


Topics - Merchant

1
Routing and Multi WAN / Multi WAN on Single WAN NIC
« on: July 05, 2016, 04:08:18 am »
I am trying to configure Multi WAN on a single WAN NIC. Is it technically possible for load balancing / failover?



2
Hello, I am currently using a physical machine for pfSense with 2 NICs (connected to the ISP on NIC #1 and the LAN on NIC #2).

We will be getting one more WAN and I am planning to move to a virtual deployment.

Will the deployment work as shown in the picture below? (Note: there are only 2 physical NICs on the Hyper-V server.)

3
Feedback / Error 403
« on: June 20, 2016, 01:51:51 am »
Error 403

We're sorry, but we could not fulfill your request for /index.php on this server.

You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.

Your technical support key is: 7c28-f67b-2b02-1b1f

If you are unable to fix the problem yourself, please contact the WEBMA5TER and be sure to provide the technical support key shown above.


Error 403

We're sorry, but we could not fulfill your request for /index.php?topic=113123.0 on this server.

You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.

Your technical support key is: 7c28-f67b-2b02-1b1f

If you are unable to fix the problem yourself, please contact the WEBMA5TER and be sure to provide the technical support key shown above.


Every link I open I am getting the same; after refreshing, the page loads, then when I open another page the same happens.

4
Firewalling / PFsense Rule order
« on: May 20, 2016, 06:57:17 am »
Action  Proto           Source             Port  Destination  Port       Description
pass    *               *                  *     LAN address  443/80/22  ANTI LOCKOUT RULE
block   IPv4 TCP        !ManagmentDevices  *     facebook     *
block   IPv4 TCP/UDP    !LANNOPROXY        *     *            443
block   IPv4 TCP/UDP    !LANNOPROXY        *     *            80

pass    IPv4+6 *        *                  *     *            *          LIMITER to equally share bandwidth & max speed 9Mbps
pass    IPv4+6 *        *                  *     *            *          LIMITER to equally share bandwidth & max speed 1Mbps
block   IPv4+6 TCP/UDP  *                  *     WANBLOCK     *          WAN IP BLOCKED

pass    default allow LAN to any rule
pass    IPv6 default allow LAN IPv6 to any rule


When there is a limiter pass rule and a squid proxy block 80/443 rule, in which order should they be set up?
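As an added example (not from the post or from pfSense itself), a first-match evaluator over the rule list above, assuming pfSense's interface-tab semantics (rules are evaluated top to bottom and the first match decides) and constructed alias contents; it also reports which rules sit below a pass-any rule and therefore can never match:

```python
import ipaddress
from dataclasses import dataclass

# Constructed alias contents (stand-ins for the aliases named in the post;
# documentation address ranges are used, not real destinations).
ALIASES = {
    "ManagmentDevices": ["192.168.0.10"],
    "LANNOPROXY": ["192.168.0.10", "192.168.0.11"],
    "facebook": ["198.51.100.0/24"],
    "WANBLOCK": ["203.0.113.0/24"],
    "LAN address": ["192.168.0.1"],
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "tcp/udp" or "*"
    src: str      # alias name, "!alias" (negated) or "*"
    dst: str      # alias name, "!alias" or "*"
    dport: str    # "*", "443" or a list such as "443/80/22"
    desc: str


def _in_alias(ip: str, spec: str) -> bool:
    """True if ip is inside the alias ('*' matches anything); '!' negates."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    nets = [ipaddress.ip_network(n, strict=False) for n in ALIASES[spec.lstrip("!")]]
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return not hit if negate else hit


def _proto_ok(pkt_proto: str, rule_proto: str) -> bool:
    return rule_proto == "*" or pkt_proto in rule_proto.split("/")


def _port_ok(pkt_port: int, spec: str) -> bool:
    return spec == "*" or str(pkt_port) in spec.split("/")


def evaluate(rules, proto, src, dst, dport):
    """Top-down, first matching rule decides; no match means the default deny."""
    for r in rules:
        if (_proto_ok(proto, r.proto) and _in_alias(src, r.src)
                and _in_alias(dst, r.dst) and _port_ok(dport, r.dport)):
            return r.action, r.desc
    return "block", "default deny (no rule matched)"


# The LAN rules in the order the post lists them.
POSTED_ORDER = [
    Rule("pass",  "*",       "*",                 "LAN address", "443/80/22", "ANTI LOCKOUT RULE"),
    Rule("block", "tcp",     "!ManagmentDevices", "facebook",    "*",         "block facebook"),
    Rule("block", "tcp/udp", "!LANNOPROXY",       "*",           "443",       "force proxy 443"),
    Rule("block", "tcp/udp", "!LANNOPROXY",       "*",           "80",        "force proxy 80"),
    Rule("pass",  "*",       "*",                 "*",           "*",         "LIMITER 9Mbps"),
    Rule("pass",  "*",       "*",                 "*",           "*",         "LIMITER 1Mbps"),
    Rule("block", "tcp/udp", "*",                 "WANBLOCK",    "*",         "WAN IP BLOCKED"),
    Rule("pass",  "*",       "*",                 "*",           "*",         "default allow LAN to any"),
]

# Same rules with the WANBLOCK rule moved above the pass-any limiter rules.
BLOCK_BEFORE_LIMITER = POSTED_ORDER[:4] + [POSTED_ORDER[6]] + POSTED_ORDER[4:6] + [POSTED_ORDER[7]]


def shadowed_rules(rules):
    """Descriptions of rules placed after a pass-any rule (proto, src, dst and
    port all '*'); with first-match evaluation they are never reached."""
    out, seen_any = [], False
    for r in rules:
        if seen_any:
            out.append(r.desc)
        if (r.proto, r.src, r.dst, r.dport) == ("*", "*", "*", "*"):
            seen_any = True
    return out


if __name__ == "__main__":
    print(evaluate(POSTED_ORDER, "tcp", "192.168.0.50", "203.0.113.5", 8080))
    print(evaluate(BLOCK_BEFORE_LIMITER, "tcp", "192.168.0.50", "203.0.113.5", 8080))
    print(shadowed_rules(POSTED_ORDER))
```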

5
Traffic Monitoring / bandwidthd -Development
« on: May 14, 2016, 12:28:04 am »
Code:
bandwidthd - caused stability problems for some, no package maintainer, not converted
Does anyone have any idea whether bandwidthd will be back? Because currently the only package for monitoring and reporting daily usage per IP is darkstat, which I find not as good as bandwidthd.

6
Packages / darkstat Reports in MB /GB
« on: May 09, 2016, 08:14:12 am »
Is there any way to make darkstat display the report in MB/GB?

7
Cache/Proxy / SquidGuard Target category save ERROR
« on: April 21, 2016, 02:45:26 am »
When I try to save a Target category I am getting the following error:

Code:
jquery-1.12.0.min.js:2 Uncaught Error: cannot call methods on sortable prior to initialization; attempted to call method 'serialize'n.extend.error @ jquery-1.12.0.min.js:2(anonymous function) @ jquery-ui-1.11.4.min.js:6n.extend.each @ jquery-1.12.0.min.js:2n.fn.n.each @ jquery-1.12.0.min.js:2e.fn.(anonymous function) @ jquery-ui-1.11.4.min.js:6save_changes_to_xml @ pkg.php?xml=squidguard_dest.xml:228onclick @ pkg.php?xml=squidguard_dest.xml:309


8
Cache/Proxy / squidGuard downgrade after moving to release version
« on: April 13, 2016, 08:03:40 am »
Code:
>>> Upgrading pfSense-pkg-squidGuard...
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be DOWNGRADED:
pfSense-pkg-squidGuard: 1.14_2 -> 1.14_1 [pfSense]

43 KiB to be downloaded.
Fetching pfSense-pkg-squidGuard-1.14_1.txz: ..... done
Checking integrity... done (0 conflicting)
[1/1] Downgrading pfSense-pkg-squidGuard from 1.14_2 to 1.14_1...
Removing squidGuard components...
Menu items... done.
Services... done.
Loading package instructions...
[1/1] Extracting pfSense-pkg-squidGuard-1.14_1: .......... done
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...



After upgrading to 2.3 from 2.3RC I got the update icon for the packages squid and squidGuard, and it is saying downgrade.

9
In 2.3 squid, I find there is a need for a space after Date, IP, status; currently it is all looking like one line.

10
Traffic Shaping / Traffic shaper HFSC compatibility issue?
« on: April 05, 2016, 07:17:57 am »
Setup tested on:
pfSense 2.2.6
squid with WPAD (non-transparent mode)
squidGuard with blacklist
snort
Limiter (to equally share bandwidth among IPs)
I don't have any DMZ servers


Using the traffic shaper wizard I configured HFSC and granted the highest priority to web traffic, and once I clicked finish, within a moment the network began to crawl, even access to pfSense via LAN (when I tried pinging it was above 2k ping and it eventually died out).

The max hosts at that time would be 2-3 hosts doing browsing (no P2P or heavy applications).

I read on the forum that I need to increase the ACK queue to 10%, but I couldn't even get a few seconds of time to edit the shaper.

The solution was a forced reboot of pfSense (since SSH was also not connecting), then quickly logging in and disabling the shaper.

So is there any compatibility issue with the shaper and one of the packages I am using?

(Time of issue)
max 2-3 hosts only


11
IDS/IPS / Snort Updating issue (SSL)
« on: April 05, 2016, 03:31:47 am »
snort update error
Code:
Apr 5 13:46:24 pfsense.xxx.local nginx: 2016/04/05 13:46:24 [error] 57647#0: *1822 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.246, server: , request: "POST /snort/snort_download_updates.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/snort/snort_download_updates.php"
Apr 5 13:46:19 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:46:19 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:46:04 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:46:04 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:49 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:49 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:34 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:34 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:33 php-fpm 81238 /snort/snort_download_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Apr 5 13:45:30 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Snort OpenAppID detectors file download failed... server returned error '0'...
Apr 5 13:45:30 php-fpm 81238 /snort/snort_download_updates.php: File 'snort-openappid.tar.gz' download attempts: 4 ...
Apr 5 13:45:15 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:15 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:02 snort 96563 invalid appid in appStatRecord (1122)
Apr 5 13:45:02 snort 96563 invalid appid in appStatRecord (1119)
Apr 5 13:45:02 snort 96563 invalid appid in appStatRecord (1114)


2.3-RC (amd64)
built on Mon Apr 04 17:09:32 CDT 2016
FreeBSD 10.3-RELEASE
CPU Type: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
2 CPUs: 1 package(s) x 2 core(s)
Temperature: 44.0C
Load average: 0.22, 0.28, 0.30
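As an added example (not from the post or the Snort package), a small parser run over the log lines above. It separates the root cause (certificate verification failing because the rule server's chain does not lead to a CA in the firewall's local trust store) from the nginx upstream timeout the GUI reported, and shows from the timestamps that the timeout came only after the PHP retry loop had already been failing for about a minute:

```python
import re
from datetime import datetime

# Log lines copied from the post above (syslog timestamps carry no year; 2016 is
# assumed from the build date shown in the post).
LOG = """\
Apr 5 13:46:24 pfsense.xxx.local nginx: 2016/04/05 13:46:24 [error] 57647#0: *1822 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.246, server: , request: "POST /snort/snort_download_updates.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/snort/snort_download_updates.php"
Apr 5 13:46:19 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:46:19 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:46:04 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:46:04 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:49 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:49 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:34 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:34 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:33 php-fpm 81238 /snort/snort_download_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Apr 5 13:45:30 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Snort OpenAppID detectors file download failed... server returned error '0'...
Apr 5 13:45:15 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
Apr 5 13:45:15 php-fpm 81238 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate
Apr 5 13:45:02 snort 96563 invalid appid in appStatRecord (1122)
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<source>\S+) (?P<rest>.*)$")

# Message classes, most specific first.
PATTERNS = [
    ("ssl_error", re.compile(r"Rules download error: SSL certificate problem: (?P<detail>.+)$")),
    ("retry", re.compile(r"Will retry in (?P<secs>\d+) seconds")),
    ("nginx_timeout", re.compile(r"upstream timed out \((?P<errno>\d+): ")),
    ("download_failed", re.compile(r"download failed")),
]


def parse_ts(text: str, year: int = 2016) -> datetime:
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def classify(line: str):
    """Describe one log line as a dict, or return None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": parse_ts(m["ts"]), "source": m["source"], "kind": "other"}
    for kind, pat in PATTERNS:
        hit = pat.search(m["rest"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    return event


def analyse(text: str) -> dict:
    """Count each message class and relate the nginx upstream timeout shown in
    the GUI to the certificate failures that were already being retried."""
    events = [e for e in map(classify, text.splitlines()) if e]
    counts = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    ssl = [e for e in events if e["kind"] == "ssl_error"]
    retries = [e for e in events if e["kind"] == "retry"]
    timeouts = [e for e in events if e["kind"] == "nginx_timeout"]
    report = {"counts": counts, "root_cause": None,
              "retry_window_seconds": None, "gui_timeout_after_first_error": False}
    if ssl:
        report["root_cause"] = ssl[0]["detail"]
        first = min(e["ts"] for e in ssl)
        last = max((e["ts"] for e in retries), default=first)
        report["retry_window_seconds"] = (last - first).total_seconds()
        report["gui_timeout_after_first_error"] = any(t["ts"] > first for t in timeouts)
    return report


if __name__ == "__main__":
    print(analyse(LOG))
```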

12
General Questions / WAN IN traffic not showing in LAN Traffic
« on: March 01, 2016, 02:54:57 am »
Code:
2.2.6-RELEASE (amd64)
built on Mon Dec 21 14:50:08 CST 2015
FreeBSD 10.1-RELEASE-p25

Code:
Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
2 CPUs: 1 package(s) x 2 core(s)

Code:
State table size
1% (1406/196000)
Show states
MBUF Usage
8% (2124/26584)



I am facing a weird issue: I am seeing WAN IN traffic in the traffic graph but I am not seeing any LAN traffic.


Connection

ISP Router ->  PFsense int0(wan)-----pfsense int1(LAN)---->Switch ---> PC's


I am using Squid dynamic cache to cache Windows updates and AV updates for 30+ PCs.


Code:

# refresh_pattern -i \.htm 120 50% 10080 reload-into-ims
# refresh_pattern -i \.html 120 50% 10080 reload-into-ims
# refresh_pattern ^http://*.facebook.com/* 720 100% 4320
#refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320
# refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320
# refresh_pattern ^http://*.yimg.*/.* 720 100% 4320
# refresh_pattern ^http://*.gmail.*/.* 720 100% 4320
# refresh_pattern ^http://*.google.*/.* 720 100% 4320
# refresh_pattern ^http://*.kaskus.*/.* 720 100% 4320
# refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320
# refresh_pattern ^http://*.plasa.*/.* 720 100% 4320
#refresh_pattern ^http://*.telkom.*/.* 720 100% 4320

# refresh_pattern imeem.*\.flv  0 0% 0     override-lastmod override-expire
# refresh_pattern \.rapidshare.*\/[0-9]*\/.*\/[^\/]*   161280    90%    161280 ignore-reload
 
#  refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?)    10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims
# refresh_pattern (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?)    10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims
# refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id||videodownload\?|\.flv?)       10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims


# refresh_pattern mediafire.com\/images.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png)    10800 80% 10800 reload-into-ims override-expire ignore-private
# refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\.      10800 80% 10800 reload-into-ims ignore-no-cache  ignore-reload override-expire
# refresh_pattern ^http:\/\/www.onemanga.com.*\/           10800 80% 10800 reload-into-ims ignore-no-cache  ignore-reload override-expire
 
# ANTI VIRUS
refresh_pattern guru.avg.com/.*\.(bin)                      10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern (avgate|avira).*(idx|gz)$                           10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern kaspersky.*\.avc$                                   10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern kaspersky                                           10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern update.nai.com/.*\.(gem|zip|mcs)                    10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip)     10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims
 
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iuf]|[ap]sf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iuf]|[ap]sf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[iuf]|[ap]sf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims

refresh_pattern windowsupdate.com/.*\.(cab|exe)             10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe)             10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)             10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims
 
#images facebook
refresh_pattern ((facebook.com)|(85.131.151.39)).*\.(jpg|png|gif)      10800 80% 10800 ignore-reload  override-expire ignore-no-cache
refresh_pattern -i \.fbcdn.net.*\.(jpg|gif|png|swf|mp3)                  10800 80% 10800 ignore-reload  override-expire ignore-no-cache
refresh_pattern  static\.ak\.fbcdn\.net*\.(jpg|gif|png)                  10800 80% 10800 ignore-reload  override-expire ignore-no-cache
refresh_pattern ^http:\/\/profile\.ak\.fbcdn.net*\.(jpg|gif|png)      10800 80% 10800 ignore-reload  override-expire ignore-no-cache

 
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms)      10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v))          10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)     10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))     10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
 
# refresh_pattern (cgi-bin|\?)       0      0%      0
# refresh_pattern ^gopher:    1440    0%    1440
# refresh_pattern ^ftp:         10080     95%     10800 override-lastmod reload-into-ims
#  refresh_pattern         .     180     95% 10800 override-lastmod reload-into-ims


13
pfBlockerNG / PFblockerNG whitelist LAN IP
« on: January 27, 2016, 02:06:19 am »
Code:
2.2.6-RELEASE
bandwidthd Network Management 0.6.3
darkstat Network Management 3.1.1
Lightsquid Network Management 2.43
ntopng Network Management 0.8.2
pfBlockerNG Security 2.0.4
Sarg Network Management 0.6.10
snort Security 3.2.9.1
squid3 Services 0.4.7
squidGuard Network Management 1.9.18


Can anyone help me find out how to whitelist some of the LAN IPs (e.g. 192.168.0.200-254)?
Because I am using pfBlockerNG for blocking ads, but the manager needs to view ads from http://www.googleadservices.com/

which appear at the top of the Google search page (currently it is redirecting to the 10.0.0.1 IP address).

Code:
Pinging www.googleadservices.com [10.10.10.1]

14
Cache/Proxy / SquidGuard blocking for all IP range
« on: January 20, 2016, 11:34:07 pm »
pfSense, squid3 (non-transparent, WPAD) and squidGuard are the latest versions, and it is working perfectly in blocking, but it is blocking all IP ranges instead of the selected IP range.

Settings - Common ACL: whitelist (allow), blacklist (deny), default access (all) allow


- multimedia > Name: Working_Hours > Multimedia block during working hours (09:3-1:30 & 2:15 to 6:30)
client IP (192.168.0.2-192.168.0.229), and rebooted

But the issue is squidGuard is blocking multimedia for IPs above 192.168.0.229 (shown in the pic below).

Kindly help me to fix the issue.

Proxy config
Code:
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.0.1:3128
http_port 127.0.0.1:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname sssssss
cache_mgr sssssss
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.0.0/24 127.0.0.0/8
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 200 MB
cache_dir ufs /var/squid/cache 50000 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|?) 0  0%  0
refresh_pattern .    0  20%  4320


#Remote proxies


# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535
acl sslports port 443 563 

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

quick_abort_min 0 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
reply_body_max_size 153600 KB allsrc
delay_pools 1
delay_class 1 2
delay_parameters 1 2097152/2097152 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i '/var/squid/acl/throttle_exts.acl'
delay_access 1 allow throttle_exts
delay_access 1 deny allsrc

# Reverse Proxy settings


# Package Integration
url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth


# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc


Filter config
Code:
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard

# Working Hours
time Working_Hours {
weekly * 09:30-13:30
weekly * 14:10-18:30
}

# Multimedia block during working hours
src multimedia {
ip     192.168.0.1-192.168.0.220
}

#
dest blk_BL_adv {
domainlist blk_BL_adv/domains
urllist blk_BL_adv/urls
redirect http://192.168.0.1:80/sgerror.php?url=blank_img&msg=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}

#
dest blk_BL_aggressive {
domainlist blk_BL_aggressive/domains
urllist blk_BL_aggressive/urls
log block.log
}

#
dest blk_BL_alcohol {
domainlist blk_BL_alcohol/domains
urllist blk_BL_alcohol/urls
log block.log
}

#
dest blk_BL_anonvpn {
domainlist blk_BL_anonvpn/domains
urllist blk_BL_anonvpn/urls
log block.log
}

#
dest blk_BL_automobile_bikes {
domainlist blk_BL_automobile_bikes/domains
urllist blk_BL_automobile_bikes/urls
log block.log
}

#
dest blk_BL_automobile_boats {
domainlist blk_BL_automobile_boats/domains
urllist blk_BL_automobile_boats/urls
log block.log
}

#
dest blk_BL_automobile_cars {
domainlist blk_BL_automobile_cars/domains
urllist blk_BL_automobile_cars/urls
log block.log
}

#
dest blk_BL_automobile_planes {
domainlist blk_BL_automobile_planes/domains
urllist blk_BL_automobile_planes/urls
log block.log
}

#
dest blk_BL_chat {
domainlist blk_BL_chat/domains
urllist blk_BL_chat/urls
log block.log
}

#
dest blk_BL_costtraps {
domainlist blk_BL_costtraps/domains
urllist blk_BL_costtraps/urls
log block.log
}

#
dest blk_BL_dating {
domainlist blk_BL_dating/domains
urllist blk_BL_dating/urls
log block.log
}

#
dest blk_BL_downloads {
domainlist blk_BL_downloads/domains
urllist blk_BL_downloads/urls
log block.log
}

#
dest blk_BL_drugs {
domainlist blk_BL_drugs/domains
urllist blk_BL_drugs/urls
log block.log
}

#
dest blk_BL_dynamic {
domainlist blk_BL_dynamic/domains
urllist blk_BL_dynamic/urls
log block.log
}

#
dest blk_BL_education_schools {
domainlist blk_BL_education_schools/domains
urllist blk_BL_education_schools/urls
log block.log
}

#
dest blk_BL_finance_banking {
domainlist blk_BL_finance_banking/domains
urllist blk_BL_finance_banking/urls
log block.log
}

#
dest blk_BL_finance_insurance {
domainlist blk_BL_finance_insurance/domains
urllist blk_BL_finance_insurance/urls
log block.log
}

#
dest blk_BL_finance_moneylending {
domainlist blk_BL_finance_moneylending/domains
urllist blk_BL_finance_moneylending/urls
log block.log
}

#
dest blk_BL_finance_other {
domainlist blk_BL_finance_other/domains
urllist blk_BL_finance_other/urls
log block.log
}

#
dest blk_BL_finance_realestate {
domainlist blk_BL_finance_realestate/domains
urllist blk_BL_finance_realestate/urls
log block.log
}

#
dest blk_BL_finance_trading {
domainlist blk_BL_finance_trading/domains
urllist blk_BL_finance_trading/urls
log block.log
}

#
dest blk_BL_fortunetelling {
domainlist blk_BL_fortunetelling/domains
urllist blk_BL_fortunetelling/urls
log block.log
}

#
dest blk_BL_forum {
domainlist blk_BL_forum/domains
urllist blk_BL_forum/urls
log block.log
}

#
dest blk_BL_gamble {
domainlist blk_BL_gamble/domains
urllist blk_BL_gamble/urls
log block.log
}

#
dest blk_BL_government {
domainlist blk_BL_government/domains
urllist blk_BL_government/urls
log block.log
}

#
dest blk_BL_hacking {
domainlist blk_BL_hacking/domains
urllist blk_BL_hacking/urls
log block.log
}

#
dest blk_BL_hobby_cooking {
domainlist blk_BL_hobby_cooking/domains
urllist blk_BL_hobby_cooking/urls
log block.log
}

#
dest blk_BL_hobby_games-misc {
domainlist blk_BL_hobby_games-misc/domains
urllist blk_BL_hobby_games-misc/urls
log block.log
}

#
dest blk_BL_hobby_games-online {
domainlist blk_BL_hobby_games-online/domains
urllist blk_BL_hobby_games-online/urls
log block.log
}

#
dest blk_BL_hobby_gardening {
domainlist blk_BL_hobby_gardening/domains
urllist blk_BL_hobby_gardening/urls
log block.log
}

#
dest blk_BL_hobby_pets {
domainlist blk_BL_hobby_pets/domains
urllist blk_BL_hobby_pets/urls
log block.log
}

#
dest blk_BL_homestyle {
domainlist blk_BL_homestyle/domains
urllist blk_BL_homestyle/urls
log block.log
}

#
dest blk_BL_hospitals {
domainlist blk_BL_hospitals/domains
urllist blk_BL_hospitals/urls
log block.log
}

#
dest blk_BL_imagehosting {
domainlist blk_BL_imagehosting/domains
urllist blk_BL_imagehosting/urls
log block.log
}

#
dest blk_BL_isp {
domainlist blk_BL_isp/domains
urllist blk_BL_isp/urls
log block.log
}

#
dest blk_BL_jobsearch {
domainlist blk_BL_jobsearch/domains
urllist blk_BL_jobsearch/urls
log block.log
}

#
dest blk_BL_library {
domainlist blk_BL_library/domains
urllist blk_BL_library/urls
log block.log
}

#
dest blk_BL_military {
domainlist blk_BL_military/domains
urllist blk_BL_military/urls
log block.log
}

#
dest blk_BL_models {
domainlist blk_BL_models/domains
urllist blk_BL_models/urls
log block.log
}

#
dest blk_BL_movies {
domainlist blk_BL_movies/domains
urllist blk_BL_movies/urls
log block.log
}

#
dest blk_BL_music {
domainlist blk_BL_music/domains
urllist blk_BL_music/urls
log block.log
}

#
dest blk_BL_news {
domainlist blk_BL_news/domains
urllist blk_BL_news/urls
log block.log
}

#
dest blk_BL_podcasts {
domainlist blk_BL_podcasts/domains
urllist blk_BL_podcasts/urls
log block.log
}

#
dest blk_BL_politics {
domainlist blk_BL_politics/domains
urllist blk_BL_politics/urls
log block.log
}

#
dest blk_BL_porn {
domainlist blk_BL_porn/domains
urllist blk_BL_porn/urls
log block.log
}

#
dest blk_BL_radiotv {
domainlist blk_BL_radiotv/domains
urllist blk_BL_radiotv/urls
log block.log
}

#
dest blk_BL_recreation_humor {
domainlist blk_BL_recreation_humor/domains
urllist blk_BL_recreation_humor/urls
log block.log
}

#
dest blk_BL_recreation_martialarts {
domainlist blk_BL_recreation_martialarts/domains
urllist blk_BL_recreation_martialarts/urls
log block.log
}

#
dest blk_BL_recreation_restaurants {
domainlist blk_BL_recreation_restaurants/domains
urllist blk_BL_recreation_restaurants/urls
log block.log
}

#
dest blk_BL_recreation_sports {
domainlist blk_BL_recreation_sports/domains
urllist blk_BL_recreation_sports/urls
log block.log
}

#
dest blk_BL_recreation_travel {
domainlist blk_BL_recreation_travel/domains
urllist blk_BL_recreation_travel/urls
log block.log
}

#
dest blk_BL_recreation_wellness {
domainlist blk_BL_recreation_wellness/domains
urllist blk_BL_recreation_wellness/urls
log block.log
}

#
dest blk_BL_redirector {
domainlist blk_BL_redirector/domains
urllist blk_BL_redirector/urls
log block.log
}

#
dest blk_BL_religion {
domainlist blk_BL_religion/domains
urllist blk_BL_religion/urls
log block.log
}

#
dest blk_BL_remotecontrol {
domainlist blk_BL_remotecontrol/domains
urllist blk_BL_remotecontrol/urls
log block.log
}

#
dest blk_BL_ringtones {
domainlist blk_BL_ringtones/domains
urllist blk_BL_ringtones/urls
log block.log
}

#
dest blk_BL_science_astronomy {
domainlist blk_BL_science_astronomy/domains
urllist blk_BL_science_astronomy/urls
log block.log
}

#
dest blk_BL_science_chemistry {
domainlist blk_BL_science_chemistry/domains
urllist blk_BL_science_chemistry/urls
log block.log
}

#
dest blk_BL_searchengines {
domainlist blk_BL_searchengines/domains
urllist blk_BL_searchengines/urls
log block.log
}

#
dest blk_BL_sex_education {
domainlist blk_BL_sex_education/domains
urllist blk_BL_sex_education/urls
log block.log
}

#
dest blk_BL_sex_lingerie {
domainlist blk_BL_sex_lingerie/domains
urllist blk_BL_sex_lingerie/urls
log block.log
}

#
dest blk_BL_shopping {
domainlist blk_BL_shopping/domains
urllist blk_BL_shopping/urls
log block.log
}

#
dest blk_BL_socialnet {
domainlist blk_BL_socialnet/domains
urllist blk_BL_socialnet/urls
log block.log
}

#
dest blk_BL_spyware {
domainlist blk_BL_spyware/domains
urllist blk_BL_spyware/urls
log block.log
}

#
dest blk_BL_tracker {
domainlist blk_BL_tracker/domains
urllist blk_BL_tracker/urls
log block.log
}

#
dest blk_BL_updatesites {
domainlist blk_BL_updatesites/domains
urllist blk_BL_updatesites/urls
log block.log
}

#
dest blk_BL_urlshortener {
domainlist blk_BL_urlshortener/domains
urllist blk_BL_urlshortener/urls
log block.log
}

#
dest blk_BL_violence {
domainlist blk_BL_violence/domains
urllist blk_BL_violence/urls
log block.log
}

#
dest blk_BL_warez {
domainlist blk_BL_warez/domains
urllist blk_BL_warez/urls
log block.log
}

#
dest blk_BL_weapons {
domainlist blk_BL_weapons/domains
urllist blk_BL_weapons/urls
log block.log
}

#
dest blk_BL_webmail {
domainlist blk_BL_webmail/domains
urllist blk_BL_webmail/urls
log block.log
}

#
dest blk_BL_webphone {
domainlist blk_BL_webphone/domains
urllist blk_BL_webphone/urls
log block.log
}

#
dest blk_BL_webradio {
domainlist blk_BL_webradio/domains
urllist blk_BL_webradio/urls
log block.log
}

#
dest blk_BL_webtv {
domainlist blk_BL_webtv/domains
urllist blk_BL_webtv/urls
log block.log
}

# Whitelist
dest Whitelist {
}

# Blacklist
dest Blacklist {
}

#
rew safesearch {
s@(google..*/search?.*q=.*)@&safe=active@i
s@(google..*/images.*q=.*)@&safe=active@i
s@(google..*/groups.*q=.*)@&safe=active@i
s@(google..*/news.*q=.*)@&safe=active@i
s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
s@(search.live..*/.*q=.*)@&adlt=strict@i
s@(search.msn..*/.*q=.*)@&adlt=strict@i
s@(.bing..*/.*q=.*)@&adlt=strict@i
log block.log
}

#
acl  {
# Multimedia block during working hours
multimedia  within Working_Hours {
pass Whitelist !Blacklist !blk_BL_adv !blk_BL_downloads !blk_BL_movies !blk_BL_music !blk_BL_podcasts !blk_BL_porn !blk_BL_spyware !blk_BL_warez all
} else {
pass all
redirect http://192.168.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}
#
default  {
pass !Blacklist !blk_BL_adv !blk_BL_movies !blk_BL_music !blk_BL_porn Whitelist all
redirect http://192.168.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}
}
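As an added example (not from the post or from squidGuard), a small model of squidGuard's acl evaluation applied to the squidGuard.conf posted above, assuming a request is described by the set of dest lists its URL appears in (constructed inputs). It shows that a client outside the multimedia src range falls through to the default acl, which carries its own !blk_BL_movies, !blk_BL_music and !blk_BL_porn terms regardless of time or address:

```python
import ipaddress
from datetime import datetime

# Constructed model of the posted squidGuard.conf; only the parts that decide
# the multimedia question are reproduced here.
TIMES = {
    # "weekly * 09:30-13:30" and "weekly * 14:10-18:30" from the config
    "Working_Hours": [("09:30", "13:30"), ("14:10", "18:30")],
}
SOURCES = {
    # "src multimedia { ip 192.168.0.1-192.168.0.220 }"
    "multimedia": ("192.168.0.1", "192.168.0.220"),
}
# acl block entries: (src name, time name or None, pass list inside the time
# window, pass list of the "else" branch)
ACL = [
    ("multimedia", "Working_Hours",
     "Whitelist !Blacklist !blk_BL_adv !blk_BL_downloads !blk_BL_movies "
     "!blk_BL_music !blk_BL_podcasts !blk_BL_porn !blk_BL_spyware !blk_BL_warez all",
     "all"),
]
# "default" entry, used when no src above matches the client address
DEFAULT_PASS = "!Blacklist !blk_BL_adv !blk_BL_movies !blk_BL_music !blk_BL_porn Whitelist all"


def in_time(name: str, when: datetime) -> bool:
    """True if the wall-clock time falls in one of the named time windows."""
    hhmm = when.strftime("%H:%M")
    return any(start <= hhmm <= end for start, end in TIMES[name])


def in_src(name: str, ip: str) -> bool:
    """True if the client address lies in the named src range (inclusive)."""
    lo, hi = (ipaddress.ip_address(x) for x in SOURCES[name])
    return lo <= ipaddress.ip_address(ip) <= hi


def evaluate_pass(pass_list: str, categories: set) -> bool:
    """squidGuard pass semantics: tokens are tried left to right and the first
    one that matches decides. 'all' allows, 'none' denies, '!X' denies when the
    URL is in dest list X, and a bare 'X' allows when the URL is in X."""
    for tok in pass_list.split():
        if tok == "all":
            return True
        if tok == "none":
            return False
        if tok.startswith("!"):
            if tok[1:] in categories:
                return False
        elif tok in categories:
            return True
    return False  # list exhausted without a match: squidGuard denies


def decide(ip: str, when: datetime, categories: set):
    """Pick the first src whose range holds the client, honour its 'within'
    time window (else branch otherwise), and fall back to 'default'."""
    for src, tname, pass_in, pass_else in ACL:
        if in_src(src, ip):
            if tname is None or in_time(tname, when):
                return src, evaluate_pass(pass_in, categories)
            return src + " (else)", evaluate_pass(pass_else, categories)
    return "default", evaluate_pass(DEFAULT_PASS, categories)


if __name__ == "__main__":
    work = datetime(2016, 1, 20, 10, 0)     # inside Working_Hours
    evening = datetime(2016, 1, 20, 20, 0)  # outside it
    for ip, when, cats in [("192.168.0.100", work, {"blk_BL_movies"}),
                           ("192.168.0.100", evening, {"blk_BL_movies"}),
                           ("192.168.0.240", evening, {"blk_BL_movies"}),
                           ("192.168.0.240", work, {"blk_BL_downloads"})]:
        print(ip, when.strftime("%H:%M"), sorted(cats), decide(ip, when, cats))
```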

15
Firewalling / PFsense issue blocking all traffic using LAN Rules
« on: January 07, 2016, 03:29:40 am »
Setup

ISP Router 192.168.2.1 ----> pfSense WAN 192.168.2.2 ---> pfSense LAN 192.168.0.1
Packages:
Squid - WPAD, non-transparent
Snort
pfBlockerNG

The issue is I am unable to block all traffic using a LAN rule.

Pic attached, showing that even after blocking my IP I am able to ping Google DNS, but web traffic stopped, so I was thinking whether mobile users can bypass the firewall by using different applications (since even when I fully blocked source (my IP) to destination (any), my PC was able to ping to WAN).


Kindly help to solve, thank you.

Edit - I tried blocking a mobile user also using a source alias (alias pic attached), local IP and destination any;
still that IP is able to download / watch video.
