How to block HTTP and HTTPS websites with E2guardian

Hi guys,

In this blog post I’m going to show you how to block HTTP and HTTPS domains by using the E2guardian service in pfSense. E2guardian is a web filter that also works as a proxy server. It has many features and more potential than the SquidGuard web filter. There are many ways to block HTTPS domains, but not all of them are helpful or work well. With E2guardian, you don’t need to do anything on the client side to block HTTPS domains. By the way, we will not use the Squid or SquidGuard packages.

I will share the main website, GitHub and forum pages for E2guardian at the end of the post. They might be helpful for you.

 

System Information

Here is the list of what we need:

pfSense 2.4.x

WAN and LAN

E2guardian 5.x

 

Install E2guardian Package

We will first add the unofficial repository to pfSense; after that we will be able to install the package. Access the shell by using SSH, or go to the Diagnostics -> Command Prompt -> Execute Shell Command menu, and use the following command.

pfsense# fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.24.conf 

After fetching the repo file, go to System -> Package Manager and then install the package.

If you don’t see the E2guardian package in the menu, you need to apply the E2guardian patch to be able to install it. Install the “patch” package, then go to System > Patches and click the “Add New Patch” button. Copy all the code from the following link and paste it into the field.

Patch link here.

Do not forget to click the “Apply” button to apply the patch. Once you do that, you will see the E2guardian package.

 

Create Self-Signed Certificate

Create a self-signed certificate for E2guardian under the System -> Cert. Manager menu. After that, click the + button under the CAs tab. Here is the picture of it. Do not forget to save the settings.

 

E2guardian Configuration

Now we will configure the E2guardian service and then test it. Go to the Services -> E2guardian Proxy menu. Then download the blacklist under the Blacklist menu; install the widely used blacklist, which is shallalist.


Go to the Daemon menu, enable the following feature and then save the settings.

At this point the configuration of the E2guardian service is done. Let’s test whether the service is working.

 

E2guardian Test

In this section, we will try to block a few HTTPS domains and test them. Go to ACLs -> Site Lists and click the + button to create a new ACL. I will block these domains: “youtube.com, facebook.com, twitter.com, instagram.com”. Add whatever you want to block into this Banned menu.

NOTE: The Default ACL should be on the top referring to other ACLs. 

Now we will create a group and assign to it the IP addresses that we want to block. The clients in this group will be blocked. Go to the Groups menu and click the + button to create a new group.

NOTE: The Default ACL should be on the top referring to other ACLs. 

Now we will assign the local users’ IP addresses to the group that we created. The users in the group will be blocked from the websites. Go to the IPs menu and add the IP addresses that you want to block to the group. Except for these “10.0.0.1-11-2” IP addresses, everybody can go everywhere, like “facebook, twitter, google etc”.

Now we will test the service and see if it works. Go to a computer that is in the group and try to access these domains (for me) “youtube.com, facebook.com, twitter.com, instagram.com”.

 

Troubleshooting

NOTE: If clients still get through to denied domains, try killing the states of those clients. Access your pfSense with SSH and use the command “pfctl -k client_ip_address” to kill the states of a client. Then try to access the denied domains again.

NOTE: If clients still get through to denied domains, clear the browser cache completely and try again.

NOTE: If something is wrong with the e2guardian service, access your pfSense by using SSH and restart the e2guardian service with the ( /usr/local/etc/rc.d/e2guardian.sh restart ) command. If something is wrong, you’ll see it in the output of the service.

NOTE: After you make changes in the E2guardian menus, you don’t need to go to the Daemon menu and click the Save button. If you make changes in the menus, click “Apply Changes” and that’s all; then test whether it works.
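
The first and third troubleshooting notes combined into one script, added here as an example and not taken from the original post or from the E2guardian package: it validates each client IP, runs `pfctl -k` for it, and restarts the service once. The function names and the `DRY_RUN` switch are assumptions of this example; the two commands are the ones quoted in the notes above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flush pf states for filtered
# clients, then restart E2guardian. DRY_RUN=1 (the default) only prints the
# commands; set DRY_RUN=0 when running on the firewall itself.
DRY_RUN="${DRY_RUN:-1}"
E2G_RC="/usr/local/etc/rc.d/e2guardian.sh"   # rc script path quoted in the post

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest="$1."; count=0
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"; rest="${rest#*.}"
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Kill pf states for each client IP given, then restart the service once.
# Invalid arguments are reported and skipped; returns 1 if any were skipped.
flush_and_restart() {
    rc=0
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            run pfctl -k "$ip"
        else
            echo "skipping invalid address: $ip" >&2
            rc=1
        fi
    done
    run "$E2G_RC" restart
    return "$rc"
}

# Usage on the firewall: DRY_RUN=0 sh flush_e2g.sh 10.0.0.5 10.0.0.7
if [ "$#" -gt 0 ]; then flush_and_restart "$@"; fi
```

A range such as the “10.0.0.1-11-2” notation used in the IPs menu is rejected by the validation, so pass the individual client addresses.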

 

Performance Tuning

Sometimes people complain about the performance of E2guardian and say that it slows down the internet connection on the network. There are a few options that we can check in E2guardian. If you don’t use Content Filter and Antivirus and the internet connection is still slow, check the Http workers option in the Daemon menu.

If you have 100 active users on your network, you need to increase the number of Http workers to between 2500 and 3000 or more. After that you can test the internet connection on the network for a few hours, but make sure that no connections from before the change are still active. Delete all users’ active connections from the State Table on pfSense, or delete just one client’s and then test with it.

Don’t forget to add the E2guardian widget to the Dashboard to see detailed statistics and errors. If you see that all workers are busy and the internet is still slow, try to increase Http workers further (but not too much). If you want to learn what the columns (Time, Busy, HttpwQ, LogQ …) mean, check out this link.

If someone has experience with this topic, you are welcome to share it in the comment section.

I also recommend reading the performance tuning section of this document.

 

Configure Sarg with E2guardian

I wrote a blog post about getting reports from E2guardian by using the Sarg service. You can find it at the following link.

https://lifeoverlinux.com/how-to-configure-sarg-to-use-with-e2guardian/

 

Big thanks to Marcelloc and the developers of E2guardian.

Here are some links that might be helpful for you.

  1. http://e2guardian.org/cms/index.php
  2. https://github.com/e2guardian/e2guardian
  3. https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense

If you have any questions, feel free to ask in the comment section.

20 comments on “How to block HTTP and HTTPS websites with E2guardian”
  1. Alexandre Salvador says:

    Hi,

    I am using the 2.4.4 pfSense amd64 version but I could not successfully install e2Guardian 5 on my pfSense. When I add the repository for e2Guardian 5, I cannot find any package via the pfSense package manager. From the command shell I found some ways to do it, but when I installed e2Guardian 5 I could not reach the pfSense Web Management portal?

    Thank you,

  2. Alexandre Salvador says:

    Thank you for your quick response. Then how can I do reporting without using squid? Does lightsquid work without the squid proxy server package?

  3. Marcelloc says:

    On the same repo, sarg package is available and runs fine with e2guardian logs in squid format.

  4. Shaan says:

    I’ve followed your guide and installed e2guardian 5 on my pfsense router. But I’m facing a problem: although site blocking is working, url blocking is not working. I’ve followed the same steps as you have described for creating a site list to create a url list. Could you explain how it should be done?

    The only difference I can see between your setup and mine is that I am running it on the latest pfsense 2.3.5 version, as I have an old i386 board under the hood.

    • ibrahimucar says:

      I would suggest you use the pfSense 2.4.x version. It’s more stable on pfSense 2.4.x. Most people who use E2guardian use pfSense 2.4 or above. By the way, Site Lists and URL Lists are different things. I didn’t mention the URL Lists feature, I only covered Site Lists.

      I actually have no time to write a detailed blog post about E2guardian. I’m preparing for the IELTS exam. After 1 month I’ll try to write a new blog post about that.

      Do not forget to install the latest version of E2guardian on pfSense 2.4.x.

      • Shaan says:

        Thanks for the info, I’ll try the 2.4.x version and let you know if it works, it should I guess. There is no 2.4.x version for i386 boards, so I will have to get a spare x64 based system for that.

        It’s interesting that you are preparing for IELTS, because I am also an IELTS Exam Prep Trainer. Lemme know if you need help. Best of luck for the exam !

        • ibrahimucar says:

          Thanks for your kind words.)

          Updated: I got 6.0 out of 9.0 on the IELTS. I could only study 23 days for the IELTS; many people study 5-6 months to get a 6.5-7.0+ score. My score is enough for now.)

  5. Sujith says:

    Does e2guardian require man in the middle ssl like squid proxy?

  6. Günay İnce says:

    Mr. İbrahim,
    Thank you very much for the information and the explanation. Thanks to you, I am making the settings and testing the system. I am trying to research and learn on my own. I benefit from the knowledge of masters like you. Thank you for everything.

  7. Fahmi says:

    why can’t redirect to error page?

    just showing “secure connection failed” in firefox and just “this site can’t be reached” in chrome…

  8. mark says:

    Is it possible to deny all websites but allow some websites like gmail and yahoo?

    • ibrahimucar says:

      It looks possible: you can deny all the categories in the Site Lists and then allow the gmail and yahoo domains in the Exception Lists or Grey Lists in the same place. Don’t forget to create a category for the ACL, and after this put your whole network (192.168.1.0/255.255.255.0) into the group in the IP List.

      NOTE: This will not be healthy, because you will block everything except a few domains, but these few domains will try to access google, facebook, twitter, etc. And as you see, google, twitter and the others will be blocked, so the web sites will not load correctly.

      If someone knows how to do this in a better way, you are welcome to tell us.

      Also you can ask this question on forum:
      https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense/1135
