Setup Web Filtering

Category based web filtering in OPNsense is done by utilizing the built-in proxy and one of the freely available or commercial blacklists.

For this this How-to we will utilize the UT1 “web categorization list” from the Université Toulouse managed by Fabrice Prigent. This list is supplied for free under the Creative Commons license.

Other popular lists that are expected to work well with OPNsense are:

For this tutorial we will assume:

  • Proxy has his default settings / is not configured
  • We only want web filtering and nothing else (no caching, no authentication)

Note

For other general/basic setup item of the proxy see Setup Caching Proxy

Step 1 - Disable Authentication

To start go to Services->Web Proxy->Administration.

Click on the arrow next to the Forward Proxy tab to show the drop down menu. Now select Authentication Settings and click on Clear All to disable user authentication. And click Apply to save the change.

Step 2 - Configure Blacklist

Click on the tab Remote Access Control Lists. Now click on the + in the lower right corner of the from to add a new list.

A screen will popup, enter the following details:

Enabled Checked Enable/Disable
Filename UT1 Choose a unique filename
URL (copy/paste the URL) The URL of the blacklist
categories (Leave blank) If left blank the full list will be fetched
Description UT1 web filter Your description
The URL of the full compressed UT1 category based list is:
ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
../../_images/proxy_ut1.png

Press Save Changes.

Step 3 - Download the Categories

Now press Download ACLs, please note that this will take a while (can be several minutes) as the full list (>19 MB) will be converted to squid ACLs.

Step 4 - Setup Categories

Now we can select the categories we want to use by clicking on the pencil icon next to the description of the list. This will open the edit window again, but now you will see all available categories extracted from the list.

../../_images/proxy_categories.png

For our example we will filter ads and adult content. The easiest way to do so is clear the list and select the following from the drop down list:

../../_images/proxy_catgegory.png

Now Save changes and press Download ACLs again to download and reconstruct the list with only the selected categories. This will take roughly the same amount of time as the first fetch as the adult alone section is ~15 MB.

Step 5 - Enable Proxy

To enable the proxy just go to Services->Proxy Server->Administration and check Enable proxy en click on Apply. The proxy will bind to LAN and port 3128.

It may take a while for the proxy to start and the play icon on the top right corner of the screen will turn red. Refresh the page to see if the proxy is done loading (play icon will turn green).

Step 6 - Disable Proxy Bypass

To make sure no-one can bypass the proxy you need to add a firewall rule. Go to Firewall->Rules and add the following to the top of the list rule on the LAN interface (if LAN is where your clients and proxy are on).

Action Block
Interface LAN
Protocol TCP/UDP
Source LAN net
Destination Port Range HTTP
Category Block Proxy Bypass
Description Block HTTP bypass

Save

And one more rule to block HTTPS access:

Action Block
Interface LAN
Protocol TCP/UDP
Source LAN net
Destination Port Range HTTPS
Category Block Proxy Bypass
Description Block HTTPS bypass

Save & Apply changes

../../_images/proxy_firewall.png