URL filtering in pfsense (not Squid)

Hello!

Any suggeestions on URL filtering in pfsense, besides Squid-Squidguard?

Best regards

K

Have you tried pfBlocker-Ng. It’s can’t filter on URIs but it can filter out FQDNs. (ie. it can block Reddit as a whole but not specifically /r/pfsense.

Dont think it can do SSL/TLS HTTPS URLs which is what is of real value nowadays. I tried doing it within PFB blacklist but no luck due to HTTPS. If it is doable on HTTPS please let me know, I am trying to do it via squid which when activated keeps crashing my system.

PFSense may not be the solution if you want to do url filtering - Untangle is the product

It is doable, but it’s a tedious process and you will have to generate your own certificates and roll them out to the certificate stores on your clients in order to do full SSL inspection.

In order to block URLs you could also use “Splice Whitelist and Bump otherwise”. That will save you from rolling out certs to the clients, but otherwise makes maintaining it even more tedious, because many websites and services don’t play well with that. So you will probably find yourself manually maintaining a list with bypass rules… I had set it up that way a few years ago following this video and then removed it again because it caused too many issues.

So If you only need URL filtering, I would recommend using a DNS blocker like pfblockerNG. See also here: Why I Prefer DNS Blocking Over Squid Proxy Filtering in pfsense - YouTube

Squid needs a decent CPU in order to work properly. if I remember correctly, it didn’t support HW accelaration on pfSense and could only utilize one CPU core when I tested it. Not sure if that has changed in the meantime…

Untangle which apperantly goes by NG Firewall now, also uses Squid for their Webfilter in the backend but it’s probably better optimized on Linux than it is on FreeBSD / pfSense. Also Arista provides you with a large URL database out of the box. But while web filtering on Untangle is indeed more turnkey, you will still have to manually intervene when issues with certain web services arise. And they will arise!

Btw. if you want to use HTTP/3 respectively QUIC for certain services, you may start creating bypass rules right now… :wink: