[SOLVED] Wireless AP is not filtered by Squid/SquidGuard/HAVP (D-Link -> OPT1)

  • Hi,
    I'm confused about how to set up my OPT1 interface to be filtered by squid+squidguard like the LAN interface is.
    After some work, I put a D-Link DWL-7100 AP connected to OPT1 ( em1: Intel(R) PRO/1000 Network Connection 6.9.6 ) w/ captive portal and all is working fine, but none of its traffic is handled by squid ( it bypasses the rules ).
    On the other hand, all traffic from the LAN interface is OK and squid+squidguard+havp do the job very well.
    What's wrong? Firewall rules?
    This is my current pfSense configuration:

    Distro Name: pfSense-1.2.3-RELEASE-LiveCD-Installer ( installed to hdd )

    D-Link DWL-7100AP
    Ethernet Get IP From: Manual
    IP address:
    Subnet Mask:
    Wireless (802.11g)
    SSID: ertcp-mbv
    Channel: 6
    Super Mode:Disabled
    Rate: Auto
    Security Level: WPA / Encryption Enabled


    OPT1 ( Interface to connect D-Link )
    Enable Optional 1 interface: checked ( of course  :) )

    General configuration
    Type: static

    IP configuration
    Bridge with: none
    IP address: /24
    Gateway:  ( blank )

    Firewall: Rules
    Action: pass
    Interface: OPT1
    Protocol: Any
    Source: OPT1 Subnet
    Destination: any
    Log packets that are handled by this rule ( checked )
    Gateway: default
    Description: OPT1 subnet

    Proxy server: General settings
    Proxy interface: LAN and OPT1 (both selected)
    Allow users on interface: checked
    Transparent proxy: not checked ( working w/ HAVP )
    Enabled logging: checked
    Proxy port: 3128
    What to do with requests that have whitespace characters in the URI: strip

    All the other tabs were left at their defaults

    Proxy filter SquidGuard: General settings Tab
    Enable: checked
    Blacklist: checked
    Blacklist URL: /tmp/shallalist.tar.gz

    Default Tab:
    Destination ruleset: configured (ACCESS: 'white' - always pass; 'deny' - block; 'allow' - pass, if not blocked.)
    Not to allow IP addresses in URL: checked
    Redirect info: http://www.google.com/tisp/notfound.html
    Enable log: checked

    All the other tabs were left at their defaults

    # Do not edit manually !

    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)

    acl localnet src
    httpd_suppress_version_string on
    uri_whitespace strip

    cache_mem 100 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /var/squid/cache 3000 16 256
    minimum_object_size 0 KB
    maximum_object_size 512000 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95

    # No redirector configured

    # Setup some default acls

    acl all src
    acl localhost src
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 443 3128 1025-65535
    acl sslports port 443 563 443
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin ?
    cache deny dynamic
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all

    # Allow local network(s) on interface(s)

    http_access allow localnet

    # Custom options

    refresh_pattern windowsupdate.com/.*.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern download.microsoft.com/.*.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern au.download.windowsupdate.com/.*.(cab|exe) 4320 100% 43200 reload-into-ims
    range_offset_limit -1

    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    redirector_bypass on
    redirect_children 3

    # Default block all to be sure

    http_access deny all

    After 3 days looking for any clue on this forum, the net, and blogs, I really need your help.
    Thanks in advance


    Sorry for this mess.
    I forgot to enable the OPT1 interface in the HAVP settings  :-[
    All is working like a charm!!
    I'll just leave my config here to help others.
    I love pfSense :)

    Thank you
