How to block HTTP and HTTPS websites with E2guardian

Hi guys,

In this blog post I’m going to show you how to block HTTP and HTTPS domains by using the E2guardian service in pfSense. E2guardian is a web filter and also works as a proxy server. It has many features and more potential than the SquidGuard web filter. There are many ways to block HTTPS domains, but not all of them are helpful or work well. By using E2guardian, you don’t need to do anything on the client side to block HTTPS domains. By the way, we will not use the Squid or SquidGuard packages.

I will share the main website, GitHub and forum page for E2guardian at the end of the post. They might be helpful for you.

 

System Information

Here is the list of what we need:

pfSense 2.4.x

WAN and LAN

E2guardian 5.x

 

Install E2guardian Package

We will first add the unofficial repository to pfSense; after that we will be able to install the package. Access the shell by using SSH, or go to the Diagnostics -> Command Prompt -> Execute Shell Command menu, and use the following command.

pfsense# fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.24.conf 

After fetching the repo file, go to System -> Package Manager and then install the package.

If you don’t see the E2guardian package in the menu, you need to apply the E2guardian patch to be able to install it. Install the “patch” package, then go to System > Patches and click the “Add New Patch” button. Copy all of the code from the following link and paste it into the field.

Patch link here.

Do not forget to click the “Apply” button to apply the patch. When you do that, you will see the E2guardian package.

NOTE: I have found that, after patching successfully, we need to reboot pfSense in order to see the E2guardian package in Package Manager. Please do that if you don’t see the E2guardian package.

 

Create Self-Signed Certificate

Create a self-signed certificate for E2guardian under the System -> Cert. Manager menu. After that, click the + button under the CAs tab. Do not forget to save the settings.

 

E2guardian Configuration

Now we will configure the E2guardian service and then test it. Go to the Services -> E2guardian Proxy menu. Then download a blacklist under the Blacklist menu; install the widely used blacklist, shallalist.


Go to the Daemon menu, enable the following feature and then save the settings.

So far, the configuration of the E2guardian service is done. Let’s test whether the service is working or not.

 

E2guardian Test

In this section, we will try to block a few HTTPS domains and test them. Go to ACLs -> Site Lists and click the + button to create a new ACL. I will block these domains: “youtube.com, facebook.com, twitter.com, instagram.com”. Add whatever you want to block to the Banned menu.

NOTE: The Default ACL should be at the top, above the other ACLs.

Now we will create a group and assign the IP addresses that we want to block to the group. The clients that are in this group will be blocked. Go to the Groups menu and click the + button to create a new group.

NOTE: The Default ACL should be at the top, above the other ACLs.

Now we will assign the local users’ IP addresses to the group that we created. The users who are in the group will be blocked from the websites. Go to the IPs menu and add the IP addresses that you want to block to the group. Except for these “10.0.0.1-11-2” IP addresses, everybody can go everywhere, like “facebook, twitter, google etc”.

Now we will test the service and see if it works or not. Go to a computer that is in the group and try to access these domains (for me, “youtube.com, facebook.com, twitter.com, instagram.com”).
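
The test above can also be scripted on a client in the group. This is an added example, not part of the original post or of the E2guardian package. It assumes curl is installed on the client, that a filtered HTTPS request appears as a refused or aborted connection (curl exit 7, 35 or 56) and a filtered HTTP request as a 403; the function names and example.org (standing in for a site that should stay reachable) are placeholders.

```sh
#!/bin/sh
# Added example: run on a client in the filtered group, not on pfSense.

# Map a curl exit status ($1) and HTTP status ($2) to a verdict.
# Assumption: a filtered HTTPS request is refused or aborted (curl exit
# 7, 35 or 56) and a filtered HTTP request is answered with 403.
classify_fetch() {
    case "$1" in
        0)
            case "$2" in
                403) echo blocked ;;
                2??|3??) echo allowed ;;
                *) echo unknown ;;
            esac ;;
        7|35|56) echo blocked ;;
        *) echo unknown ;;  # e.g. 6 (DNS) or 28 (timeout) proves nothing
    esac
}

# Fetch one URL with curl (10 s limit) and print the verdict.
probe_url() {
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1")
    classify_fetch "$?" "$code"
}

# Read "block|allow URL" lines on stdin, print one result line per URL and
# return the number of mismatches. PROBE may name a stand-in for probe_url.
audit_policy() {
    failures=0
    while read -r want url; do
        [ -n "$url" ] || continue
        got=$("${PROBE:-probe_url}" "$url" </dev/null)
        case "$want:$got" in
            block:blocked|allow:allowed) status=OK ;;
            *) status=FAIL; failures=$((failures + 1)) ;;
        esac
        printf '%-4s want=%s got=%s %s\n' "$status" "$want" "$got" "$url"
    done
    return "$failures"
}

# Usage: sh check_filter.sh run   (example.org is a placeholder for a site
# that should stay reachable)
if [ "${1:-}" = run ]; then
    audit_policy <<'EOF'
block https://youtube.com/
block https://facebook.com/
allow https://example.org/
EOF
fi
```

A FAIL on a "block" line right after a policy change may only mean the client still has an old state or cached page, which is what the Troubleshooting notes address.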

 

Troubleshooting

NOTE: If clients can still reach denied domains, try killing the clients’ states. Access your pfSense with SSH and use the command “pfctl -k client_ip_address” to kill a client’s states. Then try to access the denied domains again.

NOTE: If clients can still reach denied domains, try clearing the browser’s entire cache and try again.

NOTE: If something is wrong with the e2guardian service, access your pfSense by using SSH and then try to restart the e2guardian service with the command ( /usr/local/etc/rc.d/e2guardian.sh restart ). If something is wrong, you’ll see it in the output of the service.

NOTE: After you make changes in the E2guardian menus, you don’t need to go to the Daemon menu and click the Save button. If you make changes in the menus, click “Apply Changes” and that’s all; then test whether it works or not.

 

Performance Tuning

Sometimes people complain about the performance of E2guardian and how it slows down the internet connection on the network. There are a few options that we can check in E2guardian. If you don’t use Content Filter and Antivirus and the internet connection is still slow, then we can check the Http workers option in the Daemon menu.

If you have 100 active users on your network, you need to increase the number of Http workers to a value between 2500 and 3000, or more. After that you can test the internet connections for a few hours on the network, but make sure that no connections from before the change are still active. Delete all users’ active connections from the State Table on pfSense, or delete just one client’s, and then test it.

Don’t forget to add the E2guardian widget to the Dashboard to see detailed statistics and errors. If you see that all workers become busy and the internet is still slow, try to increase Http workers further (but not too much). If you want to learn what these columns (Time, Busy, HttpwQ, LogQ …) mean, check out this link.

If someone has experience with this topic, you are welcome to share it in the comment section.

I also recommend reading about performance tuning in this document.

 

Configure Sarg with E2guardian

I wrote a blog post about getting reports from E2guardian by using the Sarg service. You can see the blog post at the following link.

https://lifeoverlinux.com/how-to-configure-sarg-to-use-with-e2guardian/

 

Big thanks to Marcelloc and the developers of E2guardian.

Here are some links that might be helpful for you.

  1. http://e2guardian.org/cms/index.php
  2. https://github.com/e2guardian/e2guardian
  3. https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense

If you have any questions, feel free to ask in the comment section.

28 comments on “How to block HTTP and HTTPS websites with E2guardian”
  1. Alexandre Salvador says:

    Hi,

    I am using the pfSense 2.4.4 amd64 version but I could not successfully install e2Guardian 5 on my pfSense. When I add the repository for e2Guardian 5, I could not find any package via the pfSense package manager. From the command shell I found some ways to make it work, but when I installed e2Guardian 5 I could not reach the pfSense Web Management portal?

    Thank you,

  2. Alexandre Salvador says:

    Thank you for your quick response. Then how can I do reporting without using squid? Does lightsquid work without the squid proxy server package?

  3. Marcelloc says:

    On the same repo, sarg package is available and runs fine with e2guardian logs in squid format.

  4. Shaan says:

    I’ve followed your guide and installed e2guardian 5 on my pfsense router. But I’m facing a problem: although site block is working, url blocking is not working. I’ve followed the same steps as you have described for creating a site list to create a url list. Could you explain how it should be done?

    The only difference I can see between your setup and mine is that I am running it on the latest pfsense 2.3.5 version, as I have an old i386 board under the hood.

    • ibrahimucar says:

      I would suggest you use pfSense 2.4.x. It’s more stable on pfSense 2.4.x. Most people who use E2guardian use pfSense 2.4 or above. By the way, Site Lists and URL Lists are different things. I didn’t mention the URL Lists feature; I only covered Site Lists.

      I actually have no time to write a detailed blog post about E2guardian. I’m preparing for the IELTS exam. After 1 month I’ll try to write a new blog post about that.

      Do not forget to install the latest version of E2guardian on pfSense 2.4.x.

      • Shaan says:

        Thanks for the info, I’ll try the 2.4.x version and let you know if it works, it should I guess. There is no 2.4.x version for i386 boards, so I will have to get a spare x64 based system for that.

        It’s interesting that you are preparing for IELTS, because I am also an IELTS Exam Prep Trainer. Lemme know if you need help. Best of luck for the exam !

        • ibrahimucar says:

          Thanks for your kind words.)

          Updated: I got 6.0 out of 9.0 on the IELTS. I could only study 23 days for the IELTS; many people study 5-6 months to get a 6.5-7.0+ score. My score is enough for now.)

  5. Sujith says:

    Does e2guardian require man in the middle SSL like squid proxy?

  6. Günay İnce says:

    Mr. İbrahim,
    Thank you very much for the information and the explanation. Thanks to you I am making the settings and testing the system. I am trying to research and learn on my own. I benefit from the knowledge of experts like you. Thank you for everything.

  7. Fahmi says:

    Why can’t it redirect to the error page?

    It just shows “secure connection failed” in Firefox and just “this site can’t be reached” in Chrome…

  8. mark says:

    Is it possible to deny all websites but allow some websites like gmail and yahoo?

    • ibrahimucar says:

      It looks possible: you can deny all the categories in the Site Lists and then allow the gmail and yahoo domains in the Exception Lists or Grey Lists in the same place. Don’t forget to create a category for the ACL, and after this put your whole network (192.168.1.0/255.255.255.0) into the group in the IP List.

      NOTE: This will not be healthy, because you will block everything except a few domains, but these few domains will try to access google, facebook, twitter, etc. And as you see, google, twitter and others will be blocked, so the web sites will not load correctly.

      If someone knows how to do this in a better way, you are welcome to tell us.

      Also you can ask this question on the forum:
      https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense/1135

  9. VicPome says:

    It’s not working for me. I did everything you wrote, however I cannot filter the contents. “Troubleshooting” included.

    • ibrahimucar says:

      Interesting! Actually I wrote everything about E2guardian, and if you did the installation correctly, then you must be doing some wrong configuration. I don’t know what to say because I wrote everything I’ve got.

      I’m guessing that you have the latest pfSense, installed a fresh E2guardian and then did the “e2guardian configuration” part correctly. If you are having trouble while trying to filter, you are probably doing something wrong in the filter configuration. You can search on Google for how to filter in e2guardian for more information, or you can ask your question on the E2guardian forum. They might help you step by step.

      I also suggest you watch these videos, which will show you step by step how to install, configure and test e2guardian.
      (part1,part2,part3):
      https://www.youtube.com/watch?v=V4Md4Ja1pMg
      and other one:
      https://www.youtube.com/watch?v=rHmvAtt5Ybw

  10. jb says:

    Hello,
    I followed all the instructions
    and filtered https (block https for youtube, facebook, instagram),
    but I cannot browse any other website. It says RESPONSE 403 *NETERROR* in the realtime logs.

    • ibrahimucar says:

      Hello,

      I accept your comment but I don’t know how to guide you to solve the problem. If I had time to connect to your pfSense, I would solve it in a few minutes, but from here without access I don’t know what to say, and I don’t have much time actually.

      I recommend you write about your problem on the pfSense forum for E2guardian.

      If someone has faced this problem, you are welcome to share the solution in the comment section.

  11. thiru says:

    Hi,

    Can anyone please explain how to configure e2guardian to block a URL or bannedsitelist based on time slots? E.g.

    I want to block facebook between 10 am and 5 pm.

  12. Yavuz Kandemir says:

    Hello, your article is really good. Just like your courses on Udemy.
    I installed E2guardian and got it running. In the real-time logs there are lots of errors like the one below. What could be the cause and the solution?

    11.01.2020 15:08:40 192.168.1.19 192.168.1.19 TCP_DENIED/403 https://127.0.0.1

  13. Raheel Qaiser says:

    Patch can NOT be applied cleanly

  14. Ahmet says:

    Hello,
    When I filter by IP address in E2guardian I can block, but I could not manage to block via the Users section in E2guardian, either with pfSense local users or with the users under the Squid Proxy Server service. It blocks according to the Default rule under the Groups tab, but I could not manage to block through the groups I created.
