pfSense is a robust open-source-based router/firewall operating system that’s based on FreeBSD. You’ll notice the expression “open-source-based.” That’s because there are now two pfSense versions available: pfSense CE (community edition), which is fully open-source, and pfSense Plus, which includes some extra proprietary features. Both are free to use for home users. But for this tutorial, we’re going to be using the community edition.
pfSense CE includes some powerful networking tools, out of the box, that enable you to build a secure network. But you can also install extra packages from the pfSense official repository and make your firewall even more capable.
In this post, we’re going to be using two such packages, Squid and SquidGuard. Squid is a web proxy that can handle caching and content filtering, while SquidGuard is a URL redirector that integrates with Squid. Let’s take a minute to provide a bit of context around proxy servers, how they work, and what they’re used for.
What is a proxy server?
A proxy server acts as a middleman between your device, such as a laptop, tablet, or smartphone, and the website you are trying to access. Essentially, your traffic first goes through the proxy server before reaching its ultimate destination.
There are a few reasons why it’s useful to send your traffic through a proxy server. One of the benefits is that the proxy server can cache content, meaning it will save some remote content locally. This allows for faster internet browsing because once the content has been cached, the next time a client requests that content, it will be served locally instead of being downloaded from the internet again. It’s like having a shortcut to frequently visited websites that saves time and speeds up your browsing experience.
Another reason is content filtering. Content filtering means restricting access to specific domains or IP addresses. For example, organizations that block access to social media sites are engaged in content filtering.
Content filtering also enables you to block online ads. Ads are not only annoying, but they also infringe on your privacy, use up your internet data, and can even carry dangerous malware. It’s completely reasonable to want to eliminate them. And we’re going to show you how to do just that with Squid and SquidGuard in pfSense. As mentioned above, SquidGuard is a URL redirector that integrates with Squid. It also allows for list-based filtering, which is key to getting this up and running.
This guide assumes that you’ve got pfSense set up with configured WAN and LAN interfaces. We’re also assuming that you can access the GUI.
Installing Squid
We will start by installing the Squid proxy server.
- To access the Package Manager, simply click on System and then Package Manager from the top menus. This will direct you to the Installed Packages tab of pfSense’s Package Manager.
- Select Available Packages. This displays the list of available packages.
- Scroll down until you find the Squid package and click Install. This brings up the Package Installer window.
- Click Confirm. The installation begins.
- Once the installation has finished, the word Success should be displayed at the bottom of the Package Installer window. If so, Squid has been successfully installed.
Squid configuration
Now that we’ve installed Squid, it’s time to configure our proxy server.
- Select Services > Squid Proxy Server from the top menus. This takes you to the Squid Settings pages. You’re on the General tab by default.
To properly set up ad-blocking with Squid, we’ll only be focusing on the necessary sub-menus rather than going over every single one. Keep in mind that any settings not mentioned should be kept at their default values.
However, before we can begin the configuration process, we need to navigate to the Local Cache tab and accept the default local caching settings by clicking on the Save button at the bottom of the page. If you skip this step and attempt to configure the proxy, you’ll be prompted to accept the default local cache settings, and any changes you made up to that point will be lost.
You can tweak your local cache settings later if you want to. You just need to come back to Squid’s Local Cache tab.
Squid General Settings
- Make sure the Check to enable the Squid proxy box is unchecked. We’re going to configure the proxy server before enabling it.
- If your setup includes both IPv4 and IPv6, select IPv4+IPv6 from the Listen IP Version drop-down menu. If you’re only using IPv4, set it to IPv4.
- Make sure your LAN interface is selected in Proxy Interface(s). Any additional interfaces you add should be selected here as well if you want to filter the traffic from those interfaces with Squid.
- In the Outgoing Network Interface field, select Default (auto).
Transparent Proxy Settings
There are two ways in which proxy servers can operate: transparent and explicit. Transparent mode requires no configuration on your clients, meaning that their traffic will be proxied transparently. However, this mode is only capable of proxying HTTP traffic over port 80 and not HTTPS traffic unless Man In the Middle SSL filtering is configured. We’ll discuss that further down.
Explicit mode, on the other hand, requires you to configure each of your clients to request access to the proxy. In Explicit mode, all TCP traffic is proxied, whether HTTP or HTTPS. This is the mode that we recommend for this guide since it provides a more comprehensive solution. While both modes can be enabled without any issues, transparent mode has limited scope for ad-blocking due to the widespread use of HTTPS on the internet today. But transparent mode is still useful for caching.
SSL Man In the Middle Filtering
While it’s possible to transparently proxy HTTPS connections using Squid, I don’t recommend it, because to do this you need to break HTTPS. Squid can replace a website’s SSL certificate with its own: it decrypts the connection and re-encrypts it using its own certificate. This will effectively enable you to filter SSL connections, but the HTTPS validation that’s meant to happen in your browser will be broken.
We won’t be enabling Man In the Middle SSL filtering in this tutorial.
Logging Settings
- Tick the Enable Access Logging box. This allows Squid to log your traffic so you can see what’s happening if you need to troubleshoot anything.
- Tick the Log Pages Denied by SquidGuard box. This makes SquidGuard’s logs available from the Real Time tab with the Squid Proxy logs. This will become useful after we’ve installed SquidGuard.
Headers Handling, Language and Other Customizations
These settings are optional, but they’re useful in limiting the amount of information exposed in the Squid headers.
- Set the X-Forwarded Header Mode to off.
- Tick the Disable VIA Header box.
- Tick the Suppress Squid Version box.
- Click Save.
ACLs tab
SquidGuard, once installed, will be doing the bulk of the filtering. But Squid itself is nonetheless capable of filtering traffic. This is configured in the ACLs tab.
The ACLs tab comprises multiple boxes in which we can define what we want Squid to filter out. We will look at each one.
Allowed Subnets
The Allowed Subnets box enables you to provide additional subnets with access to the Squid proxy. This is particularly useful for subnets that are present on your system, but that may not have a dedicated interface, such as IPsec, making their selection impossible on the General tab. We won’t be adding anything here.
Unrestricted IPs
You can enter IP addresses in this box, and those IPs will bypass the proxy server even if their subnets are configured to use the proxy.
Banned Host Addresses
You can enter IP addresses in this box and they will be banned from using the proxy server even if their subnets are allowed.
Whitelist
You can add domains to the Whitelist box, making them available to all hosts that are authorized to use the proxy. Entries in the Whitelist override any Blacklist entries.
Blacklist
Adding domains to the Blacklist box will render those domains inaccessible to all hosts that are authorized to use the proxy.
Block User Agents
This box is particularly useful for preventing certain applications from accessing the internet. Whenever an application sends a request out to the internet, the request includes a field called the user agent. This field identifies the specific application being used. For instance, the user agent for Google Chrome is simply “Chrome.”
User agents were originally developed to identify the different web browsers making requests to the server, so the server could properly format the data for that particular browser. Then user agents got generalized to practically any app making web requests.
Blocking a user agent in Squid is simple. You just need to prefix the user agent string with “^” (without the quotes).
For example, entering ^Chrome in Squid’s Block User Agent box will effectively disallow Google Chrome from accessing the internet. Entering ^Mozilla will block Firefox from accessing the internet, etc.
Bear in mind that user agents are very specific and may not be as simple as the examples listed above. You should make sure to have the exact user agent you want to block to avoid blocking unintended traffic.
Block MIME Types (Reply Only)
MIME (Multipurpose Internet Mail Extensions) types identify the type of file or content returned for a URL. MIME types follow a type/subtype structure, where the type is the general category and the subtype is the specific type. Examples will make this clearer.
If we add audio/mpeg to the Block MIME Types, we will be blocking the download of mp3 files. Were we to add image/png to the Block MIME Types box, we would be blocking the download of png images.
Like user agents, MIME types are very specific. Make sure to enter the exact type and subtype for the filtering to work properly in Squid.
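Squid evaluates the Block User Agents and Block MIME Types entries as regular expressions, so before committing a pattern it is worth testing it against the user-agent strings and Content-Type values your clients actually produce. The script below is an added example, not part of the original guide: the user-agent strings are constructed in the shape modern clients send, and the case-sensitive matching reflects the assumed Squid regex ACL default.

```python
import re

# Squid treats each entry in the Block User Agents and Block MIME Types boxes
# as a regular expression; regex ACLs are case-sensitive unless Squid is told
# otherwise, which is the behaviour assumed here.
def compile_acl(patterns):
    return [re.compile(p) for p in patterns]

def blocked_by(acl, value):
    """Return the first pattern that matches value, or None if it passes."""
    for rx in acl:
        if rx.search(value):
            return rx.pattern
    return None

# Constructed user-agent strings in the shape modern clients send; real ones
# from your own network appear in Squid's access log once logging is enabled.
USER_AGENTS = {
    "chrome":  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "curl":    "curl/8.4.0",
}

def check_user_agent_rules(patterns, agents=USER_AGENTS):
    """For each client label, the pattern that would block it, or None."""
    acl = compile_acl(patterns)
    return {name: blocked_by(acl, ua) for name, ua in agents.items()}

def check_mime_rules(patterns, content_types):
    """Same check for reply Content-Type values (Block MIME Types is reply-only)."""
    acl = compile_acl(patterns)
    return {ct: blocked_by(acl, ct) for ct in content_types}

if __name__ == "__main__":
    # "^" anchors at the start of the string: ^Chrome matches only a user agent
    # that begins with "Chrome", and the sample Chrome string begins "Mozilla/5.0".
    print(check_user_agent_rules(["^Chrome"]))     # nothing blocked
    print(check_user_agent_rules(["^Mozilla"]))    # blocks both browsers
    print(check_user_agent_rules([r"\bChrome/"]))  # blocks only Chrome
    print(check_mime_rules(["image/png", "audio/mpeg"],
                           ["image/png", "text/html; charset=utf-8", "audio/mpeg"]))
```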
Testing Squid
Blacklisting an entry
To test our Squid installation and make sure everything is working correctly before moving on to the next steps, we’re going to enter a domain in the Blacklist box. If we set things up correctly, Squid should block any attempts to access that domain.
- From the ACLs tab of the Squid Proxy Settings, list facebook.com in the Blacklist box and click Save.
- From the General tab of the Squid Proxy Settings, tick the Enable Squid Proxy box.
- Click Save.
We’ve configured Squid to block facebook.com, and enabled the proxy server.
The next thing we need to do is configure our web browser to use the proxy server, so we can see if it’s working properly. If it is, Squid should block access to facebook.com.
Configuring Firefox to use Squid
- Launch Firefox and click the Settings icon at the top right of the UI. Select Preferences (or Options in Windows). This displays the General Settings page.
- Scroll down the General Settings until you see Network Settings, and click the Settings button.
- Select Manual Proxy Configuration.
- In the HTTP Proxy box, enter your pfSense box’s IP address. The default is 192.168.1.1.
- Enter 3128 in the Port field.
- Check the Also use this proxy for FTP and HTTPS box.
- Click OK at the bottom of the menu, and exit the Settings page.
Now, when I try to access facebook.com – whether over HTTP or HTTPS – I get the following error:
And that’s exactly what I wanted. Squid is working properly.
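The access log enabled under Logging Settings records the same outcome, which is handy when the browser error alone is ambiguous. The script below is an added example, not part of the original guide: it parses Squid native-format access.log lines (assumed to live in the default /var/squid/logs directory on the pfSense box) and counts TCP_DENIED entries per destination host. The sample lines are constructed; note that an explicit-mode HTTPS request is logged as CONNECT host:443 rather than a full URL.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout (one request per line):
# time elapsed client action/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

def host_of(method, url):
    """CONNECT (explicit-mode HTTPS) logs host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["method"], rec["url"])
    return rec

def denied_by_host(lines):
    """Count TCP_DENIED entries per destination host; also tally every action seen."""
    denied, summary = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary[rec["action"]] += 1
        if rec["action"] == "TCP_DENIED":
            denied[rec["host"]] += 1
    return denied, summary

# Constructed sample lines in Squid's native format (not taken from a real box).
SAMPLE_LOG = """\
1700000000.123      0 192.168.1.50 TCP_DENIED/403 3928 GET http://facebook.com/ - HIER_NONE/- text/html
1700000001.456      0 192.168.1.50 TCP_DENIED/403 3928 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1700000002.789    120 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000003.012      2 192.168.1.51 TCP_HIT/200 5120 GET http://example.com/index.html - HIER_NONE/- text/html
this line is deliberately malformed
""".splitlines()

if __name__ == "__main__":
    denied, summary = denied_by_host(SAMPLE_LOG)
    for host, n in denied.most_common():
        print(f"{n:4d} denied  {host}")
    print(dict(summary))
```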
SquidGuard
So our proxy server is working and configured to block Facebook, but if we were to block ads this way, we’d have to add a massive number of domains to Squid’s Blacklist. This is far from ideal.
Thankfully, we can install SquidGuard from pfSense’s official repository. SquidGuard is an add-on package that enables list-based filtering. With list-based filtering, all we need to do is enter the URL to a list of blacklisted domains, and SquidGuard will automatically block any domains that match.
Now that we have a basic Squid proxy set up, we can proceed with installing and configuring SquidGuard.
Installing SquidGuard
- Select System > Package Manager from the top menus. Like before, this takes you to the Installed Packages tab of the Package Manager.
- Select the Available Packages tab. This displays the list of available packages.
- Scroll the page until you find SquidGuard, and click Install. You’re taken to the Package Installer window.
- Click Confirm to begin the installation.
- Once complete, Success should be displayed at the bottom of the Package Installer window. We’ve successfully installed SquidGuard.
Configuring SquidGuard
Now that SquidGuard is installed, we can configure it for list-based filtering.
- Select Services > SquidGuard Proxy Filter from the top menus. This takes you to the General tab of the SquidGuard Proxy Filter Settings.
As we did when configuring Squid, we’ll now configure SquidGuard section by section. And we will only focus on the sub-menus required to achieve our goal. Any settings that are not specifically mentioned should be left untouched.
General Options
Logging options
Miscellaneous Options
Blacklist options
- Check the Blacklist box.
- In the Blacklist URL field, enter the following blacklist URL: https://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz. The URL links to a blacklist organized in various categories that SquidGuard will download. For each category, we can choose to either allow or block traffic to the domains it includes. The list is available for free and is maintained by Toulouse University in France. You’re free to use other lists but bear in mind that many – if not most – are paid.
- Once you’ve typed in the URL, click Save at the bottom of the page.
Downloading the blacklist
- Select the Blacklist tab within the SquidGuard Proxy Filter Settings. This displays the Blacklist Update page.
- Click the Download button. SquidGuard will download and parse the blacklist.
- Once done, you should see Blacklist update complete in the Blacklist update Log window.
Configuring blacklist filtering in SquidGuard
- Still from the SquidGuard Proxy Filter Settings page, select the Common ACL tab.
- Click the + symbol to the right of the Target Rules List header to display the Target Rules List.
- Scroll down the list until you find “blk_blacklists_publicite,” which means advertisements in French. Select Deny from the drop-down menu to its right.
- You can go ahead and block any other categories you want to filter.
- Once done, scroll to the bottom of the list and select Allow from the drop-down menu to the right of Default Access.
- Click Save.
- Select the General tab of the SquidGuard Proxy Filter Settings again, and click the Enable box, then click Save at the bottom of the page.
- After you’ve saved your changes, click the Apply button at the top of the page.
Testing the setup
We’ve now configured Squid and integrated SquidGuard for blacklist filtering. Because I already configured my browser to use the proxy in our previous test, if I access a webpage that displays ads, they should be filtered.
With Squid enabled:
With Squid disabled:
Great, it works. But as things are set up now, Squid and SquidGuard will only filter my browser’s traffic. What if I wanted to filter ads out system-wide? That’s what I’m going to show you now. We’re going to configure our device(s) to send all their traffic through the proxy server, so that all your apps benefit from Squid’s ad-blocking. I’m going to show you how to set this up on Windows, macOS, Linux, iOS, and Android.
Configuring system-wide content filtering on client devices
Reset the browser settings
First, we need to undo the manual proxy settings we applied to Firefox in our previous test.
- Access the Network Settings in Firefox’s preferences, and select Use system proxy settings. This tells Firefox to use the system’s (your device) proxy settings as its own.
- Click OK at the bottom of the menu and close the Settings page.
macOS
- Select Network from the System Preferences app.
- Select your current connection and click Advanced at the bottom right.
- Select the Proxies tab.
- Click the Web Proxy (HTTP) and the Secure Web Proxy (HTTPS) boxes.
- Enter the IP address of your pfSense box and the proxy port, which is 3128 by default. So, in my case, I enter 192.168.1.1 and 3128.
- Click OK and Apply.
Windows
- Access the Settings app (Win+I keyboard shortcut).
- Select Network and Internet.
- Select the Proxy tab.
- Scroll down to find the Manual proxy setup section.
- Enable the Use a proxy server switch.
- Enter the IP address of your pfSense box and the proxy port – 192.168.1.1 and 3128 in my case.
- Click Save.
Linux
- Access the Network Settings window and select Network proxy.
- From the Method drop-down menu, select Manual.
- Enter the IP address of your pfSense box and the proxy port – 192.168.1.1 and 3128 in my case – next to HTTP Proxy and HTTPS Proxy.
- Exit the Network Settings window.
iOS
- Access the Settings app, select WiFi, and tap the “i” next to your WiFi connection.
- Scroll down the page and select Configure Proxy.
- Choose Manual.
- Enter the IP address of your pfSense box and the proxy port – 192.168.1.1 and 3128 in my case – next to Server and Port.
- Exit the Settings app.
Android
- Launch the Settings app and select WiFi.
- Long-press the current WiFi network.
- Choose Modify network.
- Expand the Advanced options.
- From the Proxy drop-down menu, select Manual.
- Enter the IP address of your pfSense box and the proxy port – 192.168.1.1 and 3128 in my case – under Proxy hostname and Proxy port.
- Click Save.
You may have noticed that these settings only apply to WiFi. In order to use the proxy with mobile data on iOS or Android, you would need to install a mobile device management (MDM) profile, which is beyond the scope of this tutorial.
Wrap up
You’ve now successfully set up a proxy server with blacklist filtering, which will block annoying (and obnoxious) ads on all your devices. Not only will this enhance your privacy and security by preventing ads from stealing your data, but it will also reduce your bandwidth consumption. You’ll also experience faster loading times for web pages because ads won’t be downloaded and because Squid is caching frequently requested content for you, removing the need to go back out to the internet to fetch it.
Stay safe.