Looking for information from some of you experts…
We're setting up a "bad monkey" network for our school district here. We run pfSense as our gateway firewall; everything goes through it, incoming and outgoing. Our bad monkey network is on a separate VLAN which currently has no access to anything internal. We use Squid + DansGuardian with filtering based on AD groups, and when we have people using the "bad monkey" network, we need them to hit our proxy server in order to get to the internet. Anyone have any ideas on how we should go about doing this? Just to recap…
Squid + Dansguardian Proxy server ip:8080
PFSense gateway firewall
Segregated VLAN with no internal access, but we would change this to allow access to our proxy server only?
Anyone connecting to VLAN 254 and accessing the web MUST use the proxy, or they don't get out, period. I think we're overthinking this; it seems like it should be so simple.
It's actually quite simple, and you've already done 99% of the work. Push a GPO to all clients in that subnet to enforce the proxy settings (this will allow you to filter HTTPS as well as HTTP, since HTTPS cannot be transparently proxied). Then, on that pfSense interface, create a rule that allows traffic to the proxy and, below that, create a default deny rule that blocks all other outbound traffic. This setup assumes that your clients in that VLAN are getting DNS from somewhere inside your network. Depending on your policy, you may want to make an alias that covers all your internal networks and create a rule above the default deny rule which allows computers in the restricted VLAN to access other devices inside your network.
Hope this helps.
The problem is, because this is a public network, we're going to have devices not bound to our domain but still getting DHCP leases. GPO won't affect them? Or am I mistaken?
No, you're correct; maybe I didn't catch that in your initial explanation. The way to attack this problem depends on your site policy. If all machines in that VLAN must be filtered, everything I said still applies, although you'll probably want to put together some resource to explain to users that they must use proxy settings in order to surf past your network. There are some possible modifications to the Captive Portal which might help in this regard (scripts to configure proxy settings, etc.). Without understanding your specific site requirements, it would be difficult to give a more specific answer.
Yeah, I guess this is the best way… So, I'll block all traffic from the segregated VLAN and only allow traffic to the Squid/DG box. Then write up documents/posters or something with the proxy setting information.
If you haven't already seen this, it will probably be very helpful to you. http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
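Since the WPAD article linked above is about handing clients a proxy auto-config (PAC) script rather than relying on GPO, here is an added example of what such a wpad.dat could look like for this setup. It is not from the thread or from the pfSense documentation; the proxy address 10.10.1.5:8080, the AD suffix ad.school.example and the VLAN 254 range 192.168.254.0/24 are assumptions standing in for the poster's actual values. The helper functions at the top stand in for the PAC built-ins (isInNet, dnsDomainIs, isPlainHostName) so the file runs unchanged under Node for testing, and the script deliberately does no DNS lookups, so a browser never blocks on a resolver while evaluating it. It sticks to old-style `var` and plain functions because PAC engines in older browsers do not understand newer JavaScript syntax.

```javascript
// wpad.dat for the restricted VLAN: added example, not from the thread or the pfSense docs.
// Browsers call FindProxyForURL(url, host) for every request and act on the returned string.
// Assumed values (replace with your own):
var PROXY = "PROXY 10.10.1.5:8080";           // assumed Squid + DansGuardian box
var DIRECT = "DIRECT";
var INTERNAL_SUFFIX = ".ad.school.example";   // assumed internal AD DNS suffix
var VLAN_NET = "192.168.254.0";               // assumed VLAN 254 address range
var VLAN_MASK = "255.255.255.0";

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or -1 if it is not one.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isIpLiteral(host) {
  return ipToInt(host) !== -1;
}

// Equivalent of the PAC built-in isInNet() for IP literals only (no DNS resolution).
function isInSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  // >>> 0 keeps the comparison unsigned; & alone would go negative above 2^31.
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Equivalent of isPlainHostName(): no dot means an unqualified local name such as "intranet".
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// Equivalent of dnsDomainIs(): does host end with the given suffix?
function hasSuffix(host, suffix) {
  return host.length >= suffix.length && host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and the internal AD domain are not sent to the proxy.
  // Whether they are reachable at all is decided by the pfSense rules, not here.
  if (isPlainHost(host) || hasSuffix(host, INTERNAL_SUFFIX)) return DIRECT;

  // Loopback and the VLAN's own subnet (pfSense gateway, WPAD host) stay local too.
  if (isIpLiteral(host)) {
    if (isInSubnet(host, "127.0.0.0", "255.0.0.0")) return DIRECT;
    if (isInSubnet(host, VLAN_NET, VLAN_MASK)) return DIRECT;
  }

  // Everything else, http:// and https:// alike, goes through the filtering proxy.
  // For https:// URLs the browser sends a CONNECT to Squid, so the proxy still sees the host.
  return PROXY;
}
```

Serve the file as /wpad.dat with Content-Type application/x-ns-proxy-autoconfig and advertise it through DHCP option 252 and/or a wpad host record in the DNS the VLAN clients use. Two things worth keeping in mind: the script returning DIRECT grants nothing by itself, because the pfSense rules on the VLAN interface still decide what gets through, so any DIRECT destination must match an allow rule above the default deny. And do not append a "; DIRECT" fallback after the proxy entry: with a default-deny rule on the interface, it only turns a proxy outage into a slow, flaky-looking network instead of a clear failure.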