SquidGuard Package Help on 2.3.1
-
Yes, just read the options described in the Proxy GUI. There is one for source and one for destination IPs:
"Bypass Proxy for These Source IPs". So just enter the IPs which should bypass the Proxy.
Thanks. I did notice that option, but I didn't see anything there I could say "Proxy only these IP and nothing else". The way it currently is, I'd have to enter many IPs as I only want to proxy about 3 IPs right now. Is there a way to do it the way I need it?
Thanks for the info about pfBlockerNG. I ended up looking into it and seeing that you need to use the pfSense DNS server which doesn't work in my case, so that option was out. :)
–Steve
-
Is there a way to enable transparent proxy only for certain hosts or IPs and not an entire subnet?
I don't use transparent mode due to the hassles with HTTPS and client certificates. I use a combination of explicit mode, WPAD and firewall rules.
-
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.
-
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.
I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)
Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route. ::)
-
I don't see how I can make an alias with some excluded IPs.
Firewall - Aliases - IP - +.
Name: Proxy Clients
Description: Blah
Type: Host(s)
Hosts: add your IP addresses here, click + for each new host, Save to save.
but my devices that I'm trying to block things on, don't support proxy configurations
What device is this we're talking about?
-
@KOM:
Firewall - Aliases - IP - +.
Name: Proxy Clients
Description: Blah
Type: Host(s)
Hosts: add your IP addresses here, click + for each new host, Save to save.
The problem is when I go over to Services -> Squid Proxy Server -> Transparent Proxy Settings -> Bypass Proxy for These Source IPs, I don't see a way to make it work. If I put in my alias there, then it would only bypass the proxy for my 3 IP addresses. I want to do the opposite. I'm not sure how to negate the Alias if there is a way. (I have a feeling I'm missing something obvious that you are trying to point me to. :-\ :o ) Is there a way to negate the Alias?
What device is this we're talking about?
So far I'm trying to do some blocking on some Roku devices and Android cell phones. (I know the cell phones support proxy configs, but the Roku devices don't unfortunately.)
-
Oh, OK. I misunderstood what you wanted.
This would be so much easier with explicit proxy. Use firewall rules to block TCP access via 80/443. Configure WPAD to help devices auto-detect the proxy. Add a rule above your 80/443 block rule to allow devices like the Roku to go straight out. Done.
-
That's not quite what I wanted. :)
It's the 3 Rokus that I want to be transparently proxied and nothing else.
Let's say that I have an Alias containing the 3 Rokus called "Rokus". I haven't put any firewall rules related to the proxy. Are you saying that I can have an allow rule for "NOT Rokus" allowing those IPs out and just block the "Rokus" alias on TCP 80/443 and it will just work?
I guess I'm not understanding how the transparent proxy is tied into the firewall rules. I thought if I had a rule allowing a host to go out from the LAN, then the transparent proxy would just "transparently" work and if I deny a host, then the proxy would just not work because the host is blocked.
-
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.
I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)
Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route. ::)
I don't know if you are thinking too complicated or if I am missing something.
You want all clients of subnet 192.168.1.0/24 to NOT use the proxy but only these three IPs: 192.168.1.53, .72 and .83
So what I did: I created an Alias which includes all IPs of the subnet BUT not the three single IPs.
To make it more clear for you I added a screenshot.
Regards
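
The alias described in the post above (every host in 192.168.1.0/24 except the three proxied ones), worked out as an added example that is not part of the original thread. It assumes the alias is entered either as start-end ranges or as CIDR networks; the function names are hypothetical.

```python
import ipaddress

SUBNET = "192.168.1.0/24"                                   # LAN from the thread
PROXIED = ["192.168.1.53", "192.168.1.72", "192.168.1.83"]  # hosts to proxy


def bypass_ranges(subnet, proxied):
    """Return (first, last) host ranges of subnet that skip the proxied IPs."""
    net = ipaddress.ip_network(subnet)
    # Usable hosts only: network and broadcast addresses are left out.
    first, last = net.network_address + 1, net.broadcast_address - 1
    ranges, cursor = [], first
    for ip in sorted({ipaddress.ip_address(p) for p in proxied}):
        if not first <= ip <= last:
            raise ValueError(f"{ip} is not a host address in {net}")
        if ip > cursor:                      # gap before this proxied host
            ranges.append((cursor, ip - 1))
        cursor = ip + 1                      # continue after the proxied host
    if cursor <= last:
        ranges.append((cursor, last))
    return ranges


def as_range_strings(ranges):
    """Format ranges as 'first-last' strings."""
    return [f"{lo}-{hi}" for lo, hi in ranges]


def as_cidrs(ranges):
    """Express the same ranges as the smallest list of CIDR networks."""
    cidrs = []
    for lo, hi in ranges:
        cidrs.extend(ipaddress.summarize_address_range(lo, hi))
    return cidrs


def covers(cidrs, ip):
    """True if ip falls inside any network of the bypass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


if __name__ == "__main__":
    ranges = bypass_ranges(SUBNET, PROXIED)
    print("\n".join(as_range_strings(ranges)))
    print(" ".join(str(n) for n in as_cidrs(ranges)))
```

The `covers` check confirms that none of the proxied hosts ended up in the bypass list, which would silently exempt it from filtering.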
-
Thank you! I see now. I didn't even think about doing it that way. I was picturing some kind of alias that has an exclusion of 3 IPs instead of the inclusion of multiple ranges.
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that? :D
-
(…)
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that? :D
If you know the FQDN of all other clients, then just put these clients into the alias. But to be honest: because you can do it, it is not always the best way to do this. Other possibilities are mentioned in the thread, like WPAD and so on.
Other ways are to configure DHCP with static entries so that the three clients will always get the same IP address. This will make things easier.
Good luck!