On May 8, 2020 11:57:47 PM CDT, Brian Wall <kc0iog at gmail.com> wrote:
> pfSense is very powerful in the L2/L3 sense, but I'm looking for
> something that does "things that a firewall shouldn't" like content
> filtering and captive portal. pfSense can do that, sort of, but it's
> obviously not what it's designed for.

I also had L7 needs; specifically, I needed to be able to block YouTube on the kids' Chromebooks during the school day to give us a reasonable chance that they would get their homework done when not having an adult look directly over their shoulder.

I initially tried OpenWRT with its DNS inspection feature, but that ended up blocking many other Google services that the kids needed for school, like Google Drive. I concluded that I needed a firewall that supported forced TLS inspection without decryption (so I wouldn't have to push root certificates to all the devices), and after digging around, ended up using the free version of Sophos XG.

It's been working well so far; the inspection works as desired, and it's easy to override if needed. It is also handling WAN load balancing and failover between cable, DSL, and LTE nicely. I wish it were open source, but I'm willing to live with it for now.

(When Encrypted SNI becomes widespread, this method won't work anymore, and you'll have to use a proxy that requires pushing a root certificate to the client. Sophos also supports this, but hopefully I won't need it any more once the kids aren't doing school from home.)
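The "TLS inspection without decryption" described above works because the server_name (SNI) extension in a TLS ClientHello is sent in clear text, so a firewall can read the hostname without any certificate on the client. The following is an added example, not code from the post above, from Sophos or from OpenWRT: it parses the ClientHello record, extracts the SNI, applies a hostname-suffix policy, and flags the case the post's parenthetical warns about, where an Encrypted Client Hello (ECH) extension is present and the outer SNI is only the provider's public name rather than the real destination. Assumptions: the blocklist (youtube.com plus googlevideo.com, which serves YouTube media) is a constructed example, the ECH extension codepoint 0xfe0d is the current draft value, and build_client_hello synthesizes a minimal ClientHello for testing rather than replaying a real capture.

```python
"""Read the SNI from a TLS ClientHello and apply a hostname policy.

Added example (not from the original post). Demonstrates the cleartext-SNI
mechanism a non-decrypting TLS filter relies on, and why ECH defeats it.
"""
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft codepoint (assumption)

# Constructed example blocklist; googlevideo.com is where YouTube media is served from.
BLOCKED_SUFFIXES = ("youtube.com", "googlevideo.com")


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello -> {'sni': str|None, 'ech': bool}."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + ch[pos]                             # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                             # compression_methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(ch):
        return result                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        edata = ch[pos:pos + elen]
        pos += elen
        if etype == ECH_EXT:
            result["ech"] = True
        elif etype == SNI_EXT and len(edata) >= 2:
            # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                     # host_name
                    result["sni"] = edata[q:q + nlen].decode("ascii")
                q += nlen
    return result


def decision(record: bytes) -> str:
    """'block', 'allow', or 'unknown' (no usable hostname, e.g. ECH in use)."""
    info = parse_client_hello(record)
    if info["ech"] or info["sni"] is None:
        # With ECH the outer SNI is just the client-facing public name, so a
        # hostname filter cannot see the real destination; only a decrypting
        # proxy with a client-trusted root certificate could.
        return "unknown"
    host = info["sni"].lower().rstrip(".")
    for suffix in BLOCKED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "block"
    return "allow"


def build_client_hello(host: Optional[str], ech: bool = False) -> bytes:
    """Constructed minimal ClientHello record for testing (not a real capture)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if ech:
        payload = b"\x00" * 8                      # dummy ECH payload
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    ch = (b"\x03\x03" + b"\x11" * 32               # legacy_version, random
          + b"\x00"                                # empty session id
          + b"\x00\x02\x13\x01"                    # one suite: TLS_AES_128_GCM_SHA256
          + b"\x01\x00"                            # compression: null only
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for h, e in [("www.youtube.com", False), ("drive.google.com", False),
                 ("notyoutube.com", False), ("www.youtube.com", True)]:
        print(f"{h:20s} ech={e!s:5s} -> {decision(build_client_hello(h, e))}")
```

The suffix check requires a dot boundary, so notyoutube.com is allowed while m.youtube.com is blocked; that is the per-hostname granularity the post contrasts with DNS blocking, which took Google Drive down along with YouTube. The "unknown" result is the policy decision an operator has to make once ECH shows up: fail open, fail closed, or move to a decrypting proxy.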