Forcing Clients to Use Squid to establish an internet connection



  • Hi Guys. I set up a non-transparent proxy so that I will be able to force all clients on my network to use my proxy server. I also set up WPAD and PAC to point them to my proxy server IP address and port. The problem is that when "auto detect proxy settings" is disabled in the clients' browsers, they can still bypass my proxy server. I tried blocking them in my LAN rules (source internal clients, port http/https, destination WAN address), but doing this also blocks my entire setup, regardless of disabling the auto detect setting in the browsers. Please give me advice. Thanks in advance!



  • @ipis:

    Hi Guys. I set up a non-transparent proxy so that I will be able to force all clients on my network to use my proxy server. I also set up WPAD and PAC to point them to my proxy server IP address and port. The problem is that when "auto detect proxy settings" is disabled in the clients' browsers, they can still bypass my proxy server. I tried blocking them in my LAN rules (source internal clients, port http/https, destination WAN address), but doing this also blocks my entire setup, regardless of disabling the auto detect setting in the browsers. Please give me advice. Thanks in advance!

    You should block LAN -> any address, port 80, with source not the pfSense box address.



  • Yes, you must block
    destination IP: any
    destination ports: 80,443
    source-ip: any
    source-port: any

    This should work. Your mistake seems to be that your destination address was your "WAN address".



  • Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443 - Destination Any, port 80/443, and also allowed the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks



  • @ipis:

    Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443 - Destination Any, port 80/443, and also allowed the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks

    Do not specify a port on the source - only the destination. Also, you can do this all in one rule…

    block Source=192.168.5.0/24 destination ANY, NOT 192.168.5.1, port 80/443

    See attached for my rule...

    ![Screenshot from 2013-10-12 08:46:44.png](/public/imported_attachments/1/Screenshot from 2013-10-12 08:46:44.png)



  • @ipis:

    Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443 - Destination Any, port 80/443, and also allowed the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks

    Your allow-proxy rule seems to be wrong: the allowed proxy port must be the port used by the proxy (default 3128), not 80/443.

    And if you share your wpad/pac file content, more help could be available; your wpad/pac file may be wrong too.



  • Hi thanks for the reply. I will try that :)



  • Hi. I managed to block direct access. But the problem is that my WPAD and PAC configuration does not seem to be working. My internet only works when I point their browser settings manually to the squid address. Is it true that using WPAD and PAC will not block certain https websites? Some forums claim that it can block certain https sites. By the way, this is my PAC configuration:

    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.5.1:3128";
    }



  • @ipis:

    Hi. I managed to block direct access. But the problem is that my WPAD and PAC configuration does not seem to be working. My internet only works when I point their browser settings manually to the squid address. Is it true that using WPAD and PAC will not block certain https websites? Some forums claim that it can block certain https sites. By the way, this is my PAC configuration:

    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.5.1:3128";
    }

    Your WPAD and PAC file does not do anything to block websites. It is simply a file that the browser will use to figure out which proxy it should send requests to. If your browser gets to the internet when you configure the proxy directly, but doesn't work when you turn on proxy auto config, then something is probably wrong with your wpad/pac setup.



  • Your wpad configuration seems right; do not forget to configure the browser to detect it automatically (it is set by default in IE and Chrome, but you must set the second option from the top in Firefox).

    The wpad/pac file is not enough on its own; you should configure dhcpd and dns as described here:

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    When you get it working, while in non-transparent proxy mode, all your connection requests including HTTPS will be forwarded to the proxy as well, and you will see HTTPS connections as CONNECT (not POST or GET) in the squid access log. So you will be able to block HTTPS domains with squid and squidguard.
    e.g. https://facebook.com can be blocked, but you cannot allow https://facebook.com and block https://www.facebook.com/appcenter/category/games/?platform=web at the same time
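As an added example (not from any poster in this thread), here is a PAC file that sends everything to the Squid proxy discussed above (192.168.5.1:3128) but keeps LAN traffic DIRECT, so the LAN block rule does not cut clients off from internal hosts such as the pfSense web UI. Browsers supply isPlainHostName/isInNet/dnsDomainIs themselves; the stand-in helpers here exist only so the file can be evaluated offline, and the internal domain ".lan.example" is an assumption.

```javascript
// PAC logic for the setup in this thread: proxy 192.168.5.1:3128, LAN 192.168.5.0/24.
// Serve it as wpad.dat with MIME type application/x-ns-proxy-autoconfig.
const PROXY = "PROXY 192.168.5.1:3128";

// --- stand-ins for the browser-provided PAC helpers (offline evaluation only) ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function ipToInt(ip) {
  // dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  // Real browsers resolve hostnames here; this stand-in accepts literal IPv4 only.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// --- the actual PAC entry point ---
function FindProxyForURL(url, host) {
  // Internal destinations bypass the proxy; otherwise the firewall rule blocking
  // LAN -> !192.168.5.1 on tcp/80,443 would make internal web UIs unreachable.
  if (isPlainHostName(host) ||
      isInNet(host, "192.168.5.0", "255.255.255.0") ||
      dnsDomainIs(host, ".lan.example")) {          // assumed internal domain
    return "DIRECT";
  }
  // Everything else, http:// and https:// alike, goes to Squid. For https:// the
  // browser issues "CONNECT host:443", so Squid sees only the domain, not the path.
  return PROXY;
}
```

Because the HTTPS request reaches Squid as CONNECT host:443, a PAC-based setup can block a whole HTTPS domain but cannot filter on the URL path, which is exactly the limitation described in the reply above.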

