In a nutshell, you can’t so easily.
In a larger shell, you’d have to force all connections through a proxy such as squid (not transparent). WPAD/PCAP or manually configuring the clients to use it. Block all other traffic except to proxy. You can then filter on web content via the proxy, including HTTPS traffic.
That said, it may be possible to bypass this by using the proxy to corkscrew connections to say a VPN server.
You’ll need to block more than pr0n sites. Reddit is full of pr0n if you are that way inclined.
Turns PFSense into a ngfw-ish with category based blocking on the free tier.
The Oisd block list that blocks nsfw dns for porn:
To be implemented via pfBlockerNG
pfSense is great for Suricata, Snort, and other security analysis of traffic but sucks at web filtering.
You really do need an external service like OpenDNS or to run Pi-hole alongside pfSense.
I would love to see this in a plug in…
There really is no technical way to absolutely do this. It’s easy to prevent things from getting in, but it’s sort of all or nothing with letting things out. You will get plenty of people that will disagree with what I’m saying but I’m talking about absolutes and not best efforts. There is a reason high side networks have no external access, in critical environments.
Maybe just talk to your kids and tell them your expectations. Let them ask questions if they have questions and have logic and reason behind your values and why you want to impart them.
You can take all measures like DNS, firewall rules, etc., but a VPN will bypass everything.
Simple browser-embedded VPNs bypass DNS & firewall rule restrictions.
If you still want to do this, pfSense is not the device to do it. You would need a security device that does layer 7 filtering (SophosXG home/Untangle). You then need to deploy a certificate to all the devices so you can do MITM on all traffic. This is time consuming and if the kid is smart they could get around it. This is because you not only have to block porn etc. but all the tools that can get around the block (VPN/proxies).
After all that DNS blocking stuff, etc… why not install a parental control app on each of your kid’s devices?
I would suggest Qustodio Parental Control App.
How to block is boring. I wonder more why hide such normal things from kids instead of educating them on it lol
I run AdGuard Home on my server. You can have per device block lists and enforce safe search, the 2 reasons I left pi-hole.
If you go this route you gotta make sure you block other DNS requests at the firewall. Although I would be ridiculously proud if my kid figured out how to swap the DNS server to look at some titties.
Actually you can force Google safe search as well, using DNS.
It is more important to block malicious content, like scam and bait sites.
How do enterprises achieve this?
Asking for a friend 
Works pretty damn good. They have a list of supported sites that’s pretty expansive.
Basically if it supports NSFW tags then the site will still load but that tagged content throughout the site will not load. You may be able to still read some stuff but no images for sure.
This! It would work even outside of the house/WiFi.
That with the Oisd nsfw block list !!
That will prevent the DNS lookup for the site. It won’t actually block the site.
Simply changing the computer’s DNS server, or setting the browser to use DNS over HTTPS with a different DNS server, will bypass that restriction.
At a DNS level some sites may be blocked, but it’s not at the word level but the site level. Yeah, it works. For instance via this: oisd | Included lists
If no VPN is used, of course.
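
Several replies above note that DNS blocklists only hold if other DNS traffic is blocked at the firewall, and that DNS over HTTPS sidesteps them. The sketch below is an added example, not code from any poster or from pfSense: it scans firewall log lines for clients sending DNS anywhere other than the approved resolver. The resolver address, the DoH address list and the sample lines are constructed, and the field order is assumed to follow pfSense's raw filterlog CSV for IPv4.

```python
import csv
from collections import defaultdict

# Assumption: the one LAN resolver clients are supposed to use
# (pfSense itself, Pi-hole or AdGuard Home).
APPROVED_RESOLVERS = {"192.168.1.1"}
# Constructed stand-in for a maintained list of public DoH endpoints.
KNOWN_DOH_IPS = {"203.0.113.53"}

# Constructed sample lines (documentation address ranges), laid out like
# pfSense's raw filterlog CSV for IPv4. The field order is an assumption:
# check it against your own log before relying on the indexes below.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1,0,none,17,udp,60,192.168.1.20,192.168.1.1,50000,53,40
7,,,1000000105,igb1,match,block,in,4,0x0,,64,2,0,none,17,udp,60,192.168.1.30,198.51.100.8,50001,53,40
6,,,1000000104,igb1,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.30,203.0.113.53,50002,443,0,S,1000,,65535,,mss
8,,,1000000106,igb1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.40,198.51.100.9,50003,853,0,S,2000,,65535,,mss
6,,,1000000104,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.20,198.51.100.80,50004,443,0,S,3000,,65535,,mss
"""


def dns_bypass_attempts(log_text):
    """Map each client IP to sorted (kind, destination, firewall action)
    tuples for DNS traffic that avoids the approved resolver."""
    findings = defaultdict(set)
    for f in csv.reader(log_text.splitlines()):
        # Only IPv4 TCP/UDP records carry ports at these positions.
        if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        action, src, dst, dport = f[6], f[18], f[19], f[21]
        if dst in APPROVED_RESOLVERS:
            continue
        if dport == "53":
            kind = "plain DNS"
        elif dport == "853":
            kind = "DNS over TLS"
        elif dport == "443" and dst in KNOWN_DOH_IPS:
            # DoH looks like ordinary HTTPS; only the destination gives it away.
            kind = "DNS over HTTPS"
        else:
            continue
        findings[src].add((kind, dst, action))
    return {ip: sorted(hits) for ip, hits in findings.items()}


if __name__ == "__main__":
    for client, hits in dns_bypass_attempts(SAMPLE_LOG).items():
        print(client, hits)
```

A `pass` action in the output is the case to act on: that lookup left the network without going through the filter.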