a switch)
  • pfSense 2.8.0 CE

Estimated devices:

  • Wired: 40
  • WiFi: 20-25

Right now, I have pfBlocker enabled on the Guest WiFi outbound side and WAN inbound side. My CPU usage spikes up to 99%.

If I need to upgrade the hardware, please advise. Or if I’m doing anything wrong with my setup, I’d appreciate any feedback.

Thanks in advance!

Besides what is offered with pfBlocker, this is not really a feature of pfSense.

1 Like

I am not sure if you need to upgrade your hardware or not. My guess is yes you do, but without seeing a top screenshot or something similar to see what is driving your 99% CPU utilization, it's hard to say. DDR3 RAM is kind of old at this point, and two cores doesn't seem like enough. Leaving that aside, here's what I would do about your blocking:

  1. Turn on the DNS Resolver in pfSense and set pfSense to use the local resolver first before reaching out to remote servers.
  2. Set your remote DNS servers to something like Cloudflare 1.1.1.3, which blocks malicious sites and adult content.
  3. Block external client DNS access as well as the "canary" URL that Firefox uses for DNS over HTTPS (see "Blocking External Client DNS Queries" in the pfSense documentation).
  4. Set up pfBlocker NG as you did previously.
  5. If you really want to lock it down, use the pfBlocker lists that block DNS and DoH.
  6. I am not sure how to display a block message. I guess instead of using a virtual IP for the DNSBL configuration you could point it at a simple Nginx web site that displays your message.

1 Like
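Steps 3 and 5 in the list above depend on getting the guest VLAN rule order right: pfSense evaluates interface rules top to bottom and the first match wins, so a "block DNS to anywhere" rule placed below a general allow never fires. The following is an added example, not code from this thread or from pfSense, that models that first-match evaluation so the intended posture (DNS only to the firewall, no DoH endpoints, everything else through) can be checked offline before building the rules in the GUI. The guest subnet, client addresses and the contents of the DoH alias are constructed sample values; the Unbound `local-zone ... always_nxdomain` line for the Firefox canary domain `use-application-dns.net` is the form used in the DNS Resolver's custom options.

```python
"""Offline check of a pfSense-style first-match rule set for a guest VLAN.

Added example, not part of the thread or of pfSense. Rule semantics mirror
pfSense interface rules: evaluated top to bottom, first match wins, and
traffic that matches nothing is denied by default.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_NET = ip_network("192.168.50.0/24")       # constructed guest VLAN
FIREWALL_ADDR = ip_address("192.168.50.1")      # pfSense address on that VLAN
CANARY_DOMAIN = "use-application-dns.net"       # Firefox DoH canary domain

# Constructed stand-in for a pfBlocker "DoH" alias; the real lists are larger.
DOH_ALIAS = {ip_network("1.1.1.1/32"), ip_network("9.9.9.9/32")}


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp", "tcp/udp" or "any"
    dst: object             # ip_network, set of ip_network, or "any"
    dport: Optional[int]    # None means any destination port
    descr: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def _dst_matches(rule_dst, pkt_dst: str) -> bool:
    if rule_dst == "any":
        return True
    nets = rule_dst if isinstance(rule_dst, set) else {rule_dst}
    addr = ip_address(pkt_dst)
    return any(addr in net for net in nets)


def evaluate(rules, pkt: Packet):
    """Return (action, description) of the first rule that matches pkt."""
    for rule in rules:
        if (_proto_matches(rule.proto, pkt.proto)
                and _dst_matches(rule.dst, pkt.dst)
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action, rule.descr
    return "block", "default deny"


# The order the thread's steps call for: DNS only to the firewall itself,
# then block DNS and DoH to everything else, then a general allow.
GUEST_RULES = [
    Rule("pass", "tcp/udp", ip_network(f"{FIREWALL_ADDR}/32"), 53, "DNS to this firewall only"),
    Rule("block", "tcp/udp", "any", 53, "block DNS to outside resolvers"),
    Rule("block", "tcp", DOH_ALIAS, 443, "block DoH endpoints (pfBlocker alias)"),
    Rule("pass", "any", "any", None, "guest default allow"),
]


def check_guest_posture(rules=GUEST_RULES):
    """Probe the rule set with the traffic a DNS bypass attempt would produce."""
    client = "192.168.50.20"  # constructed guest client
    probes = {
        "dns_to_firewall": Packet(client, str(FIREWALL_ADDR), "udp", 53),
        "dns_to_google": Packet(client, "8.8.8.8", "udp", 53),
        "doh_to_cloudflare": Packet(client, "1.1.1.1", "tcp", 443),
        "plain_https": Packet(client, "93.184.216.34", "tcp", 443),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in probes.items()}


def unbound_custom_options(canary_domains=(CANARY_DOMAIN,)) -> str:
    """Text for DNS Resolver > Custom Options: answering the canary domain
    with NXDOMAIN tells Firefox not to enable DoH automatically."""
    lines = ["server:"]
    lines += [f'local-zone: "{domain}" always_nxdomain' for domain in canary_domains]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, verdict in check_guest_posture().items():
        print(f"{name:18} {verdict}")
    print(unbound_custom_options())
```

The `pass DNS to this firewall` rule has to sit above the block so that the guest clients can still reach the Resolver; blocking 1.1.1.1 for clients does not affect the firewall's own upstream lookups to 1.1.1.3, because interface rules apply to traffic entering the guest VLAN, not to queries the firewall itself originates. Reversing the list (allow first) is the classic mistake: every probe then matches the general allow and the blocks never apply.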

The other thing you could do is use OpenDNS as the DNS resolver for the guest network. They offer all the features you are looking for (category blocking) as well as a custom screen you can design when a website is blocked. You would still need to use pfBlocker though to prevent smart users from reaching their own DNS servers.

1 Like

I will do that and let you know how much I can achieve.

Thanks for your help.

1 Like

Just asking this out of curiosity — I’ve been following you for many years, and I’ve learned a lot from your deployments. If you were in my position, what would you use instead of pfSense to achieve these goals?

Back in 2020, I migrated my entire business from a small, cheap router to pfSense and a managed switch, and I’ve never looked back. But recently, I’ve been looking to accomplish these blocking things on Guest WiFi.

Would you recommend anything other than pfSense to achieve this?

Also, I’m going to try what @Louie1961 suggested and see how it goes.

2 Likes