How do I isolate networks with Squid, Services still being Resolved
-
Post screens of your rules instead of text about what you think they're doing.
-
Here are screenshots of what I have going on. It might not be correct, and if you guys see anything that is weird, please let me know.
-
Your rules on BETA look OK, although I don't know what is in the alias Local_subnets. One thing to point out is that you don't need those explicit block rules at the bottom. The rules are processed top-down, first-match wins (floating rules are slightly different). At the bottom, there is a hidden Deny All rule, so traffic that isn't passed by a preceding allow rule is blocked automatically.
Lastly, the addition of a firewall rule will not block traffic if an existing state is already present. So when you are playing with your rules, make sure you go to Diagnostics - States and clear any established states that match that traffic/rule.
-
local_subnets are the VLANs: Cameras, Video, Beta, Web_Server and VPN. I was holding onto explicitly stating the deny rule so I could log traffic as I was diagnosing problems. I did clear the states and reboot the router, but with Beta I am still able to access the web server with its clients (Android, Linux) as well as the web browser. I cannot, however, SSH into it, which shows that the isolate_beta rule is working to block SSH but not the other items.
-
Oh, also, here are my switch settings.
-
Hmm, looks OK.
Why is your 10.10.10.0 network a /27?
I've seen funny things with the negate operator. Instead of allowing to NOT Local, flip it around. Block access to local and then allow all else.
-
I removed the 10.10.10.0 network; it was a mistake, I just hadn't removed it. I do know what you mean about the inverted settings; they can work in strange ways sometimes. I did change that. My server is still being resolved using the beta network. I just wish I could figure out what is passing the traffic. The only traffic I see being generated when I refresh the page is the device to squid.
-
My ultimate goal was to work on a DMZ for the webserver; that's what started this project.
-
Ok, working a little more on this today. I found a similar thread that had a solution that worked for them, but it is not working for me.
https://forum.pfsense.org/index.php?topic=81331.15
I also saw another thread, which I cannot find now, talking about the machine's address changing when it passes through squid:
Device IP changes to pfSense address port 3128
So here are some relevant settings of my squid configuration after I had changed the bypass setting and rebooted.
-
I also just tried with Squid's ACLs to see if I could block networks 10.0.17.0/24 and 10.0.47.0/24, but it is still resolving in the web browser.
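The thread's core observation is that once a client's HTTP request passes through Squid, the connection to the web server is made by pfSense itself (source = firewall address), so the BETA interface rules that block client-to-server traffic never see it. The isolation therefore has to happen inside Squid, with ACLs evaluated before any `http_access allow`. The fragment below is an added example written for this thread, not configuration from the original poster or from the pfSense Squid package. It uses the two subnets named in the last post; the web server address, its hostname and the `localnet` ACL name are assumptions marked in the comments.

```conf
# Added example squid.conf fragment (not from the thread).
# Source networks as named in the post:
acl beta_net    src 10.0.17.0/24
acl cameras_net src 10.0.47.0/24

# Destination to protect. Address and name are placeholders, not from the thread.
acl web_server      dst       192.0.2.10/32
acl web_server_name dstdomain .web.internal.example

# Squid evaluates http_access lines top-down, first match wins.
# These deny lines must come BEFORE the allow for local clients, otherwise
# "http_access allow localnet" matches first and the deny never runs.
# Two ACL names on one line are ANDed: client in beta_net AND destination web_server.
http_access deny beta_net    web_server
http_access deny beta_net    web_server_name
http_access deny cameras_net web_server
http_access deny cameras_net web_server_name

# Usual local-client allow (the ACL name "localnet" is assumed; the pfSense
# package generates its own) and the final catch-all.
http_access allow localnet
http_access deny all
```

In the pfSense Squid package, custom directives have to be placed so that they are emitted ahead of the package's generated allow rule (the "before auth" custom options field does this, assumed here from the package layout, not from the thread). Validate with `squid -k parse` before reloading, then reload and watch `access.log`: a client in 10.0.17.0/24 requesting the web server should now log `TCP_DENIED` rather than a `TCP_MISS`/`TCP_HIT`. Because the denied request is answered by Squid with an error page, the browser still "resolves" the name; what changes is that no connection from pfSense to the web server is opened on the client's behalf, which is what the interface rules were unable to stop.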