Netgate Discussion Forum
    SquidGuard Package Help on 2.3.1

    Category: Cache/Proxy (17 Posts, 3 Posters, 3.9k Views)
      KOM wrote:

      Is there a way to enable transparent proxy only for certain hosts or IPs and not an entire subnet?

      I don't use transparent mode due to the hassles with HTTPS and client certificates.  I use a combination of explicit mode, WPAD and firewall rules.

        Nachtfalke wrote:

        You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".

        Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
        All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.

          steve1515 wrote:

          @Nachtfalke:

          You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".

          Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
          All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.

          I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)

          Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route.  ::)

            KOM wrote:

            I don't see how I can make an alias with some excluded IPs.

            Firewall - Aliases - IP - +.

            Name: Proxy Clients
            Description: Blah
            Type: Host(s)
            Hosts: add your IP addresses here, click + for each new host, Save to save.

            but my devices that I'm trying to block things on, don't support proxy configurations

            What device is this we're talking about?

              steve1515 wrote:

              @KOM:

              Firewall - Aliases - IP - +.

              Name: Proxy Clients
              Description: Blah
              Type: Host(s)
              Hosts: add your IP addresses here, click + for each new host, Save to save.

              The problem is when I go over to Services -> Squid Proxy Server -> Transparent Proxy Settings -> Bypass Proxy for These Source IPs, I don't see a way to make it work. If I put in my alias there, then it would only bypass the proxy for my 3 IP addresses. I want to do the opposite. I'm not sure how to negate the Alias if there is a way. (I have a feeling I'm missing something obvious that you are trying to point me to.  :-\ :o ) Is there a way to negate the Alias?

              What device is this we're talking about?

              So far I'm trying to do some blocking on some Roku devices and Android cell phones. (I know the cell phones support proxy configs, but the Roku devices don't unfortunately.)

                KOM wrote:

                Oh, OK.  I misunderstood what you wanted.

                This would be so much easier with explicit proxy.  Use firewall rules to block TCP access via 80/443.  Configure WPAD to help devices auto-detect the proxy.  Add a rule above your 80/443 block rule to allow devices like the Roku to go straight out.  Done.

                  steve1515 wrote:

                  That's not quite what I wanted. :)
                  It's the 3 Rokus that I want to be transparently proxied and nothing else.

                  Let's say that I have an Alias containing the 3 Rokus called "Rokus". I haven't put any firewall rules related to the proxy. Are you saying that I can have an allow rule for "NOT Rokus" allowing those IPs out and just block the "Rokus" alias on TCP 80/443 and it will just work?

                  I guess I'm not understanding how the transparent proxy is tied into the firewall rules. I thought if I had a rule allowing a host to go out from the LAN, then the transparent proxy would just "transparently" work, and if I deny a host, then the proxy would just not work because the host is blocked.

                    Nachtfalke wrote:

                    @steve1515:

                    @Nachtfalke:

                    You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".

                    Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
                    All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.

                    I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)

                    Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route.  ::)

                    I don't know if you are thinking too complicated or if I am missing something.
                    You want all clients of subnet 192.168.1.0/24 to NOT use the proxy but only these three IPs: 192.168.1.53, .72 and .83

                    So what I did was create an Alias which includes all IPs of the subnet BUT not the three single IPs.
                    To make it more clear for you I added a screenshot.

                    Regards

                    [Attachment: IP_ALIAS.png]

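Nachtfalke's "whole subnet minus the three hosts" alias can be computed rather than worked out by hand. This is an added example, not code from the thread or from pfSense; it assumes the three proxied addresses steve1515 listed and that a pfSense Network-type alias accepts address/prefix entries (an assumption, the screenshot used ranges).

```python
from ipaddress import IPv4Address, IPv4Network, collapse_addresses

# Constructed input matching the thread: the LAN and the three Roku IPs.
LAN = "192.168.1.0/24"
PROXIED_HOSTS = ["192.168.1.53", "192.168.1.72", "192.168.1.83"]


def bypass_networks(subnet: str, hosts: list[str]) -> list[IPv4Network]:
    """Return the minimal CIDR list covering `subnet` minus `hosts`.

    Each /32 is carved out with IPv4Network.address_exclude, which splits
    the enclosing block into the largest blocks that do not contain it.
    """
    remaining = [IPv4Network(subnet)]
    for host in hosts:
        carve = IPv4Network(f"{host}/32")
        nxt = []
        for net in remaining:
            if carve.subnet_of(net):
                nxt.extend(net.address_exclude(carve))
            else:
                nxt.append(net)
        remaining = nxt
    # Merge adjacent blocks so the alias has as few entries as possible.
    return sorted(collapse_addresses(remaining))


def is_bypassed(nets: list[IPv4Network], ip: str) -> bool:
    """True if `ip` falls in a bypass block, i.e. it is NOT sent to the proxy."""
    return any(IPv4Address(ip) in net for net in nets)


def alias_entries(nets: list[IPv4Network]) -> list[str]:
    """Entries in address/prefix form for the 'Bypass Proxy for These Source IPs' alias (assumed format)."""
    return [str(net) for net in nets]


if __name__ == "__main__":
    nets = bypass_networks(LAN, PROXIED_HOSTS)
    total = sum(n.num_addresses for n in nets)
    print(f"{len(nets)} alias entries covering {total} addresses:")
    for entry in alias_entries(nets):
        print(" ", entry)
    # Sanity check: the three Rokus must NOT be in the bypass alias.
    for ip in PROXIED_HOSTS + ["192.168.1.52"]:
        print(ip, "bypasses proxy" if is_bypassed(nets, ip) else "goes through proxy")
```

Excluding three single hosts from a /24 yields 16 CIDR blocks covering 253 addresses, which is why the alias ends up as a list of ranges rather than one entry.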
                      steve1515 wrote:

                      Thank you! I see now. I didn't even think about doing it that way. I was picturing some kind of alias that has an exclusion of 3 IPs instead of the inclusion of multiple ranges.

                      Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that?  :D

                        Nachtfalke wrote:

                        @steve1515:

                        (…)
                        Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that?  :D

                        If you know the FQDN of all other clients, then just put these clients into the alias. But to be honest, because you can do it, it is not always the best way to do this. Other possibilities like WPAD and so on are mentioned in the thread.

                        Other ways are to configure DHCP with static entries so that the three clients will always get the same IP address. This will make things easier.

                        Good luck!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.