Inconsistencies with Squid disallowing websites
-
So I have been tasked with setting up a firewall/IDS/Web Filter solution at work. I'm not trained in networking so a lot of this is through trial and error.
I've used pfSense in the past on my home network; nothing this advanced though, good practice I guess.
The goal is to not have any configuration done on client computers and act transparently.I've been experimenting on this for a couple weeks now and I have something that is mostly working, but I have one big problem.
Squid seems to be inconsistent with how sites are able to be accessedSome sites will just time out, others will present me with a generic Squid error page that just says "access denied".
In the logs, I see TCP_MISS/200 or TCP_MISS/500 on the sites that I can't access.
Sites I can access will give either TCP_TUNNEL/200, TAG_NONE/200, or TAG_NONE/409We use ebay to sell items that we receive and work on, and most of the TCP_MISS/200 messages come when accessing an ebay IP address (for its API). This will happen just by clicking the "My Ebay" link primarily. Other sites that are affected are ones such as digitally imported, the current, even cppreference and particular downloads from Github.
Caching is pretty much disabled with HDD size set to 0, system set to null, and max of 0 object size. Memory cache is 1M with a max of 0 object size.
as an aside, I've tried setting "cache deny all" in the advanced options area (both custom options before and after auth) for squid, but it doesn't write to squid.confAt the moment, Squidguard is only configured to block porn, drugs, hacking, and spyware. Everything else is not set with the default rule for allow.
My blocked access page is currently on a server that is hosted on the internal network, but I'm debating moving that into sgerror.php (so that I can send email alerts when pages are blocked)If I turn off squid completely, all of the pages I have problems on suddenly work. This tells me that I probably configured something incorrectly.
I have attached a copy of squid.conf (scp'd from /usr/local/etc/squid/squid.conf) for review in case I've actually screwed up the configuration.
Our network is something similar to below:
modem (provisions us some static IP addresses, most of which go to external servers we host) -> Cisco 2800 (Gateway + VPN to second site) -> Network (AD handles DNS and DHCP)I'm looking to change it so that it is something similar to:
modem -> Cisco 2800 -> pfSense (firewall/IDS/filter only) -> Network.For testing, it is configured such as this:
modem -> Cisco 2800 -> Network -> pfSense -> My Office
Here's some information about my configuration
All of these IP addresses are in a /24 subnetGW: 10.80.200.1 static
AD: 10.80.200.4 static
WAN: 10.80.200.3 static
LAN: 10.80.200.8 static dhcp and dns off- I know this configuration is not supported, but I will elaborate on this further below
PC: 10.80.200.78 GW: 10.80.200.8 to send the traffic through the firewallFirewall rules:
WAN:-
10.90.200.0/24 (second site) allow all to any destination
-
10.80.200.0/24 allow all to any destination - This one might not be needed, but this is just to allow communication from the
LAN:
-
allow all to 10.80.200.0/24 - Also might not be needed, but here to allow access to the rest of the LAN
-
allow all to 10.90.200.0/24
I will also probably need another rule on the LAN interface to block direct access to the gateway
I've created a trusted root certificate and installed it on my computer (this will be handled through AD's Group Policy when we deploy)
With this trusted root, Squid is now able to MITM the SSL traffic (splice all) on the network (so that squidguard can do url filtering by category)
However, since this is supposed to be as transparent as possible (due to boss's orders), I followed guides to setup pfSense in bridged mode.
Shortly after doing this, transparent squid does not work (as I later found, it appears to have been broken for quite some time). I have not tried the WPAD configuration method yet.
Experimenting with the console, I found that I was able to assign IP addresses in the same subnet to both the WAN and LAN interfaces (the WebUI explicitly does not allow this)
If I understand correctly, this appears to make pfSense act as if the interface was still bridged.I can leave my computer in DHCP mode and simply plug it into the pfSense box to get an IP address from the AD server (on the WAN side, but after "go live", will be on LAN side).
If I configure my computer to use 10.80.200.8 (LAN interface) as the gateway, squidguard appears to be doing its job, blocking sites and such, but then I hit the squid problem that I described above.Any help would be greatly appreciated.
Thanks,
~c0de
squid.conf.txt -