This article describes how to set up a virusscanner on your PfSense router. We’ll set up the Squid proxy server and ClamAV as a virusscanner.

A lot of internet sites now use TLS (https) so not scanning inside encrypted web traffic would miss a lot of data. However we cannot decrypt en re-encrypt traffic with the original encrypter’s certificate intact because we do not have their private keys. We’ll use our own keys, resulting in an incorrect certificate, making it necessary for all clients to trust our certificate. If you’re in a small network or using Active Directory this is not much work. In AD you can use Group Policies to install the certificate. If you have many clients coming and going in your network this is not a feasable solution, but then you would probably not be responsible for all those clients.

We’ll create a Certficiate Authority in PfSense and you need to install that CA’s certficate in all your clients as Trusted Root.

Go to System > Cert Manager > CAs and click Add.

Under Method choose ‘Create an internal Certificate Authority’ and fill out the rest of the form. In my case under ‘Common Name’ I had to enter the exact fqdn of my PfSense web interface – the host and domain name that appears in the address bar of the PfSense web interface, e.g. pfsense.vorkbaard.nl or router.example.com or just example.com. If you keep getting certificate/security errors in your clients’ browsers this may the issue.

I suggest you set its lifetime nice and high so you don’t have to distribute a new one so often. Of course this is up to you.

A CA is now available.

Under Actions click the Export icon and save the file. Now you’ll need to distribute it to all network clients. If you’re using Active Directory you can do it with Group Policies.

To install it manually in Windows: open the file and click Install Certificate.

Choose either Current User or Local Machine and click Next.

Choose ‘Place all certificates in the following store’ and click Browse.

Click Trusted Root Certification Authorities and click OK.

Click Next.

Click Finish.

Click Yes.

Hurray \o/

If you want to remove the certificate, start certmgs.msc and look it up inder Trusted Root Certification Authorities.

Pushing the certificate via Group Policies
To push out the cert via Active Directory Group Policy open the Group Policy Management Editor and edit the Default Domain Policy. Under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies right-click Trusted Root Certification Authorities and choose Import.

Store Location: Local Machine. Click Next.

Select your exported certificate.

Place all certificates in the following store: Trusted Root Certification Authorities.

Click Finish.

You are victorious \o/

On the client do

gpupdate /force

or just reboot.

Setting up Squid
Install the Squid package via System > Package Manager > Available Packages.

Go to Services > Squid Proxy Server > Local Cache and click Save. No need to change anything, just letting Squid know this cache location is available.

Services > Squid Proxy Server > check ‘Enable Squid Proxy’ and select LAN.

Services > Squid Proxy Server > check Transparent Proxy Settings. This will route all web traffic through the proxy ports without the need to configure anything on the clients.

Services > Squid Proxy Server > SSL Man In the Middle Filtering > check ‘Enable SSL filtering’. SSL/MITM Mode: Splice Whitelist, Bump Otherwise. SSL Intercept Interface(s): LAN.
I had to set SSL Proxy Compatibility Mode to Intermediate because certain sites would not load if this was set to Modern.
CA: Choose the CA you created earlier.

Click Save.

Verify that your client’s internet connection is still working. Try sites with and without https. If it doesn’t work check under Status > Services if the Squid proxy service is started.

Your clients should work for both http and https sites. At a https site check the certificate; it should be the one we created earlier.


Enabling the virus scanner on the proxy
Go to Services > Squid Proxy Server > Antivirus. Check Enable AV.
Redirect url: the complete url your PfSense installation’s web interface + “/squid_clwarn.php”, for example https://pfsense.vorkbaard.nl:9856/squid_clwarn.php
ClamAV Database Update: every 1 hour but DO read ClamAV’s policy on this. Click the Update AV button once. At the time of writing they allow one update per hour.
Optional ClamAV Database Update Servers: enter your own location’s server here. If you do Clam allows you to update more often, namely four times per hour (information correct at the time of writing). More info: http://www.clamav.net/documents/clamav-virus-database-faq

Testing the virus scanner
Google for ‘eicar test virus download’. At the time of writing the correct url is: http://www.eicar.org/85-0-Download.html.

Find the download section and click the download links. This should result in a SquidClamav virus warning.

If you just get an error check the Services > Squid Proxy Server > Antivirus > Redirect url value.