OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: qchoumont on December 09, 2024, 01:57:57 AM

Title: [NOOB]OPNSense as a Content filter not filtering content
Post by: qchoumont on December 09, 2024, 01:57:57 AM
I'm attempting to set up OPNsense as a content filter. I have my LAN IP set up and can access the OPNsense device through the web portal; the OPNsense device is using DHCP to get its WAN address and is connected to the internet.

I have enabled Unbound DNS: Blocklist
Force SafeSearch: ON
Type of DNSBL: All Porn List; PornTop1M List; Blocklist.site Porn

Apply

This does nothing.

I thought that maybe I have to set my client's default gateway to the OPNsense WAN address; this results in internet loss.


My OPNsense device is connected to an ISP router which is using a non-public IP address. Both the WAN and LAN ports are connected to an integrated switch, and the client device is wired to the integrated switch.

Is there something I am missing?
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: qchoumont on December 09, 2024, 02:40:32 AM
I've just tried setting my OPNsense LAN address as my preferred DNS server, and it works.

Is there a way to set this up so that it isn't so easily bypassed?
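Why the fix in the post above works, as an added illustration that is not OPNsense or Unbound code: the DNSBL and Force SafeSearch options act inside the resolver, so only queries that actually arrive at OPNsense's Unbound get filtered. The feed, the LAN address 192.168.10.1, the 0.0.0.0 block answer and the client setups are constructed for the example; only the SafeSearch alias names (forcesafesearch.google.com, strict.bing.com, restrict.youtube.com) are the providers' real ones.

```python
from dataclasses import dataclass

LAN_RESOLVER_IP = "192.168.10.1"   # assumed OPNsense LAN address

# Constructed feed in the hosts-style format most DNSBL sources use
# ("0.0.0.0 name" or a bare "name"; "#" starts a comment). Not a real list.
BLOCKLIST_FEED = """\
# constructed sample feed
0.0.0.0 adult-site.example
0.0.0.0 cdn.adult-site.example
tracker.example.net
"""

# Force SafeSearch: the resolver answers the engine's normal name with the
# provider's restricted alias, so the browser lands on the locked-down front end.
SAFESEARCH_CNAMES = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
    "www.youtube.com": "restrict.youtube.com",
}


def parse_hosts_feed(text: str) -> set:
    """Return the set of blocked names from a hosts-style or plain-domain feed."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name = fields[1] if len(fields) > 1 else fields[0]
        blocked.add(name.lower().rstrip("."))
    return blocked


def is_blocked(qname: str, blocked: set) -> bool:
    """A DNSBL entry covers the name itself and every name beneath it."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


@dataclass
class FilteringResolver:
    blocked: set
    safesearch: dict

    def resolve(self, qname: str) -> tuple:
        name = qname.lower().rstrip(".")
        if is_blocked(name, self.blocked):
            return ("BLOCKED", "0.0.0.0")       # assumed DNSBL destination address
        if name in self.safesearch:
            return ("CNAME", self.safesearch[name])
        return ("FORWARD", name)                # normal recursion / forwarding


RESOLVER = FilteringResolver(parse_hosts_feed(BLOCKLIST_FEED), SAFESEARCH_CNAMES)


def lookup_from_client(client_dns: str, qname: str) -> tuple:
    """What a LAN client gets, depending on which resolver it was told to use."""
    if client_dns != LAN_RESOLVER_IP:
        return ("UNFILTERED", qname)   # the query never touched OPNsense's Unbound
    return RESOLVER.resolve(qname)


if __name__ == "__main__":
    for dns in (LAN_RESOLVER_IP, "8.8.8.8"):
        for q in ("www.adult-site.example", "www.google.com", "docs.python.org"):
            print(f"{dns:>14} {q:26} -> {lookup_from_client(dns, q)}")
```

The suffix walk in `is_blocked` is what makes one list entry cover `www.adult-site.example` without also catching `notadult-site.example`; a plain substring check would get the second case wrong. The last function is the whole story of the first post: with the client pointed at 8.8.8.8, every lookup comes back `UNFILTERED` no matter what the blocklist contains.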
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: hharry on December 09, 2024, 02:51:56 AM
Look into Zenarmor for NGFW capability.

OPNsense does support filtering based on FQDN, if that's what you're after, but for true content filtering you'll likely be better off with Zenarmor.
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: Patrick M. Hausen on December 09, 2024, 07:42:41 AM
Or for stricter DNS based blocking:

- block port 53 and 853 outbound (destination invert, this firewall)
- give all client systems the local OPNsense as their DNS server via DHCP
- use AdGuard Home with Unbound and a DoH blocklist

HTH,
Patrick
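The three measures above, modelled end to end as an added example (this is not OPNsense code; it mimics first-match rule evaluation on the LAN interface). The LAN address 192.168.10.1, the remote resolver addresses and the short DoH provider list are constructed for the demonstration; `Flow` and `Rule` are illustrative types, not OPNsense APIs.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

FW_LAN_IP = ip_address("192.168.10.1")   # assumed OPNsense LAN address


@dataclass(frozen=True)
class Flow:
    """One connection attempt as it enters the LAN interface."""
    dst: str
    proto: str                       # "tcp" or "udp"
    dport: int
    doh_name: Optional[str] = None   # port 443 only: provider name the client must
                                     # resolve first; None = hard-coded resolver IP


@dataclass(frozen=True)
class Rule:
    action: str                       # "block" or "pass"
    protos: tuple                     # protocols matched
    dports: tuple = ()                # () = any destination port
    dst_this_firewall: bool = False   # Destination "This Firewall"
    dst_invert: bool = False          # the "Destination / Invert" checkbox
    desc: str = ""

    def matches(self, f: Flow) -> bool:
        if f.proto not in self.protos:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.dst_this_firewall:
            hit = ip_address(f.dst) == FW_LAN_IP
            if self.dst_invert:
                hit = not hit
            if not hit:
                return False
        return True


# First match wins, as on Firewall: Rules: LAN. The block rule has to sit
# above the stock "allow LAN to any" rule or it never fires.
LAN_RULES = [
    Rule("block", ("tcp", "udp"), (53, 853), dst_this_firewall=True, dst_invert=True,
         desc="Block DNS and DoT to anything except this firewall"),
    Rule("pass", ("tcp", "udp"), desc="Default allow LAN to any"),
]


def firewall_verdict(f: Flow) -> str:
    for r in LAN_RULES:
        if r.matches(f):
            return r.action
    return "block"    # pf's implicit default deny


# DHCP option 6: the firewall itself is the only resolver clients are given.
DHCP_DNS_SERVERS = (str(FW_LAN_IP),)

# DoH block list loaded into the local resolver (AdGuard Home in the post).
# Constructed subset; a real list is much longer.
DOH_NAME_BLOCKLIST = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def dns_attempt_outcome(f: Flow) -> str:
    """Where one client's DNS attempt ends up with all three measures in place."""
    if firewall_verdict(f) == "block":
        return "blocked by firewall rule"
    if f.dport in (53, 853):
        return "reaches the filtering resolver on OPNsense"   # only one allowed
    if f.dport == 443 and f.doh_name is not None:
        # Plain DNS is pinned to OPNsense, so the provider name is looked up there.
        if f.doh_name in DOH_NAME_BLOCKLIST:
            return "DoH provider name refused by resolver"
        return "DoH provider not on block list: bypass"
    if f.dport == 443 and f.doh_name is None:
        return "DoH to hard-coded IP: bypass, needs an IP block list"
    return "ordinary traffic"


if __name__ == "__main__":
    for flow in (Flow("8.8.8.8", "udp", 53), Flow("1.1.1.1", "tcp", 853),
                 Flow(str(FW_LAN_IP), "udp", 53),
                 Flow("8.8.4.4", "tcp", 443, doh_name="dns.google"),
                 Flow("1.1.1.1", "tcp", 443)):
        print(f"{flow.dst:>14}/{flow.proto}/{flow.dport:<4} -> {dns_attempt_outcome(flow)}")
```

In the GUI the first rule is Firewall: Rules: LAN, Action Block, Protocol TCP/UDP, Destination "This Firewall" with Invert checked, Destination port a port alias holding 53 and 853, dragged above the default LAN allow rule; the DHCP step is the DNS servers field of the LAN scope in Services: ISC DHCPv4. The last two outcomes in the model are the caveat a practitioner should keep in mind: a DoH client that already knows its resolver's IP never asks the local resolver for a name, so that path is closed only by an IP-based rule rather than by the DNS block list.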
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: qchoumont on December 09, 2024, 10:54:35 PM
I think Zenarmor is the route for me. I'm looking for a content filter solution for an elementary school and figured I'd explore pfSense as a solution over the weekend, and ended up on OPNsense. It does about 80% of what I need through Unbound, but I just needed an additional category for keeping the kids off of games. I'll trial Zenarmor this week and hopefully it does everything I need it to, and I can recommend the purchase of an appliance.

Thank you for your help. One hanging question I still have is, if I were to use OPNsense as my router, would I be able to filter all traffic regardless of client device DNS preferences?
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: cookiemonster on December 09, 2024, 11:06:24 PM
Don't forget that if the users are bringing their own devices, as in BYOD, they can still change the settings to use encrypted DNS with DNS over HTTPS and DNS over TLS. Then you need to start thinking about endpoint management.
In general you can filter traffic as long as it is unencrypted and they can't change settings.
Suggestion: reach out to Zenarmor for their advice.
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: Patrick M. Hausen on December 09, 2024, 11:11:27 PM
Quote from: qchoumont on December 09, 2024, 10:54:35 PM
Thank you for your help. One hanging question I still have is, if I were to use OPNsense as my router, would I be able to filter all traffic regardless of client device DNS preferences?

Yes, if you follow what I outlined above. We can help with the details if needed. I just consulted a German high school about exactly this setup two weeks ago.

And that's without Zenarmor, just DNS. You can nail it down pretty well.

@cookiemonster, if you block regular DNS and DoT to anything but your OPNsense and then use a DoH block list in e.g. AdGuard Home, you're pretty good.
Title: Re: [NOOB]OPNSense as a Content filter not filtering content
Post by: cookiemonster on December 09, 2024, 11:20:16 PM
Quote from: Patrick M. Hausen on December 09, 2024, 11:11:27 PM
@cookiemonster, if you block regular DNS and DoT to anything but your OPNsense and then use a DoH block list in e.g. AdGuard Home, you're pretty good.
Yes, true.
OP should be aware though, hence I mentioned it.