Users bypass squid



  • Hi everyone, I use pfSense as a proxy server. I installed squid on it. The problem is that LAN users can access the Internet by putting the address of the pfSense server as a gateway; then squid does not prompt the login box.
    Thank you for your help


  • Banned

    @atn78:

    The problem is that LAN users can access the Internet by putting the address of the pfSense server as a gateway; then squid does not prompt the login box.

    Eeeerm huh?! That'd be the default for anyone, no? Without need to specify any gateway manually.



  • If the gateway is not specified, squid prompts for the login and password, but if a gateway is specified anyone can browse the Internet.


  • Banned

    I have no idea what you have set up there. pfSense IS the default gateway for everyone on LAN on any normal setup, and will be set as such via DHCP. If you are trying to use pfSense as a proxy appliance and have a different router elsewhere, then yeah that obviously won't work this way.



  • pfSense is used as a proxy with two network cards: one connected to the LAN and the other to the router.


  • Banned

    Yeah, you need to fix your real router settings.



  • But I can't stop users from modifying their network settings.



  • Can you not stop your "Router" from being a router and simply use it as a Modem with PFsense being the router?



  • I can't do it. Because the router is provided by ISP and I can't modify configuration.


  • Banned

    So double NAT instead of producing completely broken network design? Let pfSense WAN get RFC1918 IP on WAN from the ISP router and set up your LAN as normal on a different subnet. What you have produced will never ever work like this if you have no access to modem config.



  • The WAN address of pfSense is different from the LAN address. The first one is 10.100.100.x and the second one is 192.168.0.y.


  • Banned

    OK, enough time wasted with guessing. Produce a network diagram, post ipconfig /all or equivalent output from clients that do bypass your proxy and those that do not and post screenshots of your Squid configuration.



  • This is the output of ipconfig /all for a client that bypasses the proxy:

    Suffixe DNS propre à la connexion. . . :
      Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
      Adresse physique . . . . . . . . . . . : 28-D2-44-EB-6D-55
      DHCP activé. . . . . . . . . . . . . . : Non
      Configuration automatique activée. . . : Oui
      Adresse IPv6 de liaison locale. . . . .: fe80::5d54:c541:100b:de9c%10(préféré)
      Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.118(préféré)
      Masque de sous-réseau. . . . . . . . . : 255.255.255.0
      Passerelle par défaut. . . . . . . . . : fe80::c5d1:5de3:ba55:d86%10
                                          192.168.0.10
      IAID DHCPv6 . . . . . . . . . . . : 422105668
      DUID de client DHCPv6. . . . . . . . : 00-01-00-01-1C-7B-A1-4F-38-B1-DB-B3-4A-23
      Serveurs DNS. . .  . . . . . . . . . . : 8.8.8.8
      NetBIOS sur Tcpip. . . . . . . . . . . : Activé

    and this is the output for the one that doesn't bypass it:

    Suffixe DNS propre à la connexion. . . :
      Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
      Adresse physique . . . . . . . . . . . : 28-D2-44-EB-6D-55
      DHCP activé. . . . . . . . . . . . . . : Non
      Configuration automatique activée. . . : Oui
      Adresse IPv6 de liaison locale. . . . .: fe80::5d54:c541:100b:de9c%10(préféré)
      Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.119(préféré)
      Masque de sous-réseau. . . . . . . . . : 255.255.255.0
      Passerelle par défaut. . . . . . . . . : fe80::c5d1:5de3:ba55:d86%10
      IAID DHCPv6 . . . . . . . . . . . : 422105668
      DUID de client DHCPv6. . . . . . . . : 00-01-00-01-1C-7B-A1-4F-38-B1-DB-B3-4A-23
      Serveurs DNS. . .  . . . . . . . . . . : 8.8.8.8
      NetBIOS sur Tcpip. . . . . . . . . . . : Activé

    And the squid configuration is in the attachments

    ![Capture d’écran (3).png](/public/imported_attachments/1/Capture d’écran (3).png)
    ![Capture d’écran (4).png](/public/imported_attachments/1/Capture d’écran (4).png)
    ![Capture d’écran (5).png](/public/imported_attachments/1/Capture d’écran (5).png)
    ![Capture d’écran (6).png](/public/imported_attachments/1/Capture d’écran (6).png)
    ![Capture d’écran (7).png](/public/imported_attachments/1/Capture d’écran (7).png)


  • Banned

    And what the heck is 192.168.0.119? I already explicitly stated, multiple times, that you CANNOT have the ISP router and pfSense LAN on the same subnet. Would have hoped that requesting a network diagram might make you realize that your design is broken, but apparently not.



  • As I said, the pfSense is "between" the LAN and the ISP router. The pfSense server has two network cards: one that has the IP address 192.168.0.x (LAN) and one that has the IP address 10.100.10.y (WAN address, connected to the ISP router).


  • Banned

    Does not go anywhere, I give up. Still no network diagram.

    Having a default gateway configured to the IP of your router is absolutely expected and normally required. It does not result in any bypass of anything except for utterly broken network designs.



  • This is the network diagram. I thought I had explained it in writing.

    ![LAN internet.png](/public/imported_attachments/1/LAN internet.png)


  • Banned

    Great. Now, did you configure anything on the clients? Because, with the proxy NOT being transparent, I cannot figure out how on earth you imagine the clients to be forced to use it?!?!  (And, BTW, if going through Squid is required, you'll need to block all IPv6.)



  • I attached two screenshots showing the Internet configuration in browsers and the configuration of the network cards.

    ![options internet.png](/public/imported_attachments/1/options internet.png)
    ![carte réseau.png](/public/imported_attachments/1/carte réseau.png)


  • Banned

    Yeah. So, unless you configure the clients manually, they won't use the proxy. Cannot see the "bypass" here. And still do not see the problem and the relation with the gateway.



  • DHCP is not activated, so clients are configured manually.


  • Banned

    Yes. If you have DHCP activated, you'd have noticed that it is absolutely standard to have a default gateway configured on clients. I mean, you break the network connectivity if you don't have it configured. And no, it does not have anything in common with Squid "bypass". Not in any normal network. Yours apparently is abnormal.



  • When I deactivated the proxy in Internet Options, the squid authentication is not prompted and I have access to the Internet.


  • Banned

    Yes of course they are NOT!!! Because if you want to force people to use a proxy, you need to either make it transparent, or force it on clients via DHCP/DNS/WPAD/Group Policy and block the direct traffic. You do not force people to use a proxy by inventing broken network configuration on clients that's missing a default gateway.

    :o ::)



  • I have activated the transparent proxy option and I still have the same problem.


  • Banned

    As noted, you need to block IPv6 if going through Squid is a requirement. Other than that, I'd wipe everything and start from scratch, and start with fixing your completely whacky workflows. Using DHCP and configuring clients in a way that's used by the rest of the world (which includes having a default gateway set) would be a nice start here.

    Bye.



  • Can you tell me how to do it?


  • Banned

    There really is nothing special to do, it just works for everyone with DHCP server enabled on pfSense.



  • I noticed that users can bypass squid by configuring the DNS in their network interfaces.



  • Then block their ability to do so, either via a GPO, or at the firewall. If they are actually using the proxy (either transparently, or via wpad) then regardless of their DNS settings, the proxy will serve what the pfSense DNS looks up.
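    The enforcement described across the replies above (transparent interception, blocking direct LAN-to-Internet traffic, blocking IPv6, and refusing hand-entered external DNS such as the 8.8.8.8 seen in the ipconfig output) expressed as a pf ruleset, added here as an illustration and not taken from the thread or from pfSense's generated configuration. Interface names, the 192.168.0.1 LAN address and the Squid ports 3128/3129 are assumptions.

```pf
# Illustrative pf ruleset for a pfSense box that is the LAN default gateway and
# runs Squid. Interface names and addresses below are assumptions; adjust them.
# pf.conf order matters: macros, options, translation (rdr), then filter rules.
lan_if     = "em0"              # LAN NIC, assumed 192.168.0.1/24
wan_if     = "em1"              # WAN NIC toward the ISP router
lan_net    = "192.168.0.0/24"
lan_ip     = "192.168.0.1"
squid_port = "3128"             # explicit proxy port (assumed)
icap_port  = "3129"             # transparent intercept port (assumed)

set skip on lo0

# Transparent redirect: plain-HTTP traffic from the LAN that is not already
# aimed at the firewall goes to Squid's intercept port. HTTPS is not
# intercepted here; clients reach it only through the explicit proxy (CONNECT).
rdr pass on $lan_if inet proto tcp from $lan_net to ! $lan_ip port 80 -> $lan_ip port $icap_port

# Default deny, both directions, both address families.
block log all

# Block IPv6 entirely: a dual-stack client would otherwise reach the Internet
# around the proxy, as noted in the replies above.
block quick inet6 all

# The LAN may talk to the firewall for DHCP, DNS and the explicit proxy only.
pass in quick on $lan_if inet proto udp from any to any port 67
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $lan_ip port 53
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port $squid_port

# Resolvers typed into a client's NIC settings (e.g. 8.8.8.8) are dropped and
# logged, so a changed DNS setting shows up in the firewall log instead of working.
block in log quick on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_ip port 53

# Everything else from the LAN straight to the Internet is dropped, so editing
# the gateway or disabling the browser proxy setting buys the user nothing.
block in log quick on $lan_if inet from $lan_net to any

# Replies and DHCP offers from the firewall toward the LAN.
pass out quick on $lan_if inet all

# Only the firewall itself (Squid and its own resolver) leaves via WAN.
pass out quick on $wan_if inet from ($wan_if) to any
```

    The `block in log` lines are where to look when checking whether clients are still trying to go around the proxy: hits on the port-53 rule or the catch-all LAN rule identify the machines whose settings were changed by hand.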



  • @doktornotor:

    Great. Now, did you configure anything on the clients? Because, with the proxy NOT being transparent, I cannot figure out how on earth you imagine the clients to be forced to use it?!?!  (And, BTW, if going through Squid is required, you'll need to block all IPv6.)

    I know this is already an old post, but can I ask for your assistance, how do we block all IPv6?

    TIA!

    ast