Turn your Fortigate into a PiHole (well ... kind of)

How it started 

I was always annoyed by ads in mobile apps. As I'm an iPhone user and I don't like Safari, none of the ad-block apps for the iPhone work for me. And on the desktop at home, the ads bother me when I'm surfing news websites.

I heard a lot about PiHole, a kind of DNS gatekeeper for your network. All DNS traffic is routed through it and matched against several blacklists. If there is a hit, the request is blocked, so the ad cannot be loaded; it uses no network bandwidth and it doesn't bother me.

So I tried running PiHole inside a Docker container on my Synology NAS. It worked pretty well, but every other day DNS responses got slow or the Docker container hung. For me not really usable. I don't like restarting containers before watching Netflix ... you know.

Some day I stumbled over the possibility of adding external block lists to a Fortigate firewall. As I'm using such a box at home, there was new hope for me :-)
So here it is: how to use a Fortigate box to block annoying ads in your network.
  • Add external filter lists
  • Set up a DNS filter that blocks the external filter lists
  • Set up a DNS server on the Fortigate with the DNS filter enabled

How it's done

This is all done on a Fortigate firewall with firmware 6.2.5.

External lists

First we add the external lists. I currently use 8 lists, which are a mix of advertisers and trackers.

Connect to your box using SSH. At the CLI you can paste this:

config system external-resource
    edit "Disconnect-Ad-Filter"
        set type domain
        set category 194
        set resource "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
        set refresh-rate 60
    next
    edit "AdGuard"
        set type domain
        set category 192
        set resource "https://v.firebog.net/hosts/AdguardDNS.txt"
        set refresh-rate 60
    next
    edit "Firebog"
        set type domain
        set category 193
        set resource "https://v.firebog.net/hosts/Easylist.txt"
        set refresh-rate 60
    next
    edit "Firebog-Privacy"
        set type domain
        set category 195
        set resource "https://v.firebog.net/hosts/Easyprivacy.txt"
        set refresh-rate 60
    next
    edit "Fireblog-Admiral"
        set type domain
        set category 196
        set resource "https://v.firebog.net/hosts/Admiral.txt"
        set refresh-rate 60
    next
    edit "Fireblog-Privacy-2"
        set type domain
        set category 197
        set resource "https://v.firebog.net/hosts/Prigent-Ads.txt"
        set refresh-rate 60
    next
    edit "OISD"
        set type domain
        set category 198
        set resource "https://dbl.oisd.nl/"
        set refresh-rate 60
    next
    edit "OISD-IP"
        set type address
        set resource "https://hosts.oisd.nl/"
        set refresh-rate 60
    next
end
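Before adding a list as an external resource it is worth checking how many distinct domains it actually contains and whether it fits the per-resource maximum; the FortiOS error quoted in the comments below puts that limit at 131,072 entries. The following Python script is an added example (not from the original post and not Fortinet code): it normalises a downloaded list, accepting both bare domains and hosts-file style lines, drops comments and duplicates, and reports the count. The embedded sample list is constructed.

```python
import re
from dataclasses import dataclass, field

# Per-resource maximum taken from the FortiOS error quoted in the comments.
FORTIGATE_MAX_ENTRIES = 131_072

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Sink addresses commonly used in hosts-file style block lists.
_HOSTS_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
@dataclass
class ListStats:
    domains: set = field(default_factory=set)     # distinct, lower-cased FQDNs
    rejected: list = field(default_factory=list)  # lines that are not usable entries

    def fits(self) -> bool:
        # True if the cleaned list stays within the per-resource maximum.
        return len(self.domains) <= FORTIGATE_MAX_ENTRIES

def parse_domain_list(text: str) -> ListStats:
    """Normalise a block list to one lower-cased domain per entry."""
    stats = ListStats()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in _HOSTS_SINKS:
            line = parts[1]                            # "0.0.0.0 host" -> "host"
        if _DOMAIN_RE.match(line):
            stats.domains.add(line)
        else:
            stats.rejected.append(raw)                 # e.g. "localhost", IPs, junk
    return stats

# Constructed sample mixing plain-domain and hosts-file style lines.
SAMPLE_LIST = """\
# constructed sample list
ads.example.com
Tracker.Example.NET   # trailing comment
ads.example.com
0.0.0.0 telemetry.example.org
127.0.0.1 localhost
not a domain!
"""
if __name__ == "__main__":
    s = parse_domain_list(SAMPLE_LIST)
    print(f"{len(s.domains)} domains, {len(s.rejected)} rejected, fits: {s.fits()}")
```

Run it against the text of a downloaded list (e.g. read from a file) to see the cleaned count and the lines that would not be usable as domain entries.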

DNS Filter

Next we add a DNS filter. You can do this under the 'Security Profiles' tab in the GUI of the Fortigate. Enable the option 'FortiGuard Category Based Filter'.

In the category filter list you can see an entry called 'Remote Categories'. Open this entry and you will find the seven domain-type external entries we added before. Set all of them to 'Redirect to Block Portal'.

At the bottom of the menu you find the option 'External IP Block lists'. Click the + sign and select the entry 'OISD-IP'.

Now, all eight lists are active in this DNS filter profile.


Set up a DNS Server

Setting up a DNS server is most easily done via the CLI (like most things). Paste this into your CLI to set up the server. The entry name is the interface the DNS server listens on ("internal" here); change dnsfilter-profile to the name of your DNS filter profile.

config system dns-server
    edit "internal"
        set mode forward-only
        set dnsfilter-profile "Your-DNS-Filter"
    next
end

After setting up your DNS server, don't forget to hand it out to your clients via DHCP.

That's it

Now you should notice far fewer ads bothering you, both in the web browser and in apps on your mobile.

With these simple steps you can get rid of most ads. YouTube ads cannot be blocked this way.

Comments

  1. I do get an error: The external resource contains more entries than is supported. The maximum amount of entries per-resource is 131,072

    Not an issue on yours?
