• pfSense web filter and antivirus in existing LAN infrastructure

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10

    You can't run Squid transparently on a bridged firewall so you can't put it in between the switch and Zyxel and maintain the same layer 2.

    However you shouldn't need to. When you configure Squid in transparent mode in pfSense it adds port forwards to the LAN side interface to redirect all incoming traffic on port 80 (and 443) to the Squid process running on local host.
    You can replicate that to Squid running on a different host easily enough. Just add port forwards in the Zyxel to forward traffic from the LAN side clients to the pfSense IP running Squid.

    Some things to consider:
    You may not want to forward all http/s traffic as you will need to reach the Zyxel interface and possibly upstream routers etc and that's probably better to do without using the proxy.
    If you can, you should put the Squid box on a different subnet to the LAN clients, otherwise you will have an asymmetric routing situation with reply traffic going back directly to clients. No idea how the Zyxel would react to that but it should block the out of state TCP traffic by default.
    If you are running only Squid on that box pfSense may not be the best solution there. Though it is very easy to set up.

    Steve

  • Devices that don't show up in the ARP table

    5
    0 Votes
    5 Posts
    2k Views
    ARAMP1

    I don’t know their MAC addresses to add them, so I turned on dhcp to add them. They are listed in the dhcp leases. Thank you!

  • Send a File to Other System

    2
    0 Votes
    2 Posts
    397 Views
    stephenw10

    You probably want a variation on this:
    https://www.netgate.com/docs/pfsense/backup/remote-config-backup.html#push-it

    Never tried it myself but 30secs Googling turned up this likely suspect:
    https://gist.github.com/ilumos/f6861ea879889146ce9ad61a956ba801

    You should be able to get suitable command setup from that to write out the arp table to remote system directly I would have thought.

    Edit: Tested. Mostly works. Should be adaptable to your needs.

    Steve

  • Need Wake on LAN help or Alternative Solution

    31
    0 Votes
    31 Posts
    3k Views
    T

    I do have all network traffic exiting out my ExpressVPN gateway on each subnet/interface.

    I still need to test remotely but I think I found the issue, I had the wrong gateway set in one of the Roadwarrior VPN firewall rules. Testing locally I can now connect to OpenVPN using the client and I still have internet at the same time.

    I'll report back once I get a chance to test this remotely.

  • Creating Alias Question

    3
    0 Votes
    3 Posts
    434 Views
    W

    Great,
    Thank you so much for your reply.

  • Newbie here

    4
    0 Votes
    4 Posts
    626 Views
    W

    That is correct.

  • Web admin listening on WAN

    4
    0 Votes
    4 Posts
    514 Views
    ptt

    You're welcome
    glad you got it solved

  • VLAN traffic not getting recognised correctly by DHCP server?

    14
    0 Votes
    14 Posts
    3k Views
    Derelict

    @victorhooi said in VLAN traffic not getting recognised correctly by DHCP server?:

    The traffic is coming into the pfSense router on igb3, and from my packet capture it appears to have VLAN ID 35 - based on that, should it not go to the MM_LAN (VLAN ID 35) interface automatically, and get an address in the 10.0.35.0/24 range?

    Yes.

    Know that the DHCP server has no concept of a VLAN. That's all handled in the FreeBSD interface code. The DHCP server will either be listening on igb3 (untagged) or igb3.35 (35 tagged traffic)

  • Connecting To local server from within the network

    6
    0 Votes
    6 Posts
    1k Views
    T

    Yes only after enabling the outbound option

  • How send SIP configuration to voip phone with pfsense

    3
    0 Votes
    3 Posts
    276 Views
    Y

    Thanks Derelict :)

  • Aliases disappearing

    4
    0 Votes
    4 Posts
    757 Views
    A

    Does your son have access to your pfSense box? Dumb question I know :D

  • Readable Configuration Report for Non-Default Settings?

    4
    0 Votes
    4 Posts
    684 Views
    Derelict

    For things like firewall rules, NAT, and Aliases /tmp/rules.debug is probably the most concise representation immediately available.

  • NTP: Dashboard Time on. Widget and Server time off

    9
    0 Votes
    9 Posts
    1k Views
    johnpoz

    Just for being thorough, there was some issue a couple of years back where the widget was showing client. Here is one of the threads where it came up:

    https://forum.netgate.com/topic/109365/ntp-is-wrong-by-almost-3-minutes/28

  • User Management Active Directory

    2
    0 Votes
    2 Posts
    524 Views
    stephenw10

    You can create a user group in pfSense that has only that page assigned to it.
    If auth against AD returns that users are members of that group (group name matches exactly) they will inherit the permissions from the group.

    https://www.netgate.com/docs/pfsense/usermanager/user-authentication-servers.html

    Steve

  • Restoring config from beta releases

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10

    Hmm, that's the first time I've ever seen that.
    If that's a common problem we need to fix it. How exactly were you getting the config file from the APU?

    Steve

  • huawei e8372 pfsense 2.4.3

    2
    0 Votes
    2 Posts
    268 Views
    stephenw10

    Which parts of that other thread did you follow exactly? Please detail what you have done.

    Steve

  • Multi-tenant Managed Firewall

    3
    0 Votes
    3 Posts
    970 Views
    A

    @derelict said in Multi-tenant Managed Firewall:

    The permissions system in pfSense is likely not going to work for that. There is nothing resembling a multi-instance pfSense.

    Thanks for answer.

    Best regards,

    Alexandre

  • Monitoring multiple pfSense devices

    2
    0 Votes
    2 Posts
    625 Views
    bepo

    Hello @siil-it,

    You can monitor the general pfSense state with SNMP within your classic monitoring.
    For the Snort alerts you have to configure a syslog server and handle the messages from Snort on your syslog server.

    Kind regards

  • Login incorrect (Failed retrieving values required to evaluate condition)

    5
    0 Votes
    5 Posts
    5k Views
    B


  • Assigning Privileges to AD Groups via RADIUS

    2
    0 Votes
    2 Posts
    310 Views
    U

    I have assigned these privileges. Seems OK to me. If there are other recommendations, let me know.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.