    Wireless router

    Firewalling
    19 Posts 4 Posters 725 Views
      Antibiotic @johnpoz

      @johnpoz
      Is it a principled decision, or were you busy with your kids getting older?

      pfSense plus 24.11 on Topton mini PC
      CPU: Intel N100
      NIC: Intel i-226v 4 pcs
      RAM : 16 GB DDR5
      Disk: 128 GB NVMe
      Brgds, Archi

        johnpoz LAYER 8 Global Moderator @Antibiotic

        @Antibiotic just have zero use for a proxy, and I don't have to worry about content filtering - if you know what I mean with 2 teenage boys.. But your proxy would be used to get off the network, be it explicit or transparent.. Your client shouldn't be talking to the proxy at all even if explicit for anything on your local network.

        And if transparent - it sure wouldn't be used..

        There is really little advantage to a proxy these days with everything dynamic and https.. What is your point in wanting to run one to be honest?

        I thought I read they were even pulling squid, not sure if there is a new version.. There is a big proxy user about, he could help you with setup if you have your heart set on running one. Personally I see no point to it.. Reverse proxy sure, but my client going out to the internet, proxy gets me nothing but something that's going to slow down my access.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Antibiotic @johnpoz

          @johnpoz in my case it only speeds up browsing, not slows it down)))

            johnpoz LAYER 8 Global Moderator @Antibiotic

            @Antibiotic Unless you're like on dialup, I don't see how you think a proxy is going to speed up anything these days.. Most everything is dynamic and created on the fly, and you have the added overhead of having to do stuff to get https to work.. And there is nothing really still on http, that is for sure.

              JKnott @Antibiotic

              @Antibiotic said in Wireless router:

              129.168.20.1

              I trust that's a typo.

              What addresses do you have on the LAN side of pfSense? All the addresses I see are in the same subnet.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                johnpoz LAYER 8 Global Moderator @JKnott

                @JKnott hahha - good catch on the typo ;) yeah that has to be a typo.. just transposed the 9 and the 2

                  JonathanLee

                  @Antibiotic I purchased an official Netgate appliance just to learn about proxy use when I was completing my AA in cyber security.

                  Squid is one of the most complex packages to configure. But it is a dream to see it run once it is configured. It is my favorite thing about my firewall, the greatest puzzle for me ever. I love it. Like the hypothetical ultimate Rubik's cube.

                  You can use advanced options in Squid for just about anything you can dream of.

                  So yes, you can configure specific conditions in Squid.

                  I have timers set so that it turns off the cache after hours; some devices are always spliced, like an Amazon tablet. I have devices locked to MAC addresses with IP addresses to use the cache.

                  I have a book for Squid; it is 442 pages of amazing things you can do.

                  It is complex like @johnpoz said.

                  I also use it to do dynamic updates, so I do not have to sit and wait for a Windows 11 update over and over between different machines.

                  Here is an example of my custom config if it helps.

                  Just forget the cachemgr and the updates and all that; focus on the IP address and MAC address stuff, and also the timers.

                  cachemgr_passwd disable offline_toggle reconfigure shutdown #for use with cachemgr.cgi if you have linked the file
                  cachemgr_passwd REDACTED all #for use with cachemgr.cgi if you have linked the file
                  eui_lookup on #for use with mac addresses
                  acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\? #for use with never caching facebooks real-time checker
                  acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat #for use with never caching Facebook messages that is bad and creepy if you do that it is unethical so splice and move on
                  acl CONNECT method CONNECT #for use with windows update cache use over the proxy to help
                  acl wuCONNECT dstdomain www.update.microsoft.com #same use with windows updates
                  acl wuCONNECT dstdomain sls.microsoft.com #also use with windows updates
                  http_access allow CONNECT wuCONNECT localnet #allows connections for windows updates to the cache to connect to it
                  http_access allow CONNECT wuCONNECT localhost
                  http_access allow windowsupdate localnet #for use with my update file I hand crafted within the dynamic cache area
                  http_access allow windowsupdate localhost #same thing
                  http_access allow HttpAccess localnet #other services that require http access like antivirus updates and other enterprise services that require it
                  http_access allow HttpAccess localhost #same thing allow it to local host too
                  http_access deny manager #block manager access over http
                  http_access deny to_ipv6 #my isp does not use ipv6 so I block it
                  http_access deny from_ipv6
                  
                  acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
                  acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH #for use with squid seeing a broken domain connection when updates occur 
                  sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
                  sslproxy_cert_error deny all
                  #ok to the acls most of the above you can research on Squids website
                  acl splice_only src 192.168.1.8 #Tasha iPhone
                  acl splice_only src 192.168.1.10 #Jon iPhone
                  acl splice_only src 192.168.1.11 #Amazon Fire
                  acl splice_only src 192.168.1.15 #Tasha HP
                  acl splice_only src 192.168.1.16 #iPad
                  
                  acl splice_only_mac arp MAC ADDRESS HERE
                  acl splice_only_mac arp MAC ADDRESS HERE
                  acl splice_only_mac arp MAC ADDRESS HERE
                  acl splice_only_mac arp MAC ADDRESS HERE
                  acl splice_only_mac arp MAC ADDRESS HERE
                  
                  #this uses a no bump file I created for specific websites that ethically should always never intercept like banks etc don't do that. 
                  acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
                  acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
                  
                  
                  acl markBumped annotate_client bumped=true #I created a flag here for use later
                  acl active_use annotate_client active=true
                  acl bump_only src 192.168.1.3 #webtv
                  acl bump_only src 192.168.1.4 #toshiba
                  acl bump_only src 192.168.1.5 #imac
                  acl bump_only src 192.168.1.9 #macbook
                  acl bump_only src 192.168.1.13 #dell
                  
                  acl bump_only_mac arp MAC ADDRESS HERE
                  acl bump_only_mac arp MAC ADDRESS HERE
                  acl bump_only_mac arp MAC ADDRESS HERE
                  acl bump_only_mac arp MAC ADDRESS HERE
                  acl bump_only_mac arp MAC ADDRESS HERE
                  
                  ssl_bump peek step1 #peek at step one look for my block items if its not there let it connect
                  miss_access deny no_miss active_use #do not cache the no miss I hate seeing miss saved for that
                  ssl_bump splice https_login active_use #splice the http here also and move on flag it active
                  ssl_bump splice splice_only_mac splice_only active_use #now we splice specific ip addresses and the mac so mac and ip must match and flag it
                  ssl_bump splice NoBumpDNS active_use #same here splice the no bumps
                  ssl_bump splice NoSSLIntercept active_use #splice the no intercept file
                  ssl_bump bump bump_only_mac bump_only active_use #always bump stuff like my research equipment for cybersecurity I want to see everything going on I want to see the containers in action I want every detail from it
                  acl activated note active_use true #ok take all the active use put it into acl activated
                  ssl_bump terminate !activated #kill everything not activated incase squid has a container or something in it terminate the connection.
                  
                  acl markedBumped note bumped true #other research I was doing
                  url_rewrite_access deny markedBumped
                  
                  #for use with my quality of service to help speed up the proxy
                  
                  read_ahead_gap 64 KB
                  negative_ttl 1 second
                  connect_timeout 30 seconds
                  request_timeout 60 seconds
                  half_closed_clients off
                  shutdown_lifetime 10 seconds
                  negative_dns_ttl 1 seconds
                  ignore_unknown_nameservers on
                  pipeline_prefetch 100
                  
                  
                  # I am not using this I was creating an always bump file but didn't really finish it. 
                  #acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
                  #ssl_bump bump SSLIntercept
                  

                  Ok, so now that you have some basics of that, remember order matters: the dynamic cache advanced config comes before the general advanced config, so some ACLs are created here but used in the other advanced config.

                  acl block_hours time 01:30-05:00 #my network lock hours
                  ssl_bump terminate all block_hours #terminate all during block outs so nothing gets in nothing gets out. At least I hope so
                  http_access deny all block_hours #same block the http access during specific hours
                  acl getmethod method GET #set get for use with storeID
                  acl to_ipv6 dst ipv6 #for user with blocking ipv6 and stuff 
                  acl from_ipv6 src ipv6
                  
                  #ciphers for ssl intercept and tls use
                  tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
                  tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
                  
                  #my acls for my HttpAccess for antivirus it pulls up my huge file so I don't have a million reg expressions 
                  acl HttpAccess dstdomain "/usr/local/pkg/http.access"
                  acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
                  acl rewritedoms dstdomain "/usr/local/pkg/desdom"
                  
                  #my store_id program it comes built in with squid but you need the files created and a database to use it
                  store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
                  store_id_children 10 startup=5 idle=1 concurrency=0
                  always_direct allow !getmethod
                  store_id_access deny connect
                  store_id_access deny !getmethod
                  store_id_access allow rewritedoms
                  reload_into_ims on
                  max_stale 20 years
                  minimum_expiry_time 0
                  #this is refresh patters after this for updates etc or other items you don't want to download a million times let the proxy reserve it securely. 
                  refresh_pattern -i squid\.internal 10080 80% 79900 override-lastmod override-expire ignore-reload ignore-no-store ignore-private
                  
                  #FACEBOOK
                  refresh_pattern ^https.*.facebook.com/* 10080 80% 43200
                  
                  #FACEBOOK IMAGES  
                  refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200
                  refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 
                  refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale
                  refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200
                  refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200
                  refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200
                  
                  #FACEBOOK VIDEO
                  refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200
                  refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200
                  
                  #APPLE STUFF
                  refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200  refresh-ims
                  
                  #apple update
                  refresh_pattern -i (download|adcdownload).apple.com/.*\.(pkg|dmg) 4320 100% 43200
                  refresh_pattern -i appldnld\.apple\.com 129600 100% 129600
                  refresh_pattern -i phobos\.apple\.com 129600 100% 129600
                  refresh_pattern -i iosapps\.itunes\.apple\.com 129600 100% 129600
                  
                  
                  #my favorite Windows update cache I hate redownloading items a millions times, this makes it green energy efficient. 
                  # Updates: Windows
                  refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200  refresh-ims
                  refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200  refresh-ims
                  refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200  refresh-ims
                  refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
                  refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
                  refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 
                  refresh_pattern -i .*windowsupdate.com/.*\.(cab|exe) 259200 100% 259200   
                  refresh_pattern -i .*update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 259200 100% 259200   
                  refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
                  refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
                  refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
                  refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 
                  refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200
                  #windows update NEW UPDATE 0.04
                  refresh_pattern update.microsoft.com/.*\.(cab|exe) 43200 100% 129600    
                  refresh_pattern ([^.]+\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp|psf) 4320 100% 43200  
                  refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 
                  refresh_pattern -i \.update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
                  refresh_pattern -i \.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
                  refresh_pattern -i \.download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
                  refresh_pattern -i \.ws.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       
                      
                  refresh_pattern ([^.]+\.)?(cs|content[1-9]|hsar|content-origin|client-download).(steampowered|steamcontent).com/.*\.* 43200 100% 43200
                  refresh_pattern ([^.]+\.)?.akamai.steamstatic.com/.*\.* 43200 100% 43200
                  
                  refresh_pattern -i ([^.]+\.)?.adobe.com/.*\.(zip|exe) 43200 100% 43200
                  refresh_pattern -i ([^.]+\.)?.java.com/.*\.(zip|exe) 43200 100% 43200
                  refresh_pattern -i ([^.]+\.)?.sun.com/.*\.(zip|exe) 43200 100% 43200
                  refresh_pattern -i ([^.]+\.)?.oracle.com/.*\.(zip|exe|tar.gz) 43200 100% 43200
                  
                  refresh_pattern -i appldnld\.apple\.com 43200 100% 43200
                  refresh_pattern -i ([^.]+\.)?apple.com/.*\.(ipa) 43200 100% 43200
                   
                  refresh_pattern -i ([^.]+\.)?.google.com/.*\.(exe|crx) 10080 80% 43200
                  refresh_pattern -i ([^.]+\.)?g.static.com/.*\.(exe|crx) 10080 80% 43200
                  
                  acl https_login url_regex -i ^https.*(login|Login).*
                  cache deny https_login
                  
                  
                  #windows updates a huge but you don't want to allow just anything to get in you cache so set it to only allow specific acls to access the larger limits and set the rest as standard
                  range_offset_limit 512 MB windowsupdate
                  range_offset_limit 4 MB
                  range_offset_limit 0
                  quick_abort_min -1 KB
                  

                  It was a quest to make that thing work not to mention you need to also worry about blocking DoH and use a blacklist.

                  So that is my research so far.

                  But transparent mode is 100 percent easier over this right?

                  My recommendation is play with the built in guy and use the ACL page set up some items to bypass the proxy if needed under general config.

                  I am a student, remember, and I am learning, so I could and most likely have some mistakes. I made this post so you can take the parts you want to play with and use that to research with. Most of it is made with a goal of caching any and all containers before they reach a machine, and also making my network green and efficient: let the proxy serve the items already downloaded, but do it ethically; don't intercept banks and email and messages and stuff, just avoid it and move on.

                  Make sure to upvote

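A quick lint pass over a Squid config written in the style posted above, as an added example that is not code from this thread or from the Squid or pfSense projects: it reports ACLs that an access directive names but nothing defines (which is exactly how Squid reads trailing explanatory words that lack a leading `#`), ACLs used before their definition, and `refresh_pattern` regexes that do not compile. The `SAMPLE_CONF` fragment is constructed for the example and only modeled on the posted config; the MAC address in it and the `external` set of ACL names are assumptions.

```python
"""Lint a Squid config fragment: every ACL an access directive names must be
defined (in the fragment, by Squid itself, or by the surrounding generated
squid.conf), and every refresh_pattern regex must compile."""
import re

# ACLs Squid predefines. 'localnet' and 'step1' live in the generated part of
# pfSense's squid.conf, so a caller passes such names via 'external'.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Directive -> number of fixed tokens (allow/deny, or the ssl_bump action)
# that precede the ACL list. Subset of directives used in the posted config.
ACL_DIRECTIVES = {
    "http_access": 1, "miss_access": 1, "cache": 1, "store_id_access": 1,
    "always_direct": 1, "url_rewrite_access": 1, "sslproxy_cert_error": 1,
    "ssl_bump": 1,
}

# Constructed sample, modeled on the config posted in this thread (MAC address
# is made up). Line 9 has uncommented trailing prose, line 10 uses an ACL that
# is only defined on line 11, and line 12 has an unbalanced parenthesis.
SAMPLE_CONF = r"""acl localnet src 192.168.1.0/24
acl step1 at_step SslBump1
acl splice_only src 192.168.1.8   # phone
acl splice_only_mac arp 00:11:22:33:44:55
acl active_use annotate_client active=true
acl no_miss url_regex -i gateway\.facebook\.com/ws/realtime\?
ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice splice_only_mac splice_only active_use now we splice by ip and mac
http_access allow windowsupdate localnet
acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
refresh_pattern -i windowsupdate.com/..(cab|exe|msi)|dat|zip)$ 4320 80% 43200 refresh-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi) 4320 80% 43200
"""


def strip_comment(line: str) -> str:
    """Squid drops everything from an unescaped '#' to the end of the line."""
    return re.sub(r"(?<!\\)#.*$", "", line).strip()


def lint(conf: str, external=()) -> list:
    """Return human-readable findings; an empty list means the fragment is clean."""
    known = BUILTIN_ACLS | set(external)
    lines = [strip_comment(raw) for raw in conf.splitlines()]
    # Pass 1: record where each ACL name is first defined.
    defined_at = {}
    for n, line in enumerate(lines, 1):
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "acl":
            defined_at.setdefault(tok[1], n)
    # Pass 2: check every ACL reference and every refresh_pattern regex.
    findings = []
    for n, line in enumerate(lines, 1):
        tok = line.split()
        if len(tok) < 2:
            continue
        directive = tok[0]
        if directive in ACL_DIRECTIVES:
            for ref in tok[1 + ACL_DIRECTIVES[directive]:]:
                name = ref.lstrip("!")  # '!name' negates; same lookup
                if name in known:
                    continue
                if name not in defined_at:
                    findings.append(f"line {n}: {directive} uses undefined ACL '{name}'")
                elif defined_at[name] > n:
                    findings.append(f"line {n}: {directive} uses ACL '{name}' "
                                    f"before its definition on line {defined_at[name]}")
        elif directive == "refresh_pattern":
            pattern = tok[2] if tok[1] == "-i" and len(tok) > 2 else tok[1]
            try:
                re.compile(pattern)
            except re.error as err:
                findings.append(f"line {n}: refresh_pattern regex {pattern!r} "
                                f"does not compile ({err})")
    return findings
```

Running `lint(SAMPLE_CONF)` yields nine findings: seven for the prose words on line 9, one for `windowsupdate` used before its definition, and one for the regex on line 12.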
                    Antibiotic @JonathanLee

                    @JonathanLee Oh, thank you for publishing your hard work. I will take a look slowly)))

                      JonathanLee @Antibiotic

                      @Antibiotic Don't forget I am a student, so to be on the official side use Netgate's GUI options with the transparent options; it works great like that, but you could also use the IP address, MAC address, and timed options too. I think my brain melted after getting it to work. @johnpoz and others helped me a lot over the years.

                        johnpoz LAYER 8 Global Moderator @JonathanLee

                        @JonathanLee said in Wireless router:

                        I also use it to do dynamic updates, so I do not have to sit and wait for a Windows 11 update over and over between different machines.

                        You understand Windows does that on its own unless you have turned it off; it will pull updates from other machines on your network vs having to pull from the internet again..

                        https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8

                          JonathanLee @johnpoz

                          @johnpoz Yes, but it is cool to see it say refresh 304 and hit 200s for a huge update and it downloads in 2 seconds; it's crazy fast to see it run, John. It is amazing. It reminds me of a Juniper content accelerator. Again, it is a lot to configure; if users could just click a radio button for the best of the best caching/acceleration options, that would make it easy for end users.

                            Antibiotic @JonathanLee

                            @JonathanLee Hello, any benefits for anonymity to check: Disable VIA Header, and to set X-Forwarded Header Mode to OFF? I will use a non-transparent proxy for one of my subnets, mostly for basic protection and gaming! I'm a little bit in doubt: will the cache work in non-transparent mode, or does it work only in transparent mode? I have set the local cache "Memory Cache Size" to 4GB, but memory usage on the main dashboard is the same; does squid use this dynamically? How to check that the cache is working and increasing? Also for safety I set Hard Disk Cache System to diskd; is it OK?

                              JonathanLee @Antibiotic

                              @Antibiotic I use X-Forwarded Header Mode set to transparent, as it was having issues with my IP looking like a private address with the Netgate forums website.
                              That fixed it.

                              I do not disable the VIA header so my requests follow RFC2616.

                              I do suppress the version however.

                              Hope that helps. The X-Forwarded Header Mode was causing issues with my system and setting it to transparent helped; Netgate's staff helped me with that because I could not see that my IP was showing up incorrectly and causing issues. I am not behind a lot of equipment so I don't need it enabled.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.