On May 8, 2020 11:57:47 PM CDT, Brian Wall <kc0iog at gmail.com> wrote:
>pfSense is very powerful in the L2/L3 sense, but I'm looking for something
>that does "things that a firewall shouldn't" like content filtering and
>captive portal.  pfSense can do that, sort of, but it's obviously not what
>it's designed for.

I also had L7 needs.. specifically, I needed to be able to block YouTube on the kids' Chromebooks during the school day to give us a reasonable chance that they would get their homework done when not having an adult look directly over their shoulder. I initially tried OpenWRT with its DNS inspection feature, but that ended up blocking many other Google services that the kids needed for school, like Google Drive. I concluded that I needed a firewall that supported forced TLS inspection without decryption (so I wouldn't have to push root certificates to all the devices), and after digging around, ended up using the free version of Sophos XG. It's been working well so far; the inspection works as desired, and it's easy to override if needed. It is also handling WAN load balancing and failover between cable, DSL, and LTE nicely. I wish it was open source.. but I'm willing to live with it for now.

(When Encrypted SNI becomes widespread, this method won't work anymore, and you'll have to use a proxy that requires pushing a root certificate to the client. Sophos also supports this, but hopefully I won't need it any more once the kids aren't doing school from home.)