Direct access to (Lusca) port 3128 allows guests to bypass my Captive Portal.



  • As my thread title says. I've been having this problem for a day or so. Well, I'm planning to deploy my setup using a WiFi AP. I'm using a VMware setup, 1 physical NIC and a virtual NIC. I have made a guest OS in a VM to test if my caching proxy server setup is working (Transparent Mode & DNS Forwarder are enabled). Well, it's working as it should, but I'm really worried about my guests bypassing my CP. I know for a fact that you can change the browser proxy settings in a few clicks, and I do also consider that maybe someone knowledgeable would do such a thing. Then surely it'll spoil my deployment. Anyone? Ideas?

    PS: I'm not that new to networking but I do know that I must ask someone that knows enough in this field to figure something out. And try to enlighten me. Thanks!



  • Known issue. Block direct access to port 3128 on your LAN.



  • Finally! It made sense to me now. Thanks!



  • But when I block access to port 3128, does this mean that I will not be using Squid as a cache for my network?



  • @ahfaris:

    But when I block access to port 3128, does this mean that I will not be using Squid as a cache for my network?

    Only if every client computer is configured to use the squidhost:3128 config in their browser, then this won't work. If you are using squid in transparent mode it doesn't make any difference, unless you're also running a captive portal as per the original post.



  • So blocking direct access to 3128 from LAN on a Squid (transparent) + CP system solves the issue, right?



  • Hey Des,
    You are right. I'm using it right now. I don't feel too secure with my Proxy Port (3128) being available to the public (I'm w/ a WiFi deployment). So I want to block direct connections to it so that the DNS Forwarder service will kick in and land them right on my Captive Portal Auth Page.

