next »

[Chewy]

I've called this a "user's experience" rather than a how-to because your mileage may vary if you follow in my foot steps. My requirement is what I already have from Smoothwall: A content filtering system, for use at home, to flag and block when a page is probably inappropriate content. The reason I want to change is that I believe PFsense is a better firewall but before Marcello built this excellent package I was missing content filtering.

Basic Install

Firstly install PFSense and ensure that it is working. You should have internet access but no filtering. Don't install any packages before you install Dansguardian, they may work but it's not what I did. In my set up I have a WAN interface pointing at the ISP and a LAN interface with the IP address 10.0.2.1

In the web interface go to: System>Packages>Available Packages and select Dansguardian
Click on the install button and wait for the installation to complete (It takes a fair amount of time so be patient)

Setup

Go to: Services>Dansguardian
Click on Enable Dansguardian
Listen interface - LAN
Listen Port - 8080
Proxy IP - 10.0.2.1 (My PFSense box)
Proxy Port - 3128

Go to the bottom and click Save

Check that DG is running Status>Services

At this point I found there was nothing listening on port 3128 (sockstat -4l) which I didn't expect because I thought the package installed Squid so either I missed something or I was just wrong, either way, I decided I'd install squid from the package.

In the web interface go to: System>Packages>Available Packages and select Squid
Squid configuration (optional)
Visible host name - "your host name"
save

Now there is a squid server listening on 3128
Go back to Services>Dansguardian and click save in order to recycle DG

Testing the set up

Set up your web browser to use Dansguardian and Squid. For Firefox proceed as follows:

Tools>Options
Network Tab>Settings>Manual Proxy configuration

 HTTP Proxy - 10.0.2.1 (IP of your dansguardian/PFsense machine)
 Port - 8080

 Tick - Use this proxy for all protocols

Now try to access both a good site and a bad site:

google.com - Good
tits.com - Bad (or any other bad site)

If you can access the good but not the bad everything is working as expected.

Now I want to add a transparent proxy. I believe that the package author prefers to use WPAD/PAC/auto configuration with dns+dhcp as opposed to a transparent proxy. I agree that it's better for a professional set up in a company but for me I just want to stop my daughters from inadvertently finding the wrong things on the net when browsing at home. In this use case I find the transparent proxy mush easier.  

There is a tick box in the squid configuration page that is marked "Transparent Proxy" and promises to redirect everything automagically for you, it doesn't work for a DG set up in my experience.

Add a rule to forward the browsing requests to Dansguardian (thanks to Zgruk for this since I copied it from his post):

Firewall>NAT
Port Forward tab click the + button
Interface: LAN
Protocol: TCP
Source: LAN subnet
Destination: any
Destination Port: HTTP to HTTP
Redirect IP: <the IP of your pfSense box> (10.0.2.1 in my case)
Redirect Target Port: 8080

Click Save and then Apply Changes

Then retry your good and bad test after resetting the web browsers proxy to No proxy and you should get the same results.
There are two other steps you can optionally choose, firstly to block direct access to Squid and hence bypassing DG altogether and secondly to do the same forwarding for HTTPS, the rules are detailed by Zgruk in this post

I haven't done either of these since for my use case it isn't required.

Further configuration

With the base system working I continued to modify some other options. Obviously these are for my own use case and may not be appropriate for your use case.

Naughtiness limit - By default the limit is set very low and since my daughters are teenagers I needed to increase it to a more appropriate limit.
Service>Dansguardian>Groups - Click Edit - Scroll to naughtiness limit and set as appropriate

Mime & Extension types - I find that despite the security risk from embedded virus teenagers like to download mpeg etc.
Service>Dansguardian>Access Lists - Click Edit -  Comment out with # the ones you don't want active as appropriate

URL exception list - Occasionally DG will block perfectly legitimate sites so I have a set of exceptions to allow the odd filtering mistake.  
Service>Dansguardian>Access Lists>Site - Click Edit

That's about it. If I've got things wrong or could have done them in a better way then do let me know. If this short write up helps anyone then it was worth the effort.

[daleq]

Thanks Chewy,

I too have been wanting to use pfSense, but held back due to a lack of content filtering.  Thanks for your installation summary.  I'll give it a try now.

Also, many thanks to marcelloc for his work in creating the package.

[marcelloc]

Chewy,

Thanks for your mini howto and experiencie feedback 

I'm involved on a lot of packages now but if I have some time in the future, I'll try to include transparente mode with a BIG security warning 

att,

Marcello Coutinho

[root2020]

Couple of issues that some people may have. By the way this is a great easy to follow Dans setup, thanks!

#1 When I installed squid my Proxy interface in squid was at "loopback", I changed that to LAN an things are fine now.
#2 Just a note if you use the firewall to redirect port 80 to 8080. Make sure that your firewall rule that was created by the portforward, is located above your "LAN-any" rule so that it gets executed properly.

[Wezz]

I did get the Dansguardian to work if I manually set the proxy, but I've added the rules to FW without any luck.
I've put the rule
Proto: TCP
Source: LAN net
Port: *
Destination: 192.168.1.1
Port: 8080
above the lan-any rule, so it should work but it does not?
How to solve?
I can provide screenshots if asked.

[marcelloc]

Your nat is not correct, pay attention on nat description from the first post and apply on your config.

[Wezz]

Your nat is not correct, pay attention on nat description from the first post and apply on your config.

I've done that,
First is NAT

Edit: I totally forgot that I'm connecting via VPN on my client, my bad.
Thanks for a great "user experience"

[Chewy]

I've only just had a chance to come back to see if there were any replies and this is a pleasant surprise. I'm delighted it's helped people.

[chris23]

thanks guys this really helped me out alot.

I have a question, what if I want to add in squidguard to control access at times of day.  Say 9am til 5pm only, on certain machines with a certain IP address.

Had a bit of a try and I seem to be able to get on the net anytime with the config I tried.

Anyone tried this??

Thanks
Chris

[marcelloc]

You mean dansguardian,squid and squidguard?

[chris23]

Yeah, can you not use squidguard as well?

Or can I just put some settings into danguardian to control time of day access?

Thanks

(by the way marcelloc, good work!!)

[Chewy]

I'm going to make a suggestion Chris but I've not tried this solution, it's speculative, so feel free to shoot me down if I missed something.

Firewall>Schedule is possibly what you're looking for to solve the problem. If you only want content filtering between 9 - 5 then apply the schedule to the redirect rule such that DG and Squid are bypassed outside of the access hours. If you don't want any access at all outside of those hours then you can construct a rule that blocks certain IP and is only activate outside of those hours.

Hope that helps

[chris23]

aagghhh,

genius.  Why did I not think of that.  So simple really, it passed me by....

Thanks a lot Chewy

[Chewy]

Update - I don't seem to be able to edit the original post which I can see makes some sense for integrity reasons so I'll add some updates here (these aren't necessarily requests for change just observations for fellow travellers).  

Refreshing Dansguardian when changes have been made seems to be a bit hit or miss. The only entirely reliable method I've found is that suggested by Zgruk from the command line issue "dansguardian -Q". The "save" buttons work sometimes but not others which I suspect is entirely to do with DG and not the packaging.

Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid, hence, any requests to DG fell into a black hole including the access to PFsense to fix the problem. Because of my (insecure) set up I could manually direct the browser at Squid to access PFsense, refresh DG using a simple save and that seemed to establish the socket between DG and Squid giving me back normal access.

If you're not as insecure as me (and I don't recommend it for any professional set up) then the way to get back access would be to use the command line refresh I mentioned above.

There may be a way to force squid to come up before DG I'm not sure. I'm more of a Linux man than BSD and despite their shared heritage they're different enough for me to have to research that change. If there's anyone out there who can supply the answer I'd be really grateful.  

[chris23]

Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

Exactly the same issue here too.
I normally have to cycle the DG service after bootup.

Not sure quite what's happening here.