[SOLVED] Wireless AP is not filtered by Squid/SquidGuard/HAVP (D-Link -> OPT1)



  • Hi,
    I'm confused about how to set up my OPT1 interface to be filtered by squid+squidguard like the LAN interface is.
    After some work, I connected a D-Link DWL-7100 AP to OPT1 ( em1: Intel(R) PRO/1000 Network Connection 6.9.6 ) w/ captive portal and all is working fine, but the traffic is not handled by squid ( it bypasses the rules ).
    On the other hand, all traffic from the LAN interface is ok and squid+squidguard+havp do the job very well.
    What's wrong? Firewall rules?
    This is my current pfsense configuration:

    Distro Name: pfSense-1.2.3-RELEASE-LiveCD-Installer ( installed to hdd )

    D-Link DWL-7100AP
    Ethernet Get IP From: Manual
    IP address:  192.168.5.2
    Subnet Mask: 255.255.255.0
    Gateway:  192.168.5.1
    Wireless (802.11g)
    SSID: ertcp-mbv
    Channel: 6
    Super Mode:Disabled
    Rate: Auto
    Security Level: WPA / Encryption Enabled

    ------------------------------------------------------------------------------

    OPT1 ( Interface to connect D-Link )
    Enable Optional 1 interface: checked ( of course  :) )

    General configuration
    Type: static

    IP configuration
    Bridge with: none
    IP address:  192.168.5.1 /24
    Gateway:  ( blank )

    Firewall: Rules
    Action: pass
    Interface: OPT1
    Protocol: Any
    Source: OPT1 Subnet
    Destination: any
    Log packets that are handled by this rule ( checked )
    Gateway: default
    Description: OPT1 subnet

    Proxy server: General settings
    Proxy interface: LAN and OPT1 (both selected)
    Allow users on interface: checked
    Transparent proxy: not checked ( working w/ HAVP )
    Enabled logging: checked
    Proxy port: 3128
    What to do with requests that have whitespace characters in the URI: strip

    All the remaining tabs were left as default


    Proxy filter SquidGuard: General settings Tab
    Enable: checked
    Blacklist: checked
    Blacklist URL: /tmp/shallalist.tar.gz

    Default Tab:
    Destination ruleset: configured (ACCESS: 'white' - always pass; 'deny' - block; 'allow' - pass, if not blocked.)
    Not to allow IP addresses in URL: checked
    Redirect info: http://www.google.com/tisp/notfound.html
    Enable log: checked

    All the remaining tabs were left as default
    Squid.conf

    # Do not edit manually !

    http_port 192.168.1.1:3128
    http_port 192.168.5.1:3128
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)

    acl localnet src  192.168.1.0/255.255.255.0 192.168.5.0/255.255.255.0
    httpd_suppress_version_string on
    uri_whitespace strip

    cache_mem 100 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /var/squid/cache 3000 16 256
    minimum_object_size 0 KB
    maximum_object_size 512000 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95

    # No redirector configured

    # Setup some default acls

    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 443 3128 1025-65535
    acl sslports port 443 563 443
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all

    # Allow local network(s) on interface(s)

    http_access allow localnet

    # Custom options

    refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    range_offset_limit -1

    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    redirector_bypass on
    redirect_children 3

    # Default block all to be sure

    http_access deny all

    After 3 days looking for any clue on this forum, the net and blogs, I really need your help.
    Thanks in advance

    SOLVED:

    Sorry for this mess.
    I forgot to enable OPT1 interface in HAVP settings  :-[
    All is working like a charm!!
    I'll just leave my config here to help others.
    I love pfSense :)

    Thank you


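A check that rules squid.conf in or out as the cause of the symptom described in the post, given here as an added example (not part of the original post or of pfSense): for each firewall interface it verifies that Squid has a listener on the interface address, that the interface subnet is in a source ACL granted by `http_access allow`, and that a redirector is configured. The function names `parse` and `audit` and the sample text are constructed for illustration; HAVP's own interface setting, which was the actual cause here, is outside what squid.conf shows.

```python
import ipaddress

# Constructed sample: the listener, ACL and redirector lines of the squid.conf in the post.
SAMPLE_CONF = """\
http_port 192.168.1.1:3128
http_port 192.168.5.1:3128
acl localnet src  192.168.1.0/255.255.255.0 192.168.5.0/255.255.255.0
http_access allow localnet
redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
http_access deny all
"""

def parse(conf):
    """Return (listener IPs, src ACLs by name, ACLs allowed on their own, redirector set)."""
    listeners, acls, allowed, redirector = set(), {}, set(), False
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "http_port" and ":" in tok[1]:
            listeners.add(ipaddress.ip_address(tok[1].rsplit(":", 1)[0]))
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] == "src":
            acls[tok[1]] = [ipaddress.ip_network(n, strict=False) for n in tok[3:]]
        elif tok[:2] == ["http_access", "allow"] and len(tok) == 3:
            allowed.add(tok[2])  # single-ACL allow rules only; ANDed rules are ignored
        elif tok[0] in ("redirect_program", "url_rewrite_program"):
            redirector = True
    return listeners, acls, allowed, redirector

def audit(conf, interfaces):
    """interfaces maps a name to the 'address/prefix' set on that firewall interface."""
    listeners, acls, allowed, redirector = parse(conf)
    report = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        report[name] = {
            "listener": iface.ip in listeners,
            "client_acl": any(iface.network.subnet_of(net)
                              for acl in allowed for net in acls.get(acl, [])),
            "redirector": redirector,
        }
    return report

if __name__ == "__main__":
    for name, checks in audit(SAMPLE_CONF, {"LAN": "192.168.1.1/24",
                                            "OPT1": "192.168.5.1/24"}).items():
        print(name, checks)
```

With the posted configuration every check passes for both LAN and OPT1, which points away from Squid and toward the next component in the chain. Because Transparent proxy is unchecked and the OPT1 firewall rule passes any protocol to any destination, a clean result only shows that the proxy is reachable from OPT1, not that clients are forced through it.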