Correct way to block certain LAN IP addresses from certain websites?



  • What is the correct way to block certain LAN IP addresses from connecting to certain websites?

    Basically I want to restrict YouTube access (for example) to only a couple of IP addresses on the LAN, since people use it for music/videos a lot and bandwidth gets hogged very quickly.

    I have done a fair amount of research and the most flexible and robust solution I could find was to use Squid and SquidGuard and basically use ACLs for different IP addresses and block using the target categories. However, this caused a few things which I don't like:

    1. Traffic in the firewall log and rules is no longer attributed to the originating IP. It appears to originate from the firewall's IP instead, which means it's harder to know, for example, which machine may be compromised if I see a Snort alert / pfBlocker blocked IP. Not only that, the proxy appears to bypass block rules that I set on the LAN (maybe because the traffic is never considered outgoing from the LAN when it's on the localhost (firewall + Squid?); I can't explain it).

    2. Since HTTPS is basically the norm, content filtering is not doable except on the requested domain without doing man-in-the-middle, which I don't want to do.

    3. I can't really prevent other applications on users' systems using the proxy, which means tracking unwanted/malicious traffic is harder if it also uses the proxy. Also it bypasses at least the LAN rules (see point 1).

    4. I set up WPAD and DHCP auto proxy discovery but it only works on some Windows machines with some browsers, and doesn't work with Mac at all, which I have to set manually. I also had to switch the admin GUI to HTTP instead of HTTPS in order to be able to serve the WPAD file.

    So my questions are: is there any simpler option with which I can still block an entire domain on a per-LAN-IP basis without the downsides I listed? Am I possibly doing something wrong? What is the best practice for the use case I am describing?

    Clearly IP-based firewall rules won't work since YouTube (for example) shares IPs with Google in general.

    pfBlockerNG can do a Custom Domain Name Block List under DNSBL feeds which seems to work in theory, except I'm not sure I can block on a per-IP basis here?

    Thanks for your help
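    The "ACLs for different IP addresses" approach the poster describes, written out as an added squid.conf example (not configuration from the thread or from pfSense; the client addresses, subnet and domain list are placeholders chosen for illustration). The point it shows is that the per-client exception is just a second src ACL combined with the dstdomain ACL in one deny line, and that dstdomain needs only the requested host name, which an explicit proxy sees in the CONNECT request even for HTTPS, so no man-in-the-middle is needed (an intercepting proxy would need ssl_bump peek/splice to read the SNI instead):

    ```conf
    # Added example, not part of the original post.
    # Placeholders: adjust the LAN subnet and the two allowed clients.

    # Clients that keep full YouTube access
    acl youtube_allowed src 192.168.1.10 192.168.1.11

    # The LAN that is otherwise permitted to use the proxy
    acl localnet src 192.168.1.0/24

    # Target domains. A leading dot matches the domain and all subdomains.
    # For explicit-proxy HTTPS this is matched against the CONNECT host.
    acl youtube dstdomain .youtube.com .googlevideo.com .ytimg.com

    # http_access is evaluated top to bottom, first match wins, so the
    # deny must come before the general allow. "!youtube_allowed" is the
    # per-IP exception: the rule matches only when the client is NOT
    # in the allowed list.
    http_access deny youtube !youtube_allowed

    # Everyone on the LAN may use the proxy for everything else
    http_access allow localnet

    # Default deny for anything that did not match above
    http_access deny all
    ```

    One caveat worth keeping in mind with this layout: the connections Squid opens are sourced from the firewall itself, so interface rules written for traffic entering the LAN interface never see them. A restriction that must also hold for proxied traffic (such as a country block) has to be applied where the firewall's own outbound traffic is filtered, not on the LAN interface.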



  • pfSense
    Squid with user authentication 
    SquidGuard with the Shallalist
    pfBlockerNG & DNSBL & TLD

    should be running out of the box, because you are able to set up for any user a name and MAC/IP address binding
    for each device of that user too! So it is really fast done, if we are not talking about 1000 users here.



  • You could use the ASN and block it with a simple firewall rule to a LAN alias, or
    YouTube Video



  • When it comes to controlling HTTP flow, an HTTP proxy is the correct approach.
    If the goal is to control this "per user", then this means authentication, which implies an explicit proxy (i.e. not transparent).
    As you already noticed, WPAD doesn't work on all devices by default, but this doesn't change the above logic; it just makes proxy deployment slightly more painful.



  • Thank you for the replies. It looks like the consensus is to use Squid authentication and SquidGuard. My question is: is there any way to make it not bypass the outgoing LAN rules? Must I apply the rules to the WAN in order to get Squid-based traffic to obey rules? For example, I have a country block on outgoing LAN for a country we had an attack from, so most devices cannot contact it directly; however, Squid bypasses this rule?

    Thanks!



  • @BlueKobold:

    pfSense
    Squid with user authentication 
    SquidGuard with the Shallalist
    pfBlockerNG & DNSBL & TLD

    should be running out of the box, because you are able to set up for any user a name and MAC/IP address binding
    for each device of that user too! So it is really fast done, if we are not talking about 1000 users here.

    For this, did you mean [pfBlockerNG & DNSBL & TLD] as an alternative to [Squid w/auth + SquidGuard]? Or do you mean to use them together; if so, how?

    Thanks!



  • My question is: is there any way to make it not bypass the outgoing LAN rules?

    What rules do you need here?? Squid only cares about HTTP/HTTPS. If you want to block certain users from certain sites, use SquidGuard instead of trying to hack together firewall rules to block endpoints from the LAN.



  • @KOM:

    My question is: is there any way to make it not bypass the outgoing LAN rules?

    What rules do you need here?? Squid only cares about HTTP/HTTPS. If you want to block certain users from certain sites, use SquidGuard instead of trying to hack together firewall rules to block endpoints from the LAN.

    That's not what I mean. I have basically everything denied on the WAN. I have mostly allowed on the LAN, with the exception of, for example, a block on outbound connections to Russia from the LAN (based on a pfBlockerNG country IP block alias). When a user uses Squid, it bypasses the LAN rule I just mentioned and they can still connect to machines in Russia. I may just not be doing something right.



  • Squid is not geo-aware.  I don't use pfBlocker but it does have a geo database so you will have to figure out a solution using pfBlocker.



  • @KOM:

    Squid is not geo-aware.  I don't use pfBlocker but it does have a geo database so you will have to figure out a solution using pfBlocker.

    I don't need it to be. I just want it to obey the LAN rules, which it doesn't. LAN rules are simply bypassed by anything going through Squid.

