I have been experimenting with pfSense for a few weeks now. I am using 1.2.3 at the moment, primarily because most of the information I find is for 1.2.3; v2.0 is not as clear when looking for help. I plan to use 2.0 after I understand what I am doing.
Anyway, I have my pfSense box working fine; I have set my iptable rules and port forwards, and all is going as expected. It is a simple setup: one NIC to the DSL modem, one to the LAN, using 192.168.1.0/24. Pretty basic.
I installed Squid and Squid Guard. Squid works, not too hard to understand. I am currently testing how I can limit my kids and unknown machines to a 'kid friendly' set of websites while allowing my known machines no restrictions.
I created a TargetCategory:
no redirect or expressions
I created a group ACL:
Client(source):192.168.1.10 (my computers IP)
Time: not using
No redirects or other options needed for this test
I did APPLY this, I understand that has to be done. I do understand that the Default Access [All] target applies to everything. I have seen mention that you would want to use the value "whitelist" for the [All] target group, but I don't see that option. The results are listed here.
kids-test (allow) All (allow) -- allowed to go anywhere
kids-test (whitelist) All (allow) -- allowed to go anywhere
kids-test (allow) All (deny) -- can go nowhere
kids-test (whitelist) All (deny) -- can go nowhere
I also decided that the common ACL rule might come into play, so I tried the above settings (group ACL) with [All]-deny and [All]-allow in the common ACL menu, but the results did not change.
SquidGuard is working, that much is certain. It denies my computer access to anywhere over HTTP when it is engaged; I just cannot get the filtering to work properly.
Next I decided to try out multiple group ACLs. I had thought that perhaps the logic was such that if I created a group ACL for the entire subnet (192.168.1.0/24), set that to [All]-Deny, and placed it as the 2nd ACL (after my test1 ACL), then perhaps the kids sites would be allowed because they were in a target category (whitelisted), but other requests would fall to the next ACL, which would deny all.
I am not exactly a stranger to hierarchy; I understand how it works. I don't see a method to the madness here though, at least not one I can find documented. There are a lot of ways to do this from a prompt, but I don't really have the experience to go mucking around with command line syntax. Besides, I had thought it would be pretty straightforward with a nice GUI. There is of course a high probability that I am not doing something correctly. I have read many articles and threads about this, and I thought with my basic test it would work easily, but I was mistaken.
I understand there have been many, many questions regarding Squid and SquidGuard. I apologize that I have to add yet another one, but after many hours messing with this, I either need some help or I am going to go back to my D-Link router, which poses no such problems because it is so void of options.
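The post above is about how a squidGuard acl block decides, for a given client and requested host, whether a request passes. The following is an added example, not code from the poster or from pfSense/squidGuard: a small model of squidGuard's evaluation order (first matching source entry wins, then the pass list is read left to right with `all`, `none` and `!category` as in squidGuard.conf), run against a constructed "kids" domain list and a constructed ACL for 192.168.1.10. The assumption that an unterminated pass list allows the request is marked in the code.

```python
import ipaddress

# Constructed stand-in for the target category: a squidGuard domainlist.
DEST = {"kids": {"kidsites.example", "www.kidsites.example"}}

# Constructed ACL, written in squidGuard.conf terms. Order matters: the first
# source entry whose network contains the client IP is the one evaluated.
# "pass kids none" = whitelist the kids category, deny everything else.
ACL = [
    ("kids-test", "192.168.1.10/32", ["kids", "none"]),
    ("default",   "0.0.0.0/0",       ["none"]),  # every other client: deny all
]

def host_in(host, cat, dest=DEST):
    """domainlist semantics: the host or any of its parent domains is listed."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in dest[cat] for i in range(len(parts)))

def decide(client_ip, host, acl=ACL, dest=DEST):
    """Return 'allow' or 'deny' the way a squidGuard acl block would."""
    ip = ipaddress.ip_address(client_ip)
    for _name, net, pass_list in acl:
        if ip not in ipaddress.ip_network(net):
            continue                      # not this source; try the next entry
        for tok in pass_list:             # left to right, first match decides
            if tok == "all":
                return "allow"
            if tok == "none":
                return "deny"
            negated = tok.startswith("!")
            if host_in(host, tok.lstrip("!"), dest):
                return "deny" if negated else "allow"
        return "allow"   # assumption: a pass list that ends without a match allows
    return "allow"       # no source matched at all: nothing for squidGuard to do

def demo():
    """Compare the two endings of the pass list for the poster's own machine."""
    whitelist_then_deny = [("kids-test", "192.168.1.10/32", ["kids", "none"])]
    whitelist_then_allow = [("kids-test", "192.168.1.10/32", ["kids", "all"])]
    return {
        "kids site, pass kids none": decide("192.168.1.10", "www.kidsites.example", whitelist_then_deny),
        "other site, pass kids none": decide("192.168.1.10", "example.net", whitelist_then_deny),
        "other site, pass kids all": decide("192.168.1.10", "example.net", whitelist_then_allow),
        "kids site, other client": decide("192.168.1.50", "www.kidsites.example"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Swapping the order to `["none", "kids"]` denies even the kids sites, which is the behaviour to check for first whenever a whitelist entry seems to have no effect.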