URL filtering in pfsense (not Squid)

Hello!

Any suggestions on URL filtering in pfsense, besides Squid-Squidguard?

Best regards

K

Have you tried pfBlocker-Ng? It can’t filter on URIs but it can filter out FQDNs (i.e. it can block Reddit as a whole but not specifically /r/pfsense).

Don’t think it can do SSL/TLS HTTPS URLs, which is what is of real value nowadays. I tried doing it within PFB blacklist but no luck due to HTTPS. If it is doable on HTTPS please let me know. I am trying to do it via squid, which when activated keeps crashing my system.

PFSense may not be the solution if you want to do URL filtering - Untangle is the product.

It is doable, but it’s a tedious process and you will have to generate your own certificates and roll them out to the certificate stores on your clients in order to do full SSL inspection.

In order to block URLs you could also use “Splice Whitelist and Bump otherwise”. That will save you from rolling out certs to the clients, but otherwise makes maintaining it even more tedious, because many websites and services don’t play well with that. So you will probably find yourself manually maintaining a list with bypass rules… I had set it up that way a few years ago following this video and then removed it again because it caused too many issues.

So if you only need URL filtering, I would recommend using a DNS blocker like pfblockerNG. See also here: https://www.youtube.com/watch?v=DNGaJPM1yjQ

Squid needs a decent CPU in order to work properly. If I remember correctly, it didn’t support HW acceleration on pfSense and could only utilize one CPU core when I tested it. Not sure if that has changed in the meantime…

Untangle, which apparently goes by NG Firewall now, also uses Squid for their Webfilter in the backend but it’s probably better optimized on Linux than it is on FreeBSD / pfSense. Also Arista provides you with a large URL database out of the box. But while web filtering on Untangle is indeed more turnkey, you will still have to manually intervene when issues with certain web services arise. And they will arise!

Btw. if you want to use HTTP/3 respectively QUIC for certain services, you may start creating bypass rules right now… :wink:
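
The replies above distinguish FQDN-level blocking (a DNS blocker, or Squid splicing on the hostname) from full URL filtering (Squid bumping TLS with a CA rolled out to clients). The following is an added example, not code from the thread or from pfSense, pfBlockerNG or Squid: a small Python model of what each filtering point can observe of one HTTPS request, and which rules it can therefore enforce. The blocklist entries, mode names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration: one whole domain, one URL path.
BLOCKED_DOMAINS = {"ads.example"}
BLOCKED_URL_PREFIXES = {"www.reddit.com/r/pfsense"}

def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def visible(url, mode):
    """Return (host, path) as seen by the filter; path is None if hidden.

    dns    : FQDN from the DNS query (a DNS blocker)
    splice : FQDN from the TLS SNI, tunnel left encrypted
    bump   : full URL, TLS decrypted using a CA the clients trust
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if mode in ("dns", "splice"):
        return host, None
    if mode == "bump":
        return host, parts.path or "/"
    raise ValueError(f"unknown mode: {mode}")

def decide(url, mode):
    """Apply the policy using only what this mode can observe."""
    host, path = visible(url, mode)
    if host_matches(host, BLOCKED_DOMAINS):
        return "block"
    if path is not None:
        full = host + path
        if any(full == p or full.startswith(p + "/") for p in BLOCKED_URL_PREFIXES):
            return "block"
    return "allow"

def unenforceable_rules(mode):
    """URL-path rules that this mode can never match."""
    return sorted(BLOCKED_URL_PREFIXES) if mode != "bump" else []

if __name__ == "__main__":
    for url in ("https://www.reddit.com/r/pfsense/comments/1",
                "https://www.reddit.com/r/homelab",
                "https://cdn.ads.example/x.js"):
        print(url, {m: decide(url, m) for m in ("dns", "splice", "bump")})
```

Running `unenforceable_rules("dns")` before deploying a policy shows which entries would silently never match unless TLS is bumped or the whole FQDN is blocked instead.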