Netgate Discussion Forum

Cannot operate with transparent option

Cache/Proxy
  • N
    nikpony
    last edited by Jul 29, 2020, 10:13 AM

    Hello to all, first of all I have to declare that I am very new to pfSense etc.

    So, I managed to set up pfSense in Hyper-V and set it up appropriately, also installing the Squid proxy packages. The configuration of my new proxy is complete, and I tested it by changing the proxy settings manually on my PC and my mobile phone, and this is working properly.
    But if I check the transparent option in my proxy settings and leave the settings without a proxy option, it doesn't work, and websites that I have blocked still work.

    Attached you will find my settings in proxy and transparent section.
    Thanks in advance.
    Nick

    proxy_pfsense.JPG

    • D
      DaddyGo @nikpony
      last edited by DaddyGo Jul 29, 2020, 11:28 AM Jul 29, 2020, 11:25 AM

      @nikpony said in Cannot operate with transparent option:

      But if I check the transparent option in my proxy settings

      Hi,

      A good Squid configuration can take several weeks of work!
      If you use SSL (MITM) filtering, you must configure the client machines:

      - manually (installing the Squid intermediate cert.)
      or
      - WPAD
      - PAC file, etc.

      You can read about these here:
      https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html
      https://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

      +++edit:
      https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

      BTW:
      And think about whether you want a proxy on each of the WAN and LAN interfaces. 😉

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • N
        nikpony
        last edited by Jul 29, 2020, 11:34 AM

        Dear @DaddyGo ,
        many thanks for your quick response.

        I will read all your links to learn more about it.

        My main purpose is to block some websites (social media) for users that connect through Wi-Fi (mobile phones, laptops, tablets), and why not also block them for PCs connected by wire...

        Also, of course, I want to avoid manually setting my new proxy settings on every client's PC.

        • D
          DaddyGo @nikpony
          last edited by DaddyGo Jul 29, 2020, 11:45 AM Jul 29, 2020, 11:41 AM

          @nikpony said in Cannot operate with transparent option:

          My main purpose is to block some websites (social media) from users

          nothing 😉

          As I have already written, a good Squid setup causes a lot of sweating, and I prefer it for an enterprise environment.
          In a SOHO environment, it is better to use pfBlockerNG-devel and/or Snort + OpenAppID.

          +++edit:

          I have to add that there are a lot of problems on the https (MITM) page, for example government and banking websites will not work in most cases, because they detect the proxy

          and http will slowly be forgotten...

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • N
            nikpony
            last edited by Jul 29, 2020, 11:56 AM

            Dear @DaddyGo, many thanks for your suggestions.

            As I understand, the WPAD functions are mainly for desktops and laptops, and pfBlocker for mobile apps etc, or not?

            • D
              DaddyGo @nikpony
              last edited by DaddyGo Jul 29, 2020, 12:26 PM Jul 29, 2020, 12:25 PM

              @nikpony said in Cannot operate with transparent option:

              WPAD functions are mainly for desktops and laptops, and pfBlocker for mobile apps etc,

              WPAD or PAC file for a professional Squid setup.
              pfBlockerNG is suitable for everything that is on your network and requests DNS from pfSense... ergo, use it for everything
              (like Pi-hole, I just think it is much better) 😁

              Snort + OpenAppID can be perfect for restricting social sites

              BTW:
              Squid is "dying" due to the evolution of https and requires a lot of administration

              Cats bury it so they can't see it!
              (You know what I mean if you have a cat)

              • N
                nikpony
                last edited by Sep 2, 2020, 9:42 AM

                Hello and sorry for retrieving this old topic.
                I have managed to set up Snort + OpenAppID etc. in order to block URLs and apps, but it works only if I have set my pfSense IP as DNS in the local client DNS settings.
                How can I bypass it to all users as a default DNS?

                Thanks in advance.

                • D
                  DaddyGo @nikpony
                  last edited by Sep 2, 2020, 4:16 PM

                  @nikpony said in Cannot operate with transparent option:

                  Hello and sorry for retrieving this old topic.

                  It's nothing 😉

                  @nikpony "I have managed to set Snort + Openappid etc"
                  I am glad.

                  @nikpony "if I have set in local client DNS setting, my pfSense IP as DNS."

                  I thought it was clear, the firewall is always the basis of DNS, otherwise it is unnecessary to use...

                  Use DHCP to tell clients where they are...

                  Cats bury it so they can't see it!
                  (You know what I mean if you have a cat)

                  • N
                    nikpony
                    last edited by Sep 3, 2020, 10:32 AM

                    Thank you @DaddyGo .

                    It doesn't work on the DHCP network, probably a mistake in the settings.

                    Could you tell me: when using Snort, is it necessary to enable DNS Forwarding or Resolve?

                    Thanks in advance.

                    • D
                      DaddyGo @nikpony
                      last edited by Sep 3, 2020, 6:22 PM

                      @nikpony said in Cannot operate with transparent option:

                      DNS Forwarding or Resolve?

                      I definitely recommend the Unbound resolver

                      Cats bury it so they can't see it!
                      (You know what I mean if you have a cat)
