[NOOB]OPNSense as a Content filter not filtering content

Started by qchoumont, December 09, 2024, 01:57:57 AM

I'm attempting to set up OPNSense as a content filter. I have my LAN IP set up and can access the OPNSense device through the web portal; the OPNSense device is using DHCP to get its WAN address and is connected to the internet.

I have enabled Unbound DNS:Blocklist
Force SafeSearch: ON
Type of DNSBL: All Porn List; PornTop1M List; Blocklist.site Porn

Apply

This does nothing.

I have thought that maybe I have to set my client default gateway to the OPNSense WAN Address, this results in internet loss.


My OPNSense device is connected to an ISP router which is using a non-public IP address. Both the WAN and LAN ports are connected to an integrated switch, and the client device is wired to the integrated switch.

Is there something I am missing?

I've just tried setting my OPNSense LAN address as my preferred DNS server and it works.

Is there a way to set this up so that it isn't so easily bypassed?

look into zenarmor for NGFW capability....

opnsense does support filtering based on FQDN....if that's what you're after, but for true content filtering, you'll likely be better off with zenarmor

Or for stricter DNS based blocking:

- block port 53 and 853 outbound (destination invert, this firewall)
- give all client systems the local OPNsense as their DNS server via DHCP
- use AdGuard Home with Unbound and a DoH blocklist

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
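To make the three-step lock-down above concrete, here is a small policy model (added example, not Patrick's code or any OPNsense output) that replays representative client connection attempts against the outbound 53/853 rule and the resolver's DoH blocklist. The LAN address and the two blocklist names are constructed for the example; the last scenario shows the case the rule alone cannot cover, a client with a hard-coded DoH server IP.

```python
from ipaddress import ip_address

# Constructed values for the example: the OPNsense LAN address and a tiny
# stand-in for the DoH blocklist that AdGuard Home/Unbound would serve.
FIREWALL_LAN = "192.168.1.1"
DOH_BLOCKLIST = {"dns.google", "cloudflare-dns.com"}  # hypothetical entries


def firewall_verdict(dst_ip, dst_port):
    """Outbound rule from the thread: block 53 and 853 unless the
    destination is this firewall (destination 'invert' + 'This Firewall')."""
    if dst_port in (53, 853) and ip_address(dst_ip) != ip_address(FIREWALL_LAN):
        return "block"
    return "pass"


def resolver_verdict(qname):
    """The local resolver refuses names on the DoH blocklist, so a client
    that resolves through the firewall never learns the DoH server's address."""
    return "nxdomain" if qname in DOH_BLOCKLIST else "answer"


def client_outcome(dst_ip, dst_port, qname=None):
    """Combined outcome for one connection attempt. qname is the hostname the
    client had to look up first (with the rule in place, only the firewall's
    resolver can answer it); None means the client used a hard-coded IP."""
    if qname is not None and resolver_verdict(qname) == "nxdomain":
        return "blocked by resolver"
    if firewall_verdict(dst_ip, dst_port) == "block":
        return "blocked by firewall"
    return "allowed"


# Constructed scenarios: public resolver IPs used purely as sample destinations.
SCENARIOS = [
    ("plain DNS to public resolver", ("8.8.8.8", 53, None)),
    ("DoT to public resolver", ("1.1.1.1", 853, None)),
    ("DNS to OPNsense itself", (FIREWALL_LAN, 53, None)),
    ("DoH by hostname", ("8.8.8.8", 443, "dns.google")),
    ("DoH by hard-coded IP", ("8.8.8.8", 443, None)),
]


def run_scenarios():
    return {name: client_outcome(*args) for name, args in SCENARIOS}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30s} -> {outcome}")
```

The final scenario is the gap the thread goes on to discuss: once a device carries its own DoH endpoint address, only endpoint management (or TLS inspection) closes it.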

I think Zenarmor is the route for me. I'm looking for a content filter solution for an elementary school and figured I'd explore pfSense as a solution over the weekend and ended up on OPNsense; it does about 80% of what I need through unbound but just needed an additional category for keeping the kids off of games. I'll trial zenarmor this week and hopefully it does everything I need it to and I can recommend the purchase of an appliance.

Thank you for your help. One hanging question I still have is, if I were to use OPNsense as my router, would I be able to filter all traffic regardless of client device DNS preferences?

Don't forget that if the users are bringing their own devices as in BYOD, they can still change the settings to use encrypted DNS with DNS over HTTPS and DNS over TLS. Then you need to start thinking about end point management.
In general you can filter traffic as long as it is unencrypted and they can't change settings.
Suggestion: reach out to Zenarmor for their advice.

Quote from: qchoumont on December 09, 2024, 10:54:35 PM
Thank you for your help. One hanging question I still have is, if I were to use OPNsense as my router, would I be able to filter all traffic regardless of client device DNS preferences?

Yes, if you follow what I outlined above. We can help with the details if needed. Just consulted a German high school about exactly this setup two weeks ago.

And that's without Zenarmor, just DNS. You can nail it down pretty well.

@cookiemonster if you block regular DNS and DoT to anything but your OPNsense and then use a DoH block list in e.g. AdGuard Home, you are pretty good.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick
@cookiemonster if you block regular DNS and DoT to anything but your OPNsense and then use a DoH block list in e.g. AdGuard Home, you are pretty good.

Yes, true.
OP should be aware though, hence I mentioned it.