Block LAN access to DMZ
-
Is it possible that you're getting a cached version of your VoIP config page?
-
I don't think so, because if I try to access it from another computer on the LAN it connects too…
-
Well, if you're running Squid in Transparent mode then the other computer would be using it too by default. I don't believe this is your problem but I always rule out the easy stuff first.
Is this a brand new install?
Could we get a real screenshot of your LAN rules screen?
-
"LAN 192.168.1.5:49538 127.0.0.1:3128"
You're not connecting to the opt1, you're connecting to the proxy. Tell your proxy not to go there either!
So you have a proxy set up on your client on the LAN network. Your client asks the proxy to go there; your machine is not directly going there ;)
The question is good: are you using a transparent proxy or explicit? If explicit, you should be set to bypass local networks anyway, and just set your opt1 network to be bypassed as well. But you don't have any rule that says the proxy cannot go there; that is your problem.
-
I wasn't sure if the firewall would get in between the LAN client and Squid or not.
-
No, his rule says he can go anywhere as long as it is not the opt1 network. So clearly he can talk to the LAN IP that the proxy is listening on. He asks the proxy, "hey, go to this opt1 address." The proxy is the source of that traffic, not the LAN IP.
If he wants to use a proxy, then not only does he have to worry about firewall rules - he also needs to make sure the proxy blocks what he wants blocked.
-
I have Squid proxy + HAVP running.
Squid proxy is in transparent mode.
Attached config pictures:
![Captura de Tela 2014-09-04 às 19.26.24.png](/public/imported_attachments/1/Captura de Tela 2014-09-04 às 19.26.24.png)
![Captura de Tela 2014-09-04 às 19.25.03.png](/public/imported_attachments/1/Captura de Tela 2014-09-04 às 19.25.03.png)
-
I disabled SQUID and now the block rule is working 100%! Now I can see the pfSense log files blocking the access, but I don't want to disable SQUID. I noticed that SQUID has an option that is supposed to bypass the proxy for local addresses, as follows:
"Bypass proxy for Private Address Space (RFC 1918) destination"
"Do not forward traffic to Private Address Space (RFC 1918) destination through the proxy server but directly through the firewall."
I turned SQUID on again and I set this option ON, but with no luck… I can still access the OPT network from LAN when SQUID is on.
There is another option to manually set which destination addresses SQUID will bypass the proxy for. I also set a specific OPT IP address on that, but no luck either...
"Bypass proxy for these destination IPs"
"Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]"
Any ideas on how to keep SQUID running and disable OPT access from LAN?
Kind regards
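To show why the LAN block rule is never hit while the transparent proxy is on, here is an added, hand-written pf ruleset illustrating the thread's setup; it is not pfSense's generated configuration, and the interface names and subnets are assumptions for the example.

```pf
# Illustrative pf ruleset (not pfSense's generated rules).
# Interface names and subnets below are assumptions for this example.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Transparent Squid: LAN web traffic is redirected to the local proxy.
# This is the "LAN 192.168.1.5:49538 -> 127.0.0.1:3128" state seen in
# the thread: the client talks to the firewall, and Squid then opens
# its own connection to the OPT1 host, so the LAN block rule below never
# sees a packet destined for OPT1.
#
# The "no rdr" line is what the "Bypass proxy for Private Address Space
# (RFC 1918) destination" option provides: traffic to private
# destinations is left untouched and must pass the LAN filter rules.
no rdr on $lan_if inet proto tcp from $lan_net to <rfc1918> port 80
rdr on $lan_if inet proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128

# LAN filter rules: block OPT1, allow everything else (the rule set
# described in the thread). With the bypass in place, a LAN client
# fetching http://192.168.2.10 is now matched, blocked and logged here.
block in log quick on $lan_if inet from $lan_net to $opt1_net
pass in quick on $lan_if inet from $lan_net to any
```

Without the "no rdr" line, the only way to stop LAN clients reaching OPT1 over HTTP is inside Squid itself (an ACL denying the OPT1 destination), since the proxy, not the client, originates that connection.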
-
"Do not forward traffic to Private Address Space (RFC 1918) destination through the proxy server but directly through the firewall. "
This would be the setting you would want - that should work. I could simulate your setup when I get a chance - but that should work.
-
It worked after a system reboot. Thanks!!