Netgate Discussion Forum

    pfSense on Sophos XG125w - "no carrier" on all eth interfaces

    • stephenw10 Netgate Administrator

      I have a custom list with TLDs in I want to block that gets parsed with the fetched adblock lists. It just contains the TLDs.

      DNSBL custom.png

      How are you using the ACLs in Squid?

      I've never tried to use anything special for websockets. Not a problem I've seen or tried to work past before.

      Steve

      • dkzsys

        @stephenw10 Thanks for sharing your implementation of custom list under DNSBL Groups. Nice and easy way to turn them on and off.

        I am using pfSense DNS Resolver (via DHCP), and DoT to external/public DNS service providers (Cloudflare and Google). Clients (browsers, and macOS) seem to go directly to the public DNS service providers, via port 443 (DoH) or port 853 (DoT). I am testing with some firewall rules to block/reject them, to ensure all DNS traffic goes through pfSense DNS Resolver. Still not 100% clear how effective this implementation is.

        WRT ACL, my implementation is relatively straightforward.

        • acl bypass_ssl src IP address (DHCP subnet and specific hosts)
        • acl bypass_ssl_dst dst IP address (to domains that use WebSockets or enforce server cert pinning)
        • I've read through the squid config reference; and am about to try "acl broken_sites ssl::server_name .example.com" when I get home tonight.
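The ACL layout described in the post above, written out as a squid.conf fragment. This is an added example, not dkzsys's actual configuration: the subnet, the addresses and the `step1` ACL name are placeholders, and the peek/splice/bump ordering is an assumption about the intended behaviour.

```conf
# Added example with constructed values; not the poster's configuration.

# Clients that should never be intercepted (placeholder DHCP subnet and host)
acl bypass_ssl src 192.168.1.0/24 192.168.1.50

# Destinations, by IP, that use WebSockets or pin the server certificate
acl bypass_ssl_dst dst 203.0.113.10 198.51.100.0/24

# Destinations matched on the TLS SNI instead of the IP address
acl broken_sites ssl::server_name .example.com

# First SslBump step: only the TCP-level details are known so far
acl step1 at_step SslBump1

# Peek at the ClientHello so the SNI is available to ssl::server_name
ssl_bump peek step1

# Tunnel these connections without decrypting them
ssl_bump splice bypass_ssl
ssl_bump splice bypass_ssl_dst
ssl_bump splice broken_sites

# Intercept everything else
ssl_bump bump all
```

A `dst` ACL goes stale when a site sits behind a CDN with changing addresses, while the `ssl::server_name` match follows the hostname the client asked for.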
        • dkzsys @distengr

          @distengr Hope you managed to fix your issue with your Sophos appliance.

          • distengr @dkzsys

            @dkzsys - Mate, you got a fantastic write-up on how you fixed the issue. I tried your approach of going through the different ports, but the problem is, it never showed WHICH port. It just kept showing "link up". That is way too vague for me to decide what exactly was happening. Eventually, I ran out of steam and got frustrated when Netgate support simply told me that they plan to release drivers for these NICs only in 2.7.0 and "had no idea when that release will be out".

            I searched around the Internet and found that OPNsense already has drivers for these, and seeing Linux Tech Tips (LTT) make a switch to OPNsense since pfSense have drivers for their NIC simply pushed the nail in the coffin for me.

            I'll be holding on to this install for a while and see how it goes and will probably tinker around in pfSense by using your guide a few months down the line. Thank you again for posting the detailed response!

            • stephenw10 Netgate Administrator

              Um, for igb? The only driver that's currently in 2.7 and not 2.6 is the igc version that supports i226.

              That doesn't apply to either of those Sophos devices.

              • dabbler455

                Has anyone tried to use the SFP port with a GPON optic as a WAN port for incoming ISP fiber?

                • dkzsys @dabbler455

                  @dabbler455 not from here. Unfortunately, my provider doesn't offer that option.

                  • ErniePantuso @dkzsys

                    @dkzsys I'm having the same exact problem but I don't understand how you resolved it. I've set a static IP on my PC but that hasn't helped. I've tried assigning the WAN interface to igb1 and LAN to igb0 but it still doesn't work.

                    I guess I'm not getting the whole "upper NIC card/lower NIC card thing". Are you saying that I should use igb0 as WAN and igb1 as LAN - but connect to the ports labeled 5 and 6 on the back of the unit?

                    • dkzsys @ErniePantuso

                      @ErniePantuso see diagram below for illustration, for Sophos XG125W. Similar concept applies to other appliances with multiple NIC cards. See if this makes sense, otherwise, feel free to ask more questions.
                      2934e6ac-cc43-4b4f-afcf-745f1c74b728-image.png

                      • nhaggen

                        Since I got stuck with a non-connecting SG125, thanks for all the explanations that allowed me to find correct settings to access the freshly installed appliance.
                        For future users, see the connections in the picture below, valid for SG125.
                        I have only tested igb4 and igb5, but I suppose it will continue igb6, igb7, igb0, igb1, igb2, igb3.
                        SG125_igb_conn.png

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.