[SOLVED] selectively let random LAN IP bypass port forwarding to squid/DG/SG



  • Let's say I want all LAN HTTP traffic from 192.168.100.0/24
    to go through squid / dansguardian / squidguard;
    how do I add an exception for some IPs to pass through directly?

    In iptables I can just put their IP in PREROUTING and use the ACCEPT target,
    but I can't find out how I should do this in the Firewall - NAT - Port Forwarding menu in pfSense…

    Anybody care to point me how?

    TIA...



  • It's right on the rule creation page… When you create the "forward" rule, you just enter a "not" exception for the address or range of addresses you don't want to be forwarded...



  • Thank you for replying to this…

    If I understand correctly, that is for just one exception?
    I need to allow some IPs to bypass DansGuardian + squid altogether.
    What if I need to exclude some IPs?



  • You can do a range. For example: 192.168.5.200/29 would exclude addresses from 192.168.5.200 through 192.168.5.207. See this online calculator http://www.subnet-calculator.com/ and you can play with masks to see how it works.

    You can also create an alias and then use the alias in your rule. In the alias, you can set up any combination of individual addresses or ranges of addresses.



  • Yes… alias, I didn't think of that..
    The IPs I want to allow are not necessarily in sequence;
    they're like 10.0.1.5, 10.0.1.59, 10.0.1.151 and so on...

    So alias it is...

    Thank you very much!
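For readers who want to see what the "not" source plus an alias amounts to underneath the pfSense GUI, here is an added pf.conf fragment (example rules, not from the thread or from pfSense's generated ruleset) expressing the same thing directly in pf. The interface name em1, the LAN subnet 10.0.1.0/24 and the proxy port 3128 are assumptions; the bypass addresses are the ones from the last post.

```pf
# Added example: pf equivalent of a pfSense port forward to a transparent
# proxy, with a "not" exception implemented as a table (the pfSense alias).
# em1, 10.0.1.0/24 and port 3128 are assumed values for illustration.
lan_if     = "em1"
lan_net    = "10.0.1.0/24"
proxy_port = "3128"

# A pfSense alias becomes a pf table; entries do not need to be contiguous,
# and CIDR blocks (e.g. 10.0.1.200/29) can be mixed in with single hosts.
table <proxy_bypass> { 10.0.1.5, 10.0.1.59, 10.0.1.151 }

# Translation (rdr) rules are first-match, so the exception must be listed
# before the redirect: hosts in the table keep their port 80 traffic untouched.
no rdr on $lan_if proto tcp from <proxy_bypass> to any port 80

# Every other LAN host has its outbound HTTP redirected to the proxy listener.
rdr pass on $lan_if proto tcp from $lan_net to any port 80 -> 127.0.0.1 port $proxy_port

# Checks after loading the rules:
#   pfctl -nf /etc/pf.conf          syntax check without loading
#   pfctl -s nat                    confirm the "no rdr" line precedes the rdr
#   pfctl -t proxy_bypass -T show   list the hosts currently exempt
```

The order shown matters: if the `no rdr` line were placed after the `rdr pass` line, the redirect would match first and the table would have no effect.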

