Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid3 pass based on MAC address vs IP address - aka Roku fix

    Cache/Proxy
    2
    6
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jawz101
      last edited by

      Last night I set up Squid as I've done a few times only to uninstall it because pfSense chokes due to caching.  Fortunately I realized I've been watching Amazon Prime on my Roku while Squid3 was running.
      Under the Real-time View Squid was caching a ton from *cloudfront.net CDN

      Now, the fix would be to skip the proxy for Roku's IP address, am I right?
      If so, Roku's only pick DHCP addresses and their site likes to say "don't assign a static lease for Roku's MAC address."

      Well, I could ignore that I guess and go ahead and do that.  I was also wondering if Squid can ignore MAC addresses in lieu of IP addresses and then I can make even Roku support happy.

      I'd just like to get some opinion on and I could possibly see others want to pass based on MAC address vs. IP address

      possible pass MAC address solution:
      http://wiki.squid-cache.org/SquidFaq/SquidAcl#Can_I_set_up_ACL.27s_based_on_MAC_address_rather_than_IP.3F
      _Can I set up ACL's based on MAC address rather than IP?
      Yes, for some operating systes. The ACL type is named arp after the ARP protocol used in IPv4 to fetch the EUI-48 / MAC address. This ACL is supported on Linux, Solaris, and probably BSD variants.

      MAC address is only available for clients that are on the same subnet. If the client is on a different subnet, then Squid can not find out its MAC address as the MAC is replaced by the router MAC when a packet is router.

      For Squid-3.1 and older to use ARP (MAC) access controls, you first need to compile in the optional code.
      Do this with the –enable-arp-acl configure option:_

      
% ./configure --enable-arp-acl ...
% make clean
% make

      If src/acl.c doesn't compile, then ARP ACLs are probably not supported on your system.
      For Squid-3.2 and newer the EUI support is enabled by default whenever it can be used.
      Add some arp ACL lines to your squid.conf:

      
#squid.conf
acl M1 arp 01:02:03:04:05:06
acl M2 arp 11:12:13:14:15:16
http_access allow M1
http_access allow M2
http_access deny all

      Run squid -k parse to confirm that the ARP / EUI supprot is available and the ACLs are going to work.

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        Maybe I'm missing something but instead of trying to get Squid working with the CDN, why not just exempt the Roku altogether?  Or are you running a transparent proxy?

        1 Reply Last reply Reply Quote 0
        • J
          jawz101
          last edited by

          yep.  transparent proxy.

          I think I may just make a list of CDNs to allow for various streaming services if that's possible and post a separate thread with those if it helps others

          1 Reply Last reply Reply Quote 0
          • KOMK
            KOM
            last edited by

            You're better off ditching the transparent proxy for explicit mode, which gives you a lot more flexibility.  Then you could just set your Roku to not use it and go straight out.  You also won't have to screw around with trusted pfSense certs installed on every device.

            https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

            1 Reply Last reply Reply Quote 0
            • J
              jawz101
              last edited by

              Thanks for the tip!  Now I'm trying to wrap my head around this WPAD solution but have a few questions…

              What would require trusted certs in what I was thinking?
              The MAC address filter or excluding caching from certain streaming CDNs?

              Also, would this WPAD have the Roku circumvent the firewall altogether?  I would still want inbound protection and .since it's a home environment. I prefer not use authentication for myself to surf the Net.

              What's funny is I have a QNAP NAS as well and since this WPAD setup says I'd have to set pfSense administration to use HTTP instead of HTTPS if Squid3 + WPAD is on the same box (and recommends not doing that) I could probably use the QNAP box as the Squid caching server instead and do this WPAD setup.

              1 Reply Last reply Reply Quote 0
              • KOMK
                KOM
                last edited by

                What would require trusted certs in what I was thinking?

                Transparent proxies will trigger your web browser's Man in the Middle warning whenever you visit an HTTPS site.

                Also, would this WPAD have the Roku circumvent the firewall altogether?

                WPAD is just a technique for devices to auto-locate your web proxy.  That's all.  It looks complicated, but it's really just a single DNS entry, a DHCP entry and a small file named wpad.dat with a proxy.pac symlink.

                Also, would this WPAD have the Roku circumvent the firewall altogether?

                No.  WPAD is just a method of auto-detecting the proxy and nothing more.

                Your wpad.dat|proxy.pac files need to be on any HTTP server you can use.  I use my pfSense box but any old Apache on *nix will do.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.