Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid & Firewall Rules

    Scheduled Pinned Locked Moved Cache/Proxy
    6 Posts 3 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tscheese
      last edited by

      I've put in rules on my pfSense firewall to block traffic between VLANs. I'm also using pfBlockerNG to implement Talos, Emerging Threats, and DShield IPv4 blacklists.

      I would also like to implement Squid and ClamAV, but when I do this, my firewall rules are ignored; it allows HTTP/HTTPS traffic across VLANs and to IPs on the blacklists.

      It's my understanding that this is how Squid is supposed to work, however, I'm wondering if anybody has a workaround which would allow me to implement Squid and still have my firewall rules apply?

      Thank you,
      tscheese

      1 Reply Last reply Reply Quote 0
      • I
        Impatient
        last edited by

        You need to be a lot more specific on how you are trying to set this up.

        Describe your network layout and how you are setting up squid.

        I run Squid, pfBlockerNG-devel, and Suricata on my network with 3 subnet's which one
        is wireless and there is no traffic to my other 2 subnet's.

        If you enable transparent proxy Squid does enable it's own firewall rule also if you select
        Allow Users on Interface on the general setup page's all user's on that interface or interface's will be able to communicate.

        I run mine in non-transparent with browser's manualy configured and since I have 3 subnet's
        say 192.168.1.1/24 my proxy setting's in my browser setting's are 192.168.1.1 port 3128 for the system's in that subnet.
        If the second subnet is 192.168.2.1/24 the browser setting's for those system's would be 192.168.2.1 port 3128.

        My subnet's I allow are entered into the allowed subnet's box under the ACL's tab in squid.

        I am sure similar to this could be accomplished with VLans and transparent but you will
        have to find the firewall rule's squid insert's and make them work with your's, I believe
        Doktornator posted them once on the old forum's but that's been a long time ago.

        T 1 Reply Last reply Reply Quote 0
        • T
          tscheese @Impatient
          last edited by

          @Impatient

          Thank you very much for your reply; it’s greatly appreciated. I’ve provided a little more detail about my setup, below:

          I have a number of VLANs setup on different subnets: LAN, Guest, Management, Voice, and a few more.

          I have rules in-place on each interface, blocking traffic to an alias, which contains all of my local subnets. This rule works as I would expect.

          I’ve installed Squid and turned it on in transparent mode, but other than that, I’ve done no further configuration. Now, for example, users on the LAN VLAN can access the HTTP page of my switches on the management VLAN and my IP PBX in the Voice VLAN.

          I’m hoping someone could point me in the right direction, so that I can configure Squid to be transparent, but still not allow traffic between VLANs and also leverage the block lists generated by pfBlockerNG. Based on your reply, it sounds like there may be some firewall rules put in-place by Squid that I cannot see?

          1 Reply Last reply Reply Quote 0
          • T
            tscheese
            last edited by

            *Bumping this post.

            I'm surprised nobody else is having a similar issue with Squid.

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Nobody else has a similar issue because there are clearly labeled and documented options in squid to prevent exactly what you are seeing.

              Check the box in squid labeled Bypass Proxy for Private Address Destination. Alternately, use your alias in the Bypass Proxy for These Destination IPs list.

              0_1542217578654_Selection_106.jpg

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              T 1 Reply Last reply Reply Quote 2
              • T
                tscheese @jimp
                last edited by

                @jimp
                Thank you very much for your reply! This solved my problem.

                I suppose I could have worded my previous comment a little differently. I've found lots of others online who are having a similar troubles. As such, I wasn't so much surprised that nobody else was having the same issue, rather, I was surprised that I hadn't yet found an answer similar to what you've provided, above.

                Thanks again for your help with this!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.