Blocking WhatsApp, Netflix, BitTorrent or a VPN tunnel by IP doesn't work — those services rotate IPs constantly. You need to block at Layer 7: the application itself. Here's how pfSense does it with Zenarmor, Suricata and friends.
The OSI stack has seven layers, and each one gives you a different lens to block traffic. Most admins only use Layers 3 and 4 (IP and port), which is exactly what users route around: the app simply moves to another address on the same CDN, or the user tunnels everything through a VPN.
From turnkey commercial (Zenarmor) to DIY free (Suricata). Pick based on how many users you have, your budget, and how granular your policy needs to be.
The commercial DPI engine for pfSense. 300+ pre-categorised apps, per-user policies, real-time analytics dashboard.
Available from the pfSense package manager. Signature-based: enable the Emerging Threats Open rulesets (emerging-policy, emerging-p2p and friends) to get app blocking.
Transparent HTTP(S) proxy with URL/app filtering. Classic Indian-school-lab choice. Best for forced-proxy environments; note that filtering inside HTTPS (anything beyond the hostname) needs SSL interception with a CA you deploy to every client.
DNSBL category feeds (social, streaming and so on) plus GeoIP and IP lists turned into firewall aliases. No DPI, so this is only half a block: it works while clients use your resolver and the listed IPs stay current.
Best turnkey option. Free tier is enough for home labs and sub-100-user offices. Paid tiers unlock more policies and advanced reporting.
Fetch and run Zenarmor's install script from an SSH shell; it installs the package and adds the Firewall › Zenarmor menu entry.
Diagnostics › Command Prompt
The first-run wizard asks which interface to watch (usually LAN) and which mode to start in: monitoring-only, to observe traffic and tune categories first, or enforcing, to actually block.
A policy = who (source: LAN users or specific IPs) + what (categories to block: social, streaming, gambling, adult, P2P, VPN, proxies) + when (schedule).
For workplace: P2P, Torrents, VPN & Anonymizers, Adult, Gambling, Proxy-Avoidance. Optional: Streaming, Social Media (on a schedule).
Zenarmor → Reports shows top apps, top users and blocked attempts in real time. Thirty minutes of watching shows the obvious hits; leave it in monitoring mode for a few days (a week on a busy network) so rarely-used and scheduled apps surface too, before going fully enforcing.
Firewall › Zenarmor › Reports

```sh
# SSH to pfSense as admin, select option 8 (Shell), then:
pkg update
fetch -o /tmp/zen.sh https://raw.githubusercontent.com/sunnyvalleynetworks/install-zenarmor/master/install.sh
# Read the script before running it: it executes as root on your firewall.
less /tmp/zen.sh
chmod +x /tmp/zen.sh
/tmp/zen.sh
# The script installs the package, pulls the latest DPI signatures,
# and enables a menu entry in the WebGUI: Firewall > Zenarmor
# First-run wizard in the WebGUI walks you through:
# 1. Interface selection (choose LAN)
# 2. Mode (start with 'Monitoring' for a week)
# 3. Sign in with Sunny Valley account (free)
# 4. Pick your licence tier (Free / Business / Enterprise)
```
If you can't pay for Zenarmor, Suricata's Emerging Threats rulesets include dozens of application-identification rules. Less polished UX, zero cost.
WAN catches inbound threats; LAN catches outbound app traffic (what we want here).
Under the LAN interface → LAN Categories, tick: emerging-policy.rules (contains app identification), emerging-p2p.rules (torrents), emerging-games.rules, emerging-chat.rules. Save. The ET Open ruleset must first be enabled under Global Settings (Install ETOpen Emerging Threats rules) and downloaded from the Updates tab, or the categories will not be listed.
Interface settings → Block Offenders: checked. Which IP to Block: BOTH. Kill states: yes. This converts Suricata from passive IDS to active IPS. Caveat: in Legacy Mode an alert puts the offending LAN host into the pf block table, which cuts off all of that host's traffic, not just the offending app, until the entry expires (set Remove Blocked Hosts Interval under Global Settings) or you clear it on the Blocks tab. If your NIC supports netmap, Inline IPS Mode drops only the matching packets and is the better fit for app blocking.
Watch the Alerts tab for a few days. For alerts triggered by legitimate traffic (e.g. Slack, Zoom), use the alert's suppress icon to add its SID to the Suppress List, optionally scoped to that source IP, rather than disabling the whole rule.
Services › Suricata › Alerts

Custom rules go on the LAN interface's rules page (Services › Suricata › Interfaces › LAN › LAN Rules, category custom.rules):

```
# Drop TikTok native app TLS handshakes (suffix-match on the SNI buffer).
# No leading dot, so this also matches e.g. "xtiktokv.com".
drop tls any any -> any any (msg:"KHOJI BLOCK TikTok SNI"; \
    tls.sni; content:"tiktokv.com"; nocase; endswith; \
    sid:9000001; rev:1;)

# Drop BitTorrent DHT (Distributed Hash Table) queries: a bencoded dict whose
# "a" (arguments) key carries a 20-byte node "id". DHT nodes can use any UDP
# port; 6881:6999 catches only default-configured clients, so widen the
# destination port to "any" if you accept more false positives.
drop udp $HOME_NET any -> any 6881:6999 (msg:"BLOCK BitTorrent DHT"; \
    content:"d1:ad2:id20:"; offset:0; depth:12; \
    sid:9000002; rev:1;)

# Drop commercial VPN client handshakes by SNI, one rule per provider domain.
# A dotted suffix with endswith is cheaper than the equivalent pcre and
# cannot match "notnordvpn.com".
drop tls any any -> any any (msg:"BLOCK NordVPN"; \
    tls.sni; content:".nordvpn.com"; nocase; endswith; \
    sid:9000003; rev:1;)
```

Two caveats. `drop` only discards packets in Inline IPS Mode; in Legacy Mode the alert blocks the offending IP through the pf table instead. And `tls` rules never see QUIC (UDP 443), which Chrome and many mobile apps use when the server offers it: add a LAN firewall rule blocking outbound UDP 443 so clients fall back to TCP, or write matching quic.sni rules on Suricata 7.
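Added example, not code from the page or from Suricata: a Python sketch of what the SNI and DHT rules above actually see. It parses a TLS ClientHello down to the server_name extension (the buffer that `tls.sni` exposes), applies the same suffix idea as `content ... endswith`, and checks the DHT query prefix. Every packet is constructed inline; the domain list and port range mirror the rules, and the apex-or-subdomain match is deliberately stricter than the bare `endswith` so the lookalike case shows up.

```python
"""Extract the SNI from a TLS ClientHello and apply app-block rules to it.
Everything here is constructed for illustration; nothing is read off a wire."""
from __future__ import annotations
import struct

# App -> registered domain. Matches the apex or any subdomain, which is stricter
# than Suricata's content:"tiktokv.com"; endswith; (that also hits "xtiktokv.com").
BLOCKED_SNI_DOMAINS = {"tiktokv.com": "TikTok", "nordvpn.com": "NordVPN"}
# bencoded DHT query prefix: dict, key "a" (args), key "id" with a 20-byte node id
DHT_QUERY_PREFIX = b"d1:ad2:id20:"
DHT_PORTS = range(6881, 7000)   # 6881:6999 in the rule; real DHT nodes may use any port


def parse_client_hello_sni(record: bytes) -> str | None:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16:                        # TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                            # handshake type ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                 # client_version + random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + elen]
            pos += elen
            if etype != 0:                           # 0 == server_name
                continue
            lpos = 2                                 # skip ServerNameList length
            while lpos + 3 <= len(ext):
                ntype = ext[lpos]
                nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:                       # host_name entry
                    return ext[lpos:lpos + nlen].decode("ascii", "replace")
                lpos += nlen
    except (IndexError, struct.error):
        return None                                  # truncated or malformed
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, SNI only), for testing."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_ext = struct.pack("!H", len(entry)) + entry             # ServerNameList
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)            # version 1.2, random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_app(server_name: str) -> str | None:
    """Name of the blocked app whose domain the SNI belongs to, else None."""
    host = server_name.lower().rstrip(".")
    for domain, app in BLOCKED_SNI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None


def verdict(proto: str, dport: int, payload: bytes) -> tuple[str, str]:
    """Mirror the three custom rules on one packet: ('drop'|'pass', reason)."""
    if proto == "tcp":
        sni = parse_client_hello_sni(payload)
        app = sni_app(sni) if sni else None
        if app:
            return "drop", f"{app} SNI {sni}"
    elif proto == "udp" and dport in DHT_PORTS and payload.startswith(DHT_QUERY_PREFIX):
        return "drop", "BitTorrent DHT query"
    return "pass", ""


if __name__ == "__main__":
    ping = DHT_QUERY_PREFIX + bytes(20) + b"e1:q4:ping1:t2:aa1:y1:qe"   # constructed
    samples = [
        ("tcp", 443, build_client_hello("api16-normal-c-useast1a.tiktokv.com")),
        ("tcp", 443, build_client_hello("us1234.nordvpn.com")),
        ("tcp", 443, build_client_hello("tiktokv.com.example.net")),  # lookalike
        ("udp", 6881, ping),
        ("udp", 51413, ping),                                          # off-range port
    ]
    for proto, dport, payload in samples:
        print(proto, dport, *verdict(proto, dport, payload))
```

The off-range DHT ping passing is the point of the port comment on the rule: a client configured for a random port never hits `6881:6999`, so decide deliberately between the narrow rule and `any`.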
Block Facebook, Instagram, TikTok, X from 9am-6pm on weekdays. Allow at lunch and after hours.
Block Netflix, Hotstar, YouTube, Prime on office WAN. Keep the fibre for actual work.
Block the BitTorrent protocol entirely. Prevents copyright notices from the ISP and saves tens of Mbps.
Users install NordVPN / Windscribe on laptops to bypass your other blocks. Kill at the network level.
Block Roblox, Fortnite, Steam updates during class hours. Resume after 4pm.
Permanent block on gambling + adult categories — standard for schools, libraries, public WiFi, banks.
Users are creative. These three techniques defeat naive blocking setups. Stack all three defences.
Chrome and Firefox can bypass your DNS filter by sending queries inside HTTPS to dns.google, cloudflare-dns.com or mozilla.cloudflare-dns.com, where a port-53 redirect never sees them. Block those hostnames via pfBlockerNG DNSBL and their known IPs via a firewall alias. Firefox also looks up the canary domain use-application-dns.net before enabling its default DoH: if your Unbound answers NXDOMAIN for it (a local-zone entry), Firefox leaves DoH off. A user who switches DoH on manually ignores the canary, which is why the hostname and IP blocks still matter.
DNS over TLS (DoT) is the same bypass on TCP 853, and DNS over QUIC uses UDP 853. Easy fix: a LAN rule blocking TCP+UDP 853 to any destination, placed above your default allow rule.
NAT port forward on LAN: redirect destination TCP/UDP 53 (source: LAN net; destination: any, with "This Firewall" inverted so queries already aimed at pfSense are left alone) to pfSense's own resolver address. Users who configure 8.8.8.8 on their laptop get silently rerouted to your Unbound. Combined with #1 and #2, they have no external DNS path.
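Added example, not from the page: a Python classifier that sorts LAN flows into the three DNS-bypass paths above (plain DNS to an outside resolver, DoT/DoQ on 853, DoH on 443) and reports which hosts would still reach a resolver you do not control if only some of the controls were in place. The flow records, the resolver address 192.168.1.1 and the DoH IP set are constructed for illustration; on a real pfSense the IP set comes from the alias resolved from the DoH hostnames.

```python
"""Classify outbound LAN flows by which DNS-bypass control should catch them.
Flow records and address sets are constructed for illustration."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

RESOLVER = ip_address("192.168.1.1")   # assumed LAN address of pfSense, where Unbound listens
# Assumed alias contents; pfSense resolves the real alias from these hostnames.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_IPS = {ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")}
CONTROLS = {"redirect-53", "block-853", "block-doh"}   # the three defences


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    sni: str = ""   # TLS server_name when the flow is TLS, else ""


def classify(f: Flow) -> str:
    """Map one flow to the control that handles it, or 'pass'/'resolver'."""
    dst = ip_address(f.dst)
    if f.dport == 53:
        return "resolver" if dst == RESOLVER else "redirect-53"   # NAT to Unbound
    if f.dport == 853:
        return "block-853"                                        # DoT (tcp) / DoQ (udp)
    if f.dport == 443 and (dst in DOH_IPS or f.sni.lower().rstrip(".") in DOH_HOSTS):
        return "block-doh"
    return "pass"


def bypass_report(flows: list[Flow]) -> dict[str, set[str]]:
    """Per LAN host: which bypass paths it attempted."""
    report: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        c = classify(f)
        if c in CONTROLS:
            report[f.src].add(c)
    return dict(report)


def uncovered(flows: list[Flow], deployed: set[str]) -> list[Flow]:
    """Flows that still reach an outside resolver when only `deployed` controls exist."""
    return [f for f in flows if classify(f) in CONTROLS - deployed]


# Constructed sample flows (RFC 5737 documentation addresses for non-resolver hosts).
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.1", "udp", 53),                   # using Unbound: fine
    Flow("192.168.1.20", "8.8.8.8", "udp", 53),                       # hard-coded resolver
    Flow("192.168.1.21", "1.1.1.1", "tcp", 853),                      # DoT
    Flow("192.168.1.21", "9.9.9.9", "udp", 853),                      # DoQ
    Flow("192.168.1.22", "203.0.113.5", "tcp", 443, sni="cloudflare-dns.com"),
    Flow("192.168.1.22", "8.8.8.8", "tcp", 443, sni="dns.google"),    # DoH by IP and SNI
    Flow("192.168.1.23", "198.51.100.7", "tcp", 443, sni="www.google.com"),
]

if __name__ == "__main__":
    for host, paths in sorted(bypass_report(SAMPLE_FLOWS).items()):
        print(host, sorted(paths))
    # With only the port-53 redirect deployed, DoT/DoQ and DoH flows still get out.
    print("uncovered with redirect only:", len(uncovered(SAMPLE_FLOWS, {"redirect-53"})))
    print("uncovered with all three:", len(uncovered(SAMPLE_FLOWS, CONTROLS)))
```

Feeding this real data means exporting flows from pfSense (Diagnostics › States, or the firewall log with SNI taken from Suricata's TLS log); the classification logic is the same.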
Zenarmor's "VPN & Proxy" category covers the top 50 commercial VPN services. For Suricata, enable emerging-policy.rules which has patterns for NordVPN / ExpressVPN / ProtonVPN handshakes.
Determined users will tether their phone. You can't block it at the network level — but you can enforce endpoint MDM (Intune, Jamf) that disables tethering on corporate laptops.
Block social media during business hours, allow at lunch, full access after 7pm. Works in both Zenarmor (native schedules) and pfSense firewall rules (via the Schedules feature).
Name: WorkHours. Days: Mon-Fri. Time range: 9:00 to 18:00 (except 13:00-14:00 for lunch if you want to allow social at lunch).
In either a pfSense firewall rule or a Zenarmor policy, pick the schedule from the dropdown; the rule applies only during the scheduled hours. One pfSense caveat: states are only killed when a scheduled pass rule's window ends (System › Advanced › Miscellaneous, Schedule States). A scheduled block rule that activates at 9:00 stops new connections but leaves sessions opened at 8:59 alive, so for long-lived apps prefer a scheduled pass rule above a permanent block, which tears sessions down when the window closes.
Zenarmor policy: Category = Social Networks, Action = Block, Schedule = WorkHours. Done — users get Instagram at lunch and after 6pm, nothing during deep-work hours.
Zenarmor or Suricata setup + category policies + schedule-based rules + bypass prevention + monthly tuning. Handover includes admin dashboard training.