Netgate Discussion Forum
    Forcing Clients to Use Squid to established internet connection

    Category: Firewalling
    10 Posts, 4 Posters, 11.2k Views
    ipis

      Hi guys. I set up a non-transparent proxy so that I will be able to force all clients on my network to use my proxy server. I also set up WPAD and PAC to point them to my proxy server's IP address and port. The problem is that when "auto detect proxy settings" is enabled in the clients' browser, they can still bypass my proxy server. I tried blocking them in my LAN rules (source: internal clients, port http/https; destination: WAN address). But doing this also blocks my entire setup, regardless of disabling the auto-detect setting in browsers. Please give me advice. Thanks in advance!

      rjcrowder

        @ipis:

        Hi guys. I set up a non-transparent proxy so that I will be able to force all clients on my network to use my proxy server. I also set up WPAD and PAC to point them to my proxy server's IP address and port. The problem is that when "auto detect proxy settings" is enabled in the clients' browser, they can still bypass my proxy server. I tried blocking them in my LAN rules (source: internal clients, port http/https; destination: WAN address). But doing this also blocks my entire setup, regardless of disabling the auto-detect setting in browsers. Please give me advice. Thanks in advance!

        You should block LAN -> any address, port 80, with source not the pfSense box address.

        Nachtfalke

          Yes, you must block
          destination IP: any
          destination ports: 80,443
          source-ip: any
          source-port: any

          This should work. Your mistake seems to be that your destination address was your "WAN address".

          ipis

            Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443, Destination Any, port 80/443, and also allowing the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks

            rjcrowder

              @ipis:

              Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443, Destination Any, port 80/443, and also allowing the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks

              Do not specify a port on the source, only on the destination. Also, you can do this all in one rule:

              block Source=192.168.5.0/24, Destination ANY NOT 192.168.5.1, port 80/443

              See attached for my rule...

              ![Screenshot from 2013-10-12 08:46:44.png](/public/imported_attachments/1/Screenshot from 2013-10-12 08:46:44.png)

              mendilli

                @ipis:

                Hi, thanks for the reply. I've tried this block rule: Source=192.168.5.0/24 port 80/443, Destination Any, port 80/443, and also allowing the proxy server with a rule Source=192.168.5.1 port 80/443 to Destination Any, port 80/443. But still no luck. Please give me another idea. Thanks

                Your allow-proxy rule seems to be wrong: the allowed proxy port must be the port used for the proxy (default 3128), not 80/443.

                And if you share your wpad/pac file content, more help could be available; your wpad/pac file may be wrong too.

                ipis

                  Hi, thanks for the reply. I will try that :)

                  ipis

                    Hi. I managed to block direct access. But the problem is that my WPAD and PAC configuration does not seem to be working. My internet only works when I point their browser settings manually to the Squid address. Is it true that using WPAD and PAC will not block certain HTTPS websites? Some forums claim that it can block certain HTTPS sites. By the way, this is my PAC configuration:

```javascript
// Every request, whatever the URL or host, is sent to Squid at 192.168.5.1:3128.
function FindProxyForURL(url, host)
{
    return "PROXY 192.168.5.1:3128";
}
```

                    rjcrowder

                      @ipis:

                      Hi. I managed to block direct access. But the problem is that my WPAD and PAC configuration does not seem to be working. My internet only works when I point their browser settings manually to the Squid address. Is it true that using WPAD and PAC will not block certain HTTPS websites? Some forums claim that it can block certain HTTPS sites. By the way, this is my PAC configuration:

```javascript
// Every request, whatever the URL or host, is sent to Squid at 192.168.5.1:3128.
function FindProxyForURL(url, host)
{
    return "PROXY 192.168.5.1:3128";
}
```

                      Your WPAD and PAC file does not do anything to block websites. It is simply a file that the browser will use to figure out which proxy it should send to. If your browser gets to the internet when you configure the proxy directly, but doesn't work when you turn on proxy auto-config, then something is probably wrong with your WPAD/PAC setup.

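An expanded PAC file as an added example (not code from the thread): it keeps the proxy address and LAN subnet given in the posts, sends intranet short names and same-subnet hosts DIRECT, and routes everything else through Squid with no DIRECT fallback, so a browser that loaded it cannot quietly bypass the proxy. The `inNet` helper is a plain-JS stand-in for the browser's `isInNet`, so the file also runs outside a browser for testing.

```javascript
// Added example PAC (not from the thread). Proxy and LAN values are the ones
// given in the posts: Squid at 192.168.5.1:3128, LAN 192.168.5.0/24.
var PROXY = "PROXY 192.168.5.1:3128";
var LAN_NET = "192.168.5.0";
var LAN_MASK = "255.255.255.0";

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or -1 if not an IPv4 literal.
function ip4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return -1;
    n = n * 256 + o;
  }
  return n;
}

// Plain-JS stand-in for the browser's isInNet(): only IP literals match, so the
// PAC never triggers a DNS lookup of its own (no name leaks, no slow lookups).
function inNet(host, net, mask) {
  var h = ip4ToInt(host);
  if (h < 0) return false;
  return ((h & ip4ToInt(mask)) >>> 0) === (ip4ToInt(net) >>> 0);
}

function FindProxyForURL(url, host) {
  // Same-subnet traffic never crosses pfSense, so the LAN 80/443 block rule
  // does not touch it: intranet short names and LAN addresses go DIRECT.
  if (host.indexOf(".") === -1 || inNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes through Squid. No "; DIRECT"
  // fallback is appended on purpose: where the LAN block rule is missing a
  // fallback would let the browser bypass the proxy whenever Squid is slow
  // or down, and where the rule is in place it only produces confusing failures.
  return PROXY;
}
```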
                      mendilli

                        Your WPAD configuration seems right; do not forget to configure the browser to detect it automatically (it is set by default in IE and Chrome, but you must select the second option from the top in Firefox).

                        The wpad/pac file alone is not enough; you should configure dhcpd and DNS as described here:

                        https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                        When you get it working, while in non-transparent proxy mode, all your connection requests including HTTPS will be forwarded to the proxy as well, and you will see HTTPS connections as CONNECT (not POST or GET) in the Squid access log. So you will be able to block HTTPS domains with Squid and SquidGuard.
                        For example, https://facebook.com can be blocked, but you cannot allow https://facebook.com and block https://www.facebook.com/appcenter/category/games/?platform=web at the same time.

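The CONNECT-versus-GET point above, as an added example that is not part of the thread or of Squid: it parses constructed Squid access.log lines against a hypothetical policy (a domain-level block and a path-level block) and shows that a domain rule applies to both HTTP and HTTPS, while a path rule can only be evaluated for plain HTTP because a CONNECT entry carries nothing but host:port. Host names are the ones from the post; addresses are RFC 5737 test values.

```javascript
// Added example (not Squid's or the thread's code). Log lines are constructed
// in Squid's native access.log format; client/peer addresses are RFC 5737 test
// addresses, hosts are the ones named in the post above.
const SAMPLE_LOG = [
  "1381565204.123    120 192.168.5.20 TCP_TUNNEL/200 5321 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1381565205.456     45 192.168.5.20 TCP_MISS/200 10234 GET http://www.facebook.com/appcenter/category/games/?platform=web - HIER_DIRECT/203.0.113.10 text/html",
  "1381565206.789     30 192.168.5.21 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.20 text/html",
  "1381565207.012    200 192.168.5.21 TCP_TUNNEL/200 8800 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.20 -",
];
// Hypothetical policy: one domain-level block (host and all subdomains) and one
// path-level block, i.e. the "allow facebook.com but block /appcenter/" case.
const POLICY = {
  blockedDomains: ["example.com"],
  blockedPaths: [{ host: "www.facebook.com", prefix: "/appcenter/" }],
};

// Parse one native-format line; fields are: time elapsed client status size method url ...
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  const client = f[2], method = f[5], url = f[6];
  if (method === "CONNECT") {
    // A CONNECT request carries only host:port; everything inside the TLS
    // tunnel (path, query, headers) is opaque to Squid.
    return { client, method, host: url.replace(/:\d+$/, ""), path: null };
  }
  const u = new URL(url);
  return { client, method, host: u.hostname, path: u.pathname + u.search };
}

const domainMatches = (host, d) => host === d || host.endsWith("." + d);

// "block", "allow", or "unenforceable" (a path rule names this host, but the
// entry is a CONNECT, so the path needed to evaluate the rule is not visible).
function decide(entry, policy) {
  if (policy.blockedDomains.some((d) => domainMatches(entry.host, d))) return "block";
  for (const rule of policy.blockedPaths) {
    if (entry.host !== rule.host) continue;
    if (entry.path === null) return "unenforceable";
    if (entry.path.startsWith(rule.prefix)) return "block";
  }
  return "allow";
}

function classifyLog(lines, policy) {
  return lines.map((l) => {
    const e = parseSquidLine(l);
    return { method: e.method, host: e.host, verdict: decide(e, policy) };
  });
}
```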