Max Baumgarten

Easy Web Filtering with pfSense


Setting up web filtering for your home or business does not need to be an expensive or cumbersome ordeal. Using free, open-source tools, we can set up web filtering for an entire network using pfBlockerNG and pfSense, a free, open-source router/firewall OS. This will work for most systems and browsers, but there are a few caveats I’ll talk about at the end of the guide.

1. Requirements

  • pfSense already set up and operating as your primary firewall/DNS server

  • Basic understanding of pfSense

  • URL filtering lists

  • 10 minutes


Here is our simple network:

WAN: 10.100.10.9
LAN: 192.168.1.1/24

We have a simple WAN/LAN setup: four endpoints on the 192.168.1.0/24 network and a single pfSense firewall/router at the edge. The pfSense box is handling all our DHCP and DNS requests.


This guide can be applied to any type of network setup. However, the critical requirements are that your DNS queries are going to pfSense and that traffic is routed through pfSense in order to reach the internet. (More on this later...)

Simple pfSense setup


Notice I have an external DNS server set up on the pfSense box itself at 10.100.100.100. We are going to make sure that the only way to reach that DNS server, or any other DNS server, is through this pfSense box.

2. Installing pfBlockerNG


The first step is to install the pfBlockerNG plugin on your pfSense instance.



Click Available Packages, find pfBlockerNG, and click Install (note that this guide uses the development version of the package).

3. Set up Your Firewall Rules


Because we are using DNS-based filtering, we need to ensure that DNS queries are always answered by pfSense. Anyone who knows the basics of networking on Windows, Linux, or Mac knows how easy it is to change your DNS settings and point at whatever DNS server you want.


In order to prevent this, we are going to BLOCK all DNS requests that go anywhere besides pfSense. These rules are going to be set up on our simple LAN network, but can be done for all your different networks/subnets just as easily.


First, we need to make an ALLOW/PASS rule to allow DNS requests to our pfSense server. Under Firewall > Rules add a new rule:

Rule Information:

  • Action: Pass

  • Interface: LAN

  • Protocol: UDP

  • Source: Any

  • Destination: Single host or alias - 192.168.1.1

  • Destination Port Range: From - DNS, To - DNS

  • Description: Allow internal DNS requests

NOTE: Make sure to hit Save :)


Next, we will make a DENY/BLOCK rule that blocks ALL DNS requests going anywhere.

Rule Information:

  • Action: Block

  • Interface: LAN

  • Protocol: UDP

  • Source: Any

  • Destination: Any

  • Destination Port Range: From - DNS, To - DNS

  • Description: Block all other DNS

NOTE: Make sure to hit Save :)


Your policy should include at least these two rules for port 53 (ignore the Anti-Lockout Rule):

Your Allow rule to the pfSense internal interface must come BEFORE the BLOCK rule for all remaining DNS traffic, because pfSense evaluates rules top to bottom and the first match wins.


This ruleset will block any DNS traffic going anywhere besides pfSense. This will make changing the DNS servers on an endpoint a useless endeavor as the DNS traffic will not reach any DNS server.
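The same two rules written in pf syntax, as an added illustration that is not pfSense's generated ruleset (pfSense builds its own rules from the GUI; the interface name em1 is an assumption). It goes slightly beyond the GUI steps above by matching TCP as well as UDP on port 53, since DNS also runs over TCP; in the GUI that corresponds to choosing Protocol: TCP/UDP instead of UDP.

```pf
# Added example in pf syntax, not pfSense's own generated rules.
# pfSense interface rules are "quick": the first matching rule wins,
# so the pass rule must precede the block rule, exactly as in the GUI.
lan_if  = "em1"              # assumption: your LAN interface name
lan_net = "192.168.1.0/24"   # from the guide's network
pf_dns  = "192.168.1.1"      # pfSense LAN address / internal resolver

# Allow internal DNS requests to the pfSense resolver (UDP and TCP 53)
pass  in quick on $lan_if proto { udp, tcp } from $lan_net to $pf_dns port 53

# Block all other DNS, whatever the destination
block in quick on $lan_if proto { udp, tcp } from any to any port 53
```

Choosing Block rather than Reject means clients simply get no answer (a timeout), which is what the nslookup test later in the guide shows.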

4. Setup pfBlockerNG


Next, we're going to set up pfBlockerNG.


First, let's go to the pfBlockerNG settings. Go to Firewall > pfBlockerNG

The first thing to do is enable pfBlockerNG; remember to hit Save at the bottom.

Next, we are going to go to the DNSBL section in pfBlockerNG.

Here is where we can set up DNS blocking for our entire network.


The first thing to do is enable DNSBL.


The next step is to decide what our DNSBL Virtual IP is going to be. The DNSBL Virtual IP is the address that every domain on your block lists resolves to, so clients are sent to a local address instead of the real site.


This should be an address in the private address space. For example, in my network, my subnet is on 192.168.1.0/24. I decided to just use 172.16.16.16 as I don’t plan on ever using that network.


Use whichever virtual IP you want or copy mine, but just make sure to hit save on the bottom!

5. Adding DNSBL Feeds


Now we need to add some URL/Domain feeds to pfBlockerNG for our DNS Blocklist. Getting URLs is very easy and free. There are tons of free resources online with constantly updated feeds of URLs/domains.

Here are some websites that I use:

https://blocklist.site/app/ - Great website with clear categories for many different block lists


OISD Block List - Great blocklist for ads created by a reddit user


Steven Black Block List - Great collection of domains to block split into categories.


You can choose as little or as many categories as you want.


Within DNSBL, go to DNSBL Feeds and hit Add.

In this guide, we are going to block all Gambling and Drug related domains. Start by filling out the DNS GROUP Name and Description.


  • DNS GROUP Name: Drugs and Gambling

  • Description: List of drugs and gambling domains


Next, we need to start adding DNS block lists. Using one or more of the websites above, we can add as many lists as we want to this DNS Group. In this case, I am going to add some URLs for lists of drugs and gambling domains.


Here’s how to grab a domain list from https://blocklist.site/app/

View and Pick your Categories

Hit More Info (or, if you are grabbing multiple lists, select each List and the URLs will appear at the top).

Copy and paste the download Link.


Add the link to your DNSBL Feed entries. Hit Add if you need to add more than one.

Make sure each header/label is unique. You can call them whatever you want. You can see I have two different lists for Gambling.


Important: In order to block the domains, you need to set the List Action to Unbound.


Update Frequency - I set mine to once a day. There's no reason to overload the list providers' servers by fetching multiple times a day; once a day is fine.


Here are the settings summarized:

  • DNS GROUP Name: Drugs and Gambling

  • Description: List of drugs and gambling domains

  • DNSBL: Add your links, Format - Auto, State - ON

  • List Action: Unbound

  • Update Frequency: Once a Day


Hit Save.

You should now see your DNS group(s) listed under DNSBL Feeds. Make sure to hit Save on that page as well.

6. Updating Your DNS List


Next, we need to update the DNS List in pfBlockerNG so that we can start filtering.


In pfBlockerNG, go to the Update tab and hit Run; you should see your lists download and update.

That’s it! You can see on the pfSense homepage a new dashboard module for pfBlocker.

7. Let’s Test!


Using the command prompt on a Windows machine, running ipconfig shows our DNS server is 192.168.1.1, which is the IP address of our pfSense box.

Let's see what happens when we try to go on some gambling or drug sites:

As you can see, visiting any domain on our block lists resolves to the DNSBL Virtual IP and a 1x1 pixel is returned to the end user. Regular sites continue to work as normal, but banned sites on the list show up as a blank pixel in a web browser.

Remember we made those DNS BLOCK rules earlier? Let's see what happens when a user tries to go around them by changing the DNS settings on their endpoint:

As you can see, performing an nslookup from the command prompt against external DNS servers does not yield any results. This is because we've blocked ALL DNS queries except those to the pfSense box.
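The same two checks can be scripted so they are repeatable after every rule or feed change. The script below is an added example, not part of the original post: it builds raw DNS A queries with the Python standard library, parses the answers, and reports whether a name was redirected to the DNSBL Virtual IP (blocked), answered normally (allowed), or got no reply at all (what the LAN block rule should produce for any resolver other than pfSense). It assumes the addresses from this guide (pfSense at 192.168.1.1, DNSBL VIP 172.16.16.16); EXTERNAL_RESOLVER is a placeholder for any resolver outside the LAN, used only to confirm the block rule.

```python
"""Verify DNSBL redirection and the LAN DNS egress block (added example)."""
import socket
import struct
import sys

PFSENSE_DNS = "192.168.1.1"        # from the guide
DNSBL_VIP = "172.16.16.16"         # DNSBL Virtual IP from the guide
EXTERNAL_RESOLVER = "8.8.8.8"      # placeholder: any resolver outside the LAN


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursive A query (QTYPE=1, QCLASS=IN) with the given ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(resp: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        offset = skip_name(resp, offset) + 4
    ips = []
    for _ in range(ancount):
        offset = skip_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[offset:offset + 4]))
        offset += rdlen
    return ips


def build_response(query: bytes, ips: list, ttl: int = 60) -> bytes:
    """Construct a reply to `query` with the given A records (for offline
    self-checks). The name is referenced by a compression pointer to
    offset 12, as real resolvers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += socket.inet_aton(ip)
    return header + query[12:] + answers


def classify(ips, vip: str = DNSBL_VIP) -> str:
    """'blocked' if every answer is the DNSBL VIP, 'allowed' if real
    addresses came back, 'empty' if no A records, 'unreachable' if no reply."""
    if ips is None:
        return "unreachable"
    if not ips:
        return "empty"
    return "blocked" if all(ip == vip for ip in ips) else "allowed"


def query(server: str, name: str, timeout: float = 2.0):
    """Send one UDP query; return the answer IPs, or None when no reply
    arrives (expected when the firewall drops DNS to non-pfSense servers)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:                # timeout, or ICMP unreachable if Reject
            return None
    if data[:2] != q[:2]:
        return None                    # transaction ID mismatch: ignore
    return parse_a_records(data)


if __name__ == "__main__":
    names = sys.argv[1:] or ["example.com"]
    for server in (PFSENSE_DNS, EXTERNAL_RESOLVER):
        for name in names:
            print(f"{server:>15}  {name:<30} {classify(query(server, name))}")
```

Run it from a LAN client with one or more domains from your block lists as arguments: the pfSense column should read "blocked" for listed names and "allowed" for everything else, while the external resolver column should read "unreachable" for every name if the block rule is working.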

8. Exceptions


This is not a foolproof method for web filtering. Some browsers, such as Mozilla Firefox, use DNS-over-HTTPS by default, which renders this system useless: pfSense, or any DNS service in general, cannot control or filter queries that travel inside an encrypted HTTPS connection. Firefox's DNS-over-HTTPS is set up with Cloudflare.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https


If your users use Firefox in your organization, you may want to consider the enterprise version of Firefox, control its settings using policies, and disable DNS-over-HTTPS there. https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/manage-settings-policy


Additionally, this will not prevent someone from reaching a blocked website by IP address. Because only name resolution is filtered, someone could look up the IP for the desired site elsewhere and connect to it directly instead of using DNS.


9. Conclusion


I hope you found this guide useful. This is a quick and easy way to set up DNS filtering at home using pfSense. This guide can also help you set up network-wide ad and tracker blocking for your whole home or business.


There are some other alternatives out there for content filtering such as Pi-Hole and some paid options from Check Point, Fortinet, or other security vendors. Reach out for any questions about different filtering options.


Please reach out to us if you have any questions about setting up content filtering or pfSense for your home or business.


Email: contact@spikefishsolutions.com


Follow us @teamspikefish on Twitter/Instagram

© Spikefish Solutions Inc. All Rights Reserved