Netgate Discussion Forum
    PFSense as DHCP server directing to another proxy?

    General pfSense Questions
    rdvc

      Hello everyone,

      I'm an IT manager in a branch office of a larger company. The thing is, I took over the IT section with it already up and running, and the guy who set it up like that resigned. So I'm using pfSense for the first time and didn't even have a chance to install or configure it.

      Since we are in a small city, isolated from the main office, we had a local internet provider. Now the company hired a provider for all branches, and we have to direct the traffic to the company proxy.

      So I'm supposed to disable my proxy server and clear the firewall rules so the traffic would go straight to the company's proxy. As far as I can understand, my pfSense would become a DHCP server.

      Right now the services running on my pfSense are: apinger, dhcpd, dnsmasq, havp, ntpd, squid, squidGuard.

      What I need to know is:
      How to disable my proxy service, and then make pfSense redirect to a determined proxy.

      KOM

        How to disable my proxy service

        Uninstall squid, squidguard and HAVP.

        and then make the PFSense redirect to a determined proxy

        Either use WPAD to allow your users to discover the corporate proxy on their own, or create an outbound NAT rule to direct your users' port 80/443 traffic to the corporate proxy.  WPAD is better since it won't give you any hassles with Man in the Middle attack warnings.  Redirecting their web traffic silently will trigger warnings for every HTTPS site unless you manually install a certificate on every one of your users' devices.

        johnpoz LAYER 8 Global Moderator

          There are multiple ways to get a client to use a proxy.  You could deploy the proxy to the client via Group Policy, or you could use WPAD, which can be DNS- or DHCP-based, for the client to find out what proxy to use.

          Or sure, you could have no discovery of the proxy to use and set up redirection of their internet traffic, or you could leave them using your proxy and just set up your proxy to forward to the upstream proxy.

          The last option, if you're using an explicit proxy, is just to go to each machine and point their browser to your PAC file or directly to the proxy the corp wants you to use.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          chris4916
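          As an added example (not code from this thread, from KOM or johnpoz, or from the pfSense project), here is a WPAD proxy auto-config (PAC) script of the kind the WPAD route suggested in both replies above would have pfSense serve as wpad.dat, with clients locating it through the wpad hostname in DNS or DHCP option 252. The proxy name proxy.corp.example:8080, the branch DNS suffix .branch.example and the address ranges are placeholder assumptions. Because the browser selects the proxy itself, HTTPS requests are tunnelled to the proxy with CONNECT instead of being intercepted, which is why this route avoids the certificate warnings KOM describes. The guarded shims at the top exist only so the decision logic can be exercised under Node.js before deployment; browsers provide those PAC built-ins themselves.

```javascript
// Added example (not from the thread or the pfSense project): a WPAD
// proxy auto-config (PAC) script. All names and ranges are placeholders.
var CORP_PROXY = "PROXY proxy.corp.example:8080"; // assumed corporate proxy
var BRANCH_DOMAIN = ".branch.example";            // assumed local DNS suffix

// ---- Offline shims -------------------------------------------------------
// Browsers inject these PAC built-ins into the script's global scope; the
// typeof guards leave them untouched there and only define minimal versions
// when the file is loaded under Node.js for testing.
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof dnsResolve === "undefined") {
  // No DNS offline: only IPv4 literals are "resolved", names yield null.
  // A browser would resolve the name, so a name that maps to an RFC 1918
  // address goes DIRECT in the browser but to the proxy under this shim.
  var dnsResolve = function (host) {
    return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
  };
}
if (typeof isInNet === "undefined") {
  var isInNet = function (host, pattern, mask) {
    var addr = dnsResolve(host);
    if (addr === null) return false;
    var a = ip4ToInt(addr), p = ip4ToInt(pattern), m = ip4ToInt(mask);
    if (a === null || p === null || m === null) return false;
    return (a & m) === (p & m); // both sides coerced to int32 identically
  };
}

// Dotted-quad IPv4 string to a number; null on malformed input.
function ip4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// The entry point every PAC file must define. Returning only the proxy
// (no "; DIRECT" fallback) keeps web traffic from bypassing the corporate
// proxy when the proxy is unreachable, which is what the policy asks for.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Unqualified names ("intranet") and the branch's own suffix stay local.
  if (isPlainHostName(host) || dnsDomainIs(host, BRANCH_DOMAIN)) return "DIRECT";
  // 2. Loopback and RFC 1918 address space never goes through the proxy.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // 3. Everything else, http and https alike, goes to the corporate proxy.
  return CORP_PROXY;
}
```

          When deploying, serve wpad.dat and the wpad A record from pfSense's own resolver (Unbound or dnsmasq) and publish the same URL as DHCP option 252, so every client on the branch LAN resolves the discovery name locally and consistently gets this file rather than an unanswered lookup.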

            I fully share both KOM's and johnpoz's answers. WPAD is most likely the right technical answer.
            Then, as described above, one aspect is the technical way to achieve HTTP redirection to the company proxy, but another aspect is also related to the global design you will target.

            What is not clear to me is the reason why you write:

            So I'm supposed to disable my proxy server and clear the firewall rules so the traffic would go straight to the company's proxy. As far as I can understand, my PFSense would become a DHCP server.

            1 - if the goal is to provide DHCP service only, then pfSense is clearly overkill  8)
            2 - I'm really not sure, unless you are obliged to do so in order to comply with company rules, that removing your firewall is the right target. This makes sense only if the network between your site and your company is a fully private network with no direct internet access. And even in this situation, keeping the FW in the middle with permissive rules may help in case you need, for whatever reason like a virus spreading, to isolate your local network from the company network.

            You do need to clarify this point before deciding about the target design  ;)

            Jah Olela Wembo: Words turn into wounds when they annoy, assault or hurt.

              rdvc

              Thank you for the answers,

              About the firewall, I may have expressed myself poorly. I meant that I'm to clear the rules that prevent access to certain websites which aren't being properly blocked by squid (like facebook).

              I'm probably going to try the WPAD package (in 2 weeks, when the proxy tests are scheduled), since, as KOM said, an Outbound NAT rule may give me some false positives of MitM attacks.

              The company specified that no branch office is supposed to have a proxy anymore. According to them it may interfere with the net balancing, since we have two links from the same provider, one for the internet and the other for the corporate net.

              And I'm definitely not going to manually configure the browser of 300 hosts. ;D

              Once again, thank you all.

              I would appreciate it if this topic could remain open for 2 weeks; I may get into some trouble with WPAD.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.