Netgate Discussion Forum
    Squid filtering with MAC addresses

    pfSense Packages
    11 Posts 6 Posters 17.6k Views
    Maxamoto

      Hello all. I am using the Squid package to supply a transparent proxy for a single subnet. pfSense is the firewall/router, supplying packet filtering and NAT services for a very small home network. On said network is a Cisco Aironet WAP that, for personal reasons, I wish to leave open. What I am trying to do is have Squid intercept HTTP requests from unknown clients and redirect them to a customized Squid error message. The custom options I have added to squid.conf are as follows:

      acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
      http_access allow allowed_clients
      

      The ACL above contains the MAC addresses of known clients. I have heavily modified the original ERR_ACCESS_DENIED with a custom error, but for some reason this is not working, and all users, whether in the ACL or not, are allowed on the Internet. I also have ad filtering rules in the custom options, so for simplicity I will post the squid.conf as pfSense sees it. I do not modify this directly!

      # Do not edit manually !
      http_port 10.0.0.1:3128
      http_port 127.0.0.1:3128 transparent
      icp_port 0
      
      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_directory /usr/local/etc/squid/errors/English
      icon_directory /usr/local/etc/squid/icons
      visible_hostname firewall
      cache_mgr fifth-element.lan
      access_log /dev/null
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  10.0.0.0/255.255.0.0
      forwarded_for off
      via off
      uri_whitespace strip
      
      cache_mem 256 MB
      maximum_object_size_in_memory 32 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir ufs /var/squid/cache 10240 16 256
      minimum_object_size 0 KB
      maximum_object_size 1048576 KB
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      
      # No redirector configured
      
      # Setup some default acls
      acl all src 0.0.0.0/0.0.0.0
      acl localhost src 127.0.0.1/255.255.255.255
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
      acl sslports port 443 563
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT
      acl dynamic urlpath_regex cgi-bin \?
      acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
      cache deny dynamic
      http_access allow manager localhost
      
      # Allow external cache managers
      acl ext_manager_1 src 10.0.0.1
      http_access allow manager ext_manager_1
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      http_access allow localhost
      
      request_body_max_size 0 KB
      reply_body_max_size 0 deny all
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow all
      
      # Custom options
      acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
      http_access allow allowed_clients
      deny_info http://10.0.0.1/4x4.gif blacklist
      # Block access to blacklist domains
      http_access deny blacklist
      # Setup allowed acls
      # Allow local network(s) on interface(s)
      http_access allow localnet
      # Default block all to be sure
      http_access deny all
      
      

      Am I missing something? Standing by with a face-palm…

      Nachtfalke

        Hi,

        if I understand you correctly, you are going to block clients by their MAC address with Squid?
        As far as I know Squid can only handle IPs. So your ACL should contain IPs and not MAC addresses.

        Metu69salemi

          Captive portal would do the job; it has MAC-list filtering capability.

          Maxamoto

            @Nachtfalke:

            Hi,

            if I understand you correctly, you are going to block clients by their MAC address with Squid?
            As far as I know Squid can only handle IPs. So your ACL should contain IPs and not MAC addresses.

            Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

            	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
            	  # The arp ACL requires the special configure option --enable-arp-acl.
            	  # Furthermore, the ARP ACL code is not portable to all operating systems.
            	  # It works on Linux, Solaris, Windows, FreeBSD, and some
            	  # other *BSD variants.
            	  # [fast]
            	  #
            	  # NOTE: Squid can only determine the MAC address for clients that are on
            	  # the same subnet. If the client is on a different subnet,
            	  # then Squid cannot find out its MAC address.
            
            

            As far as the captive portal goes, sorta overkill for what I'm trying to do. Thanks for the info, though.

            Nachtfalke

              @Maxamoto:

              Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

              	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
              	  # The arp ACL requires the special configure option --enable-arp-acl.
              	  # Furthermore, the ARP ACL code is not portable to all operating systems.
              	  # It works on Linux, Solaris, Windows, FreeBSD, and some
              	  # other *BSD variants.
              	  # [fast]
              	  #
              	  # NOTE: Squid can only determine the MAC address for clients that are on
              	  # the same subnet. If the client is on a different subnet,
              	  # then Squid cannot find out its MAC address.

              As far as the captive portal goes, sorta overkill for what I'm trying to do. Thanks for the info, though.

              Hi,

              thanks for your reply and this really good information about MAC addresses in Squid!

              Did you check if the ACL you created has the correct rights so Squid could read the file?

              I found this on the net:

              To use ARP (MAC) access controls, you first need to compile in the optional code.
              Do this with the --enable-arp-acl configure option:
              % ./configure --enable-arp-acl ...
              % make clean
              % make
              

              Not sure if the package is compiled this way - or did you do that for your Squid installation?

              Maxamoto

                Yeah, the ACL is what I'm wondering about. I can't add it directly to squid.conf, as it gets rewritten after a reboot, but I am adding it to the custom options box like so:

                # Custom options
                acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
                http_access allow allowed_clients
                deny_info http://10.0.0.1/4x4.gif blacklist
                # Block access to blacklist domains
                http_access deny blacklist
                

                The allowed_clients.acl file contains the MAC addresses of allowed clients, obviously. I know it works, because the ads were getting my custom error, whereas before they were being stripped entirely from the pages. It's clearly being bungled by me somehow. I'm just trying to figure out the proper formatting to accomplish this.

                Cino

                  Has anyone been able to get this to work? I tried it and it didn't work for me either. I even set it up so the default allow-subnet rule would be at the end of the conf file, with no luck.

                  marcelloc

                    MAC filtering will only work on the same network segment Squid is listening on.

                    Elite Training: http://sys-squad.com

                    Help a community developer! ;D

                    Cino

                      @marcelloc:

                      MAC filtering will only work on the same network segment Squid is listening on.

                      When I tested it this morning, they were both on the same subnet

                      rootlurker

                        Hi,

                        What's the format of your MAC ACL in your "allowed_clients.acl"?

                        It is supposed to be: your allowed_clients.acl contains

                        acl <name1> arp <mac1>
                        acl <name2> arp <mac2>
                        http_access allow <name1>
                        http_access allow <name2>

                        and you put it in your squid.conf before the line "http_access deny all" as:

                        include "/path/to/allowed_clients.acl"

                        Thanks

                        Cino

                          I did it this way:

                          acl disallowed_clients arp "/var/squid/acl/allowed_clients.acl"
                          http_access deny disallowed_clients

                          then my ACL had my MACs as XX:XX:XX:XX:XX:XX

                          I want to use it to deny certain boxes from using the internet/proxy.

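The following is an added example, not code from this thread or from Squid. It models how Squid evaluates http_access lines (top to bottom, the first line whose terms all match decides; a leading `!` inverts a term) and runs three constructed rule orders through that model: the order in the squid.conf posted at the top of the thread, a fail-closed allow-list, and the deny-list approach from the last post. The ARP table, MAC addresses, client IPs and the `ads.example` blacklist entry are made up, and the MACs are written inline instead of being read from an ACL file.

```python
"""Model of Squid http_access evaluation: lines are checked top to bottom and the
first line whose ACL terms all match decides. Constructed illustration, not Squid."""
import ipaddress

# Constructed ARP table as Squid would see it for hosts on its own L2 segment.
# A client reached through another router has no entry (the "different subnet"
# caveat in the arp ACL documentation), so an arp ACL can never match it.
ARP_TABLE = {
    "10.0.0.20": "00:11:22:33:44:55",  # on the allow-list below
    "10.0.0.21": "66:77:88:99:aa:bb",  # same segment, not on the list
}

def parse_config(text):
    """Collect 'acl' and 'http_access' lines; other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            action, *terms = parts[1:]
            rules.append((action, terms))
    return acls, rules

def acl_matches(acl, request):
    """Evaluate one ACL against a request for the three ACL types used here."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "arp":
        mac = ARP_TABLE.get(request["src"])  # None when the client is off-link
        return mac is not None and mac.lower() in {v.lower() for v in values}
    if kind == "dstdomain":
        host = request["host"]
        return any(host == v or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def evaluate(acls, rules, request):
    """First matching http_access line wins; every term on the line must match,
    and a leading '!' inverts a term."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], request) != t.startswith("!")
               for t in terms):
            return action
    # Squid's fallback when nothing matches: the opposite of the last line.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def decide(config_text, src, host):
    acls, rules = parse_config(config_text)
    return evaluate(acls, rules, {"src": src, "host": host})

ACLS = """
acl localnet src 10.0.0.0/255.255.0.0
acl all src 0.0.0.0/0.0.0.0
acl allowed_clients arp 00:11:22:33:44:55
acl blocked_clients arp 66:77:88:99:aa:bb
acl blacklist dstdomain ads.example
"""

# Rule order from the posted squid.conf: the arp allow is followed by a blanket
# allow for the subnet, so an unlisted MAC is still let through by 'localnet'.
AS_POSTED = ACLS + """
http_access allow allowed_clients
http_access deny blacklist
http_access allow localnet
http_access deny all
"""

# Fail-closed allow-list: refuse anyone whose MAC is not listed before the
# subnet allow is reached. Off-link clients (no ARP entry) are refused too.
ALLOW_LIST = ACLS + """
http_access deny !allowed_clients
http_access deny blacklist
http_access allow localnet
http_access deny all
"""

# Deny-list variant from the last post: listed MACs are blocked, everyone
# else on the subnet keeps access, including off-link clients.
DENY_LIST = ACLS + """
http_access deny blocked_clients
http_access deny blacklist
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("allow-list", ALLOW_LIST), ("deny-list", DENY_LIST)):
        for src in ("10.0.0.20", "10.0.0.21", "10.0.5.9"):
            print(f"{label:10} {src:10} example.com -> {decide(cfg, src, 'example.com')}")
        print(f"{label:10} 10.0.0.20  ads.example -> {decide(cfg, '10.0.0.20', 'ads.example')}")
```

Running it shows why the posted order lets every host on 10.0.0.0/16 through: for any MAC not on the list the request falls down to `http_access allow localnet`, and a listed client never reaches `http_access deny blacklist` at all because `http_access allow allowed_clients` matches first. Placing `http_access deny !allowed_clients` ahead of the subnet allow refuses unlisted and off-link clients alike, since a client with no ARP entry cannot match the arp ACL (this is what the Squid note about different subnets means in practice); a deny-list of MACs fails open for the same reason. Two checks on the firewall itself: `squid -v` prints the configure options the package was built with, so it shows whether `--enable-arp-acl` (called `--enable-eui` in newer Squid releases) is present, and `squid -k parse` reports syntax problems in the generated squid.conf. Either way, a MAC address is a value any client can set, so an arp ACL only keeps out devices that are not trying to get in; it is not authentication.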
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.