Netgate Discussion Forum

Proxy-ip:port bypass captive portal

Captive Portal
12 Posts 6 Posters 12.2k Views
  • W
    woni
    last edited by Feb 5, 2013, 2:09 PM

    Hello,
    if I configure 192.168.1.1:3128 in my browser, the CP will be bypassed and I have free access to the internet.
    I have two LAN adapters in my PC. One is directly connected to a WAN router, the other is connected over pfSense.
    Because I only want to go over pfSense, I have configured my browser to use the proxy.
    On pfSense I have installed squid, squidguard and havp in transparent mode.
    Don't ask me why I must have this configuration on my pc. It is very important for me.

    My issue is to configure the proxy in the browser, use the captive portal and have logs from squid.

    Any idea?

    • M
      mop
      last edited by Feb 9, 2013, 11:55 PM

      Hi!

      Basically I face the same problem.

      I installed pfSense with captive portal and squid on two many-users, low-bandwidth sites.

      After advertising the proxy via DNS/DHCP I had to realise that this renders CP useless:
      as soon as you have the proxy, CP is bypassed.

      Due to the low bandwidth and the legal situation I need to have CP and squid cooperating.

      Up to now I see no solution, any help would be highly appreciated.

      mop

      • E
        eri--
        last edited by Feb 10, 2013, 12:20 PM

        The support needs to be put into the squid package for it to get to know that CP is enabled.
        Probably with some outside authenticator.

        There are no plans among the pfSense devs to do this presently unless some customer pushes it.

        • M
          mop
          last edited by Feb 10, 2013, 1:15 PM

          Hi!

          In my case CP does authentication via RADIUS.

          Squid supports this too.

          But the transparent proxy won't support any authentication.

          It seems all I can do is

          • block proxy port for LAN interface
          • use transparent proxy only
          • drop DHCP and DNS advertising of proxy (useless, see "blocked port")

          Maybe some firewall guru might suggest a solution to me like

          CP authentication opens proxy port for this particular machine (?)

          mop

          • E
            eri--
            last edited by Feb 11, 2013, 8:37 AM

            Well, traffic to the firewall is allowed for any client.
            Even if it blocked squid your client could not do anything since it goes through a proxy anyway.

            As I told you, presently there are no plans to do this integration as of 2.1.

            • N
              Nachtfalke
              last edited by Feb 11, 2013, 1:00 PM

              Did you try with the squid3 package? It has some options to configure squid when CP is enabled.
              Squid2 package does not have that.

              • M
                marcelloc
                last edited by Feb 11, 2013, 1:47 PM Feb 11, 2013, 1:23 PM

                @Nachtfalke:

                Did you try with the squid3 package? It has some options to configure squid when CP is enabled.

                The steps are:

                • enable captive portal

                • enable squid3

                • select patch captive portal on squid and save config

                • go to the captive portal GUI and save config again

                This way, captive portal rules will forward squid connections to captive portal page if not authenticated.

                It works great with or without squid transparent proxy enabled including bandwidth restriction!

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                • E
                  eri--
                  last edited by Feb 11, 2013, 2:43 PM

                  Marcello, which patch is this?
                  Why has it not been sent for merge into mainline?

                  • M
                    marcelloc
                    last edited by Feb 11, 2013, 3:11 PM

                    @ermal:

                    Marcello, which patch is this?
                    Why has it not been sent for merge into mainline?

                    It's just a patch for the squid package to coexist with captive portal. I did not include a GUI option on captive portal to choose which ports captive portal should not allow local traffic on.

                    And the 2.0.x merge process accepts only fixes, not improvements…

                    If you want I can push it to 2.0.3 and 2.1, after some tests, of course.

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    • M
                      mop
                      last edited by Feb 13, 2013, 12:22 AM

                      @marcelloc:

                      @Nachtfalke:

                      Did you try with the squid3 package? It has some options to configure squid when CP is enabled.

                      The steps are:

                      • enable captive portal

                      • enable squid3

                      • select patch captive portal on squid and save config

                      • go to the captive portal GUI and save config again

                      This way, captive portal rules will forward squid connections to captive portal page if not authenticated.

                      It works great with or without squid transparent proxy enabled including bandwidth restriction!

                      Hi friends,

                      thanks a lot for this welcome suggestion.

                      Err… where do I find the patch?

                      I gave squid3 a try but 3 seems not to give HITs at all and I read some complaints in the forum.

                      So I took sq2.

                      Of course I would prefer to use sq3 because of its promised feature to cache dynamic content like facebook.
                      (to my big surprise facebook is 99% of all traffic)

                      So I will let you know my experience with the suggested solution.

                      m.

                      p.s. I would like to use this opportunity to say THANK YOU to Marcelloc and nachtfalke for
                      the radius support, which made my mysql "solution" work.

                      • M
                        marcelloc
                        last edited by Feb 13, 2013, 12:57 AM

                        The patch is an option on squid3 GUI. Just follow the steps.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        • C
                          clart
                          last edited by Apr 26, 2013, 10:56 PM

                          @marcelloc:

                          The steps are:

                          • enable captive portal

                          • enable squid3

                          • select patch captive portal on squid and save config

                          • go to the captive portal GUI and save config again

                          This way, captive portal rules will forward squid connections to captive portal page if not authenticated.

                          It works great with or without squid transparent proxy enabled including bandwidth restriction!

                          This is not working on the latest 2.1 snapshot, should it be?
                          I am accessing here (un-authenticated), bypassing the CP using the proxy IP and port set up in Firefox.

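Added example, not part of the thread and not code from pfSense or the squid packages: one way to check from Squid's native access.log whether clients without a captive portal session are being served by the proxy, which is the bypass the posts above describe. The session set, the sample log lines and the function name are constructed, and the CONNECT hint assumes the transparent proxy intercepts plain HTTP only.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1360072140.120     85 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1360072141.300    120 192.168.1.77 TCP_MISS/200 20480 GET http://example.org/a.js - DIRECT/192.0.2.11 application/javascript
1360072142.010   3050 192.168.1.77 TCP_MISS/200 9000 CONNECT mail.example.net:443 - DIRECT/192.0.2.12 -
1360072143.500      2 192.168.1.90 TCP_DENIED/403 1300 GET http://example.com/ - NONE/- text/html
garbage line that should be skipped
"""

# Assumption: client IPs with an active captive portal session, exported by the admin.
CP_SESSIONS = {"192.168.1.50"}

# Fields: time elapsed client action/status bytes method url ...
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def find_unauthenticated_clients(log_text, cp_sessions):
    """Summarise served proxy requests from clients without a portal session."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "explicit_proxy": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-native log line
        if m["client"] in cp_sessions or m["action"].endswith("DENIED"):
            continue  # authenticated client, or Squid refused the request
        entry = report[m["client"]]
        entry["requests"] += 1
        entry["bytes"] += int(m["size"])
        # CONNECT only reaches an HTTP-only intercepting proxy when the
        # browser was explicitly configured with the proxy IP:port.
        if m["method"] == "CONNECT":
            entry["explicit_proxy"] = True
    return dict(report)


if __name__ == "__main__":
    for ip, info in sorted(find_unauthenticated_clients(SAMPLE_LOG, CP_SESSIONS).items()):
        print(ip, info)
```

An empty result after enabling the squid3 captive portal option, or after blocking the proxy port on LAN, indicates the proxy is no longer serving clients that have not passed the portal.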
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.