Transparent Proxy Mode



  • Can I force my clients to work in transparent HTTP mode without using Squid?
    Sorry if I am sounding silly…



  • Simple - pass ports 80/433 in the firewall for your clients.



  • @dvserg:

    Simple - pass ports 80/433 in the firewall for your clients.

    So, will my users be accessing the internet via pfSense? I mean, will whatever filtering I have done be reflected on their machines?



  • @networkinggeek:

    @dvserg:

    Simple - pass ports 80/433 in the firewall for your clients.

    So, will my users be accessing the internet via pfSense? I mean, will whatever filtering I have done be reflected on their machines?

    Pass ports 80/433 in the pfSense firewall. On the users' computers, the firewalls do not need to do anything.



  • Pass ports 80/433 in the pfSense firewall. On the users' computers, the firewalls do not need to do anything.

    No, no, no, that is not what I meant. I mean, if I just pass ports 80/433 in my pfSense firewall, will whatever web content filtering policies I create be enforced on my users?



  • @networkinggeek:

    Pass ports 80/433 in the pfSense firewall. On the users' computers, the firewalls do not need to do anything.

    No, no, no, that is not what I meant. I mean, if I just pass ports 80/433 in my pfSense firewall, will whatever web content filtering policies I create be enforced on my users?

    It will be, but you must uninstall Squid or not use transparent Squid, and users must delete the proxy settings in the browser.



  • OK, let me give you the details.
    I am trying NSFilter for web content filtering, and it is using port 3128 for the HTTP proxy. NSFilter requires manually configuring the browser proxy settings to point to the pfSense box. If there are a hundred users then it is a very tedious job. So I want to make use of pfSense and force them to use my proxy settings by default, not by manually configuring it on their system.


  • Rebel Alliance Developer Netgate

    If the proxy supports a transparent mode, you can forward them to it using a port forward.

    Port forward on LAN, TCP, source of NOT the proxy IP, any source port, destination of any, port 80, target is the proxy IP and port 3128.

    That may work for 80 but likely won't work for 443 (HTTPS cannot be transparently intercepted without a lot of extra work, including placing a CA on each client PC).

    If you control all of the PCs, pushing the settings via some automated mechanism (GPO, WPAD, etc.) is probably a better idea.

    To ensure they can't reach the web without the proxy you'd need a couple rules, though:

    pass TCP from the proxy IP to any port 80/443
    block TCP from the LAN subnet to any port 80/443



  • @jimp:

    If the proxy supports a transparent mode, you can forward them to it using a port forward.

    Port forward on LAN, TCP, source of NOT the proxy IP, any source port, destination of any, port 80, target is the proxy IP and port 3128.

    That may work for 80 but likely won't work for 443 (HTTPS cannot be transparently intercepted without a lot of extra work, including placing a CA on each client PC).

    Yes, it works fine for HTTP, but I am getting a problem with HTTPS. I imported the certificate on my client PC and even then it easily bypasses the proxy.

    @jimp:

    If you control all of the PCs, pushing the settings via some automated mechanism (GPO, WPAD, etc.) is probably a better idea.

    To ensure they can't reach the web without the proxy you'd need a couple rules, though:

    pass TCP from the proxy IP to any port 80/443
    block TCP from the LAN subnet to any port 80/443

    By making use of WPAD or GPO, will HTTPS pass through the proxy server?? :-\ :-\



  • I imported the certificate on my client PC and even then it easily bypasses the proxy.

    As JimP said, you need to create firewall rules to block your LAN from talking on ports 80 and 443.

    By making use of WPAD or GPO, will HTTPS pass through the proxy server??

    You would use GPO to push out a policy so your Windows LAN clients use the proxy, and WPAD handles DHCP users.

    No matter how you slice it, intercepting HTTPS is not simple.



  • Know that if you have a transparent proxy and configure the browser with the proxy port, you can access the webConfigurator of pfSense, jumping the possible firewall rule.



  • Easiest way to have an external proxy on another host with pfSense.

    Place this in /usr/local/www/wpad.dat on your pfSense router.

    ```javascript
    function FindProxyForURL(url, host) {
        // Resolve the name once instead of calling dnsResolve() for every isInNet() test.
        var ip = dnsResolve(host);

        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "localhost") ||
            shExpMatch(host, "*.crowderfarm.local") ||
            isInNet(ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(ip, "127.0.0.0", "255.0.0.0"))   // loopback is 127.0.0.0/8
            return "DIRECT";

        // Everything else goes through the proxy (no DIRECT fallback).
        return "PROXY 192.168.10.8:3128";
    }
    ```

    Add a host override on the DNS forwarder:

    Host: wpad
    Domain: crowderfarm.local
    IP address: 192.168.1.1
    Description: WPAD Autoconfigure Host

    Or you can simply point your browsers to the configuration file in the connection settings, by clicking "Automatic Proxy Configuration URL" in Firefox for example and entering "http://192.168.1.1/wpad.dat".

    Of course you have to set these settings to match your network.
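    As an added example (not code from the thread, from wcrowder, or from pfSense): a small Node.js harness that evaluates the PAC logic above offline by stubbing the four helpers a browser normally supplies (isPlainHostName, shExpMatch, dnsResolve, isInNet). The proxy 192.168.10.8:3128, the crowderfarm.local domain and the 192.168.0.0/16 range are the values from the post; DNS_TABLE, the sample URLs and the function names evaluatePac and failsOpen are constructed for the demo. It also flags a "; DIRECT" fallback in a decision string, which is exactly the case where a browser would quietly go around the filter when the proxy is unreachable, and it is why jimp's pass/block rules on ports 80/443 remain necessary even with a working PAC file.

    ```javascript
    // Added example (not from the thread, not pfSense code): evaluate a PAC file
    // offline by stubbing the helper functions a browser normally supplies.
    // Proxy 192.168.10.8:3128, domain crowderfarm.local and 192.168.0.0/16 are
    // the values from the post; DNS_TABLE and SAMPLE_URLS are constructed.

    // Constructed stand-in for the client's resolver.
    const DNS_TABLE = {
      "intranet.crowderfarm.local": "192.168.1.20",
      "localhost": "127.0.0.1",
      "www.example.com": "203.0.113.10", // constructed, TEST-NET-3 range
    };

    // --- Stubs of the standard PAC helpers -------------------------------------
    function isPlainHostName(host) {
      return host.indexOf(".") === -1;
    }

    // shExpMatch supports the shell globs '*' and '?'; everything else is literal.
    function shExpMatch(str, pattern) {
      const escaped = pattern
        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
        .replace(/\*/g, ".*")
        .replace(/\?/g, ".");
      return new RegExp("^" + escaped + "$").test(str);
    }

    // Browsers return null (or "") when the name does not resolve.
    function dnsResolve(host) {
      return DNS_TABLE[host] || null;
    }

    function ipToInt(ip) {
      return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
    }

    function isInNet(ip, net, mask) {
      if (!ip) return false; // an unresolved name never matches a subnet
      const m = ipToInt(mask);
      return (ipToInt(ip) & m) === (ipToInt(net) & m);
    }

    // --- The PAC function from the post, resolving the name once ---------------
    function FindProxyForURL(url, host) {
      const ip = dnsResolve(host);
      // Internal destinations go direct. Note that any unqualified name (no dot)
      // also goes direct, so the firewall rules on 80/443 are what actually
      // stop a client from reaching the web without the proxy.
      if (isPlainHostName(host) ||
          shExpMatch(host, "localhost") ||
          shExpMatch(host, "*.crowderfarm.local") ||
          isInNet(ip, "192.168.0.0", "255.255.0.0") ||
          isInNet(ip, "127.0.0.0", "255.0.0.0")) {
        return "DIRECT";
      }
      // No "; DIRECT" after the proxy: if the proxy is down, browsing fails
      // closed instead of silently bypassing the filter.
      return "PROXY 192.168.10.8:3128";
    }

    // --- Harness ---------------------------------------------------------------
    // Returns { hostname: decision } for each URL, so the PAC file can be checked
    // before it is published as /usr/local/www/wpad.dat.
    function evaluatePac(urls) {
      const decisions = {};
      for (const u of urls) {
        const host = new URL(u).hostname;
        decisions[host] = FindProxyForURL(u, host);
      }
      return decisions;
    }

    // True when a decision string would let the browser fall back to DIRECT.
    function failsOpen(decision) {
      return /;\s*DIRECT\b/i.test(decision);
    }

    const SAMPLE_URLS = [
      "http://pfsense/",
      "http://intranet.crowderfarm.local/",
      "http://localhost/",
      "https://www.example.com/",
    ];

    // Print one line per host so the PAC can be eyeballed before deployment.
    for (const [host, decision] of Object.entries(evaluatePac(SAMPLE_URLS))) {
      const warn = failsOpen(decision) ? "  (fails open!)" : "";
      console.log(host.padEnd(30) + " " + decision + warn);
    }
    ```

    Run it with `node` after saving it to a file; the resolver stub is the only thing that differs from a real browser, so swapping DNS_TABLE entries for your own hosts is enough to sanity-check edits to the PAC before copying them to the router.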


  • @wcrowder:

    Easiest way to have an external proxy on another host with pfSense.

    Place this in /usr/local/www/wpad.dat on your pfSense router.

    ```javascript
    function FindProxyForURL(url, host) {
        // Resolve the name once instead of calling dnsResolve() for every isInNet() test.
        var ip = dnsResolve(host);

        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "localhost") ||
            shExpMatch(host, "*.crowderfarm.local") ||
            isInNet(ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(ip, "127.0.0.0", "255.0.0.0"))   // loopback is 127.0.0.0/8
            return "DIRECT";

        // Everything else goes through the proxy (no DIRECT fallback).
        return "PROXY 192.168.10.8:3128";
    }
    ```

    Add a host override on the DNS forwarder:

    Host: wpad
    Domain: crowderfarm.local
    IP address: 192.168.1.1
    Description: WPAD Autoconfigure Host

    Or you can simply point your browsers to the configuration file in the connection settings, by clicking "Automatic Proxy Configuration URL" in Firefox for example and entering "http://192.168.1.1/wpad.dat".

    Of course you have to set these settings to match your network.

    So it means we need to manually select the "Proxy Auto-Discovery" option in the browser even after placing this code on the pfSense router?