Enforce use of squid proxy in non-transparent mode?

  • Good day everyone,

I have a squid proxy set up for the express purpose of using the squidguard filtering feature. I would like to filter traffic for about 20 computers and mobile devices on both http and https protocols. I would rather not have to go around and install a certificate on each machine, especially since folks come to visit me, and also because I fix computers here and thus am constantly getting in new computers to be fixed. Too much hassle to do all of that. I have a wpad proxy auto-setup script configured on my pfSense router box, and it seems to be working so far. Now I want to enforce use of the proxy by all users. I believe that would simply involve blocking ports 80 and 443 from all the LAN segments, without blocking folks going through the proxy. It is that last clause that I'm not certain I know how to handle. It is easy enough to just block all web traffic sourced from the LAN interface, but I think this would block all web traffic, period. If so, I would need to be routing/forwarding/redirecting filtered traffic through my pfSense box's loopback interface, is this correct? If so, how would I go about doing so?

  • E.g. you can block all http traffic on LAN, but explicitly allow traffic to your pfSense IP:squid port. That's how my setup is.

    You can also use NAT to force all http(s) traffic to the squid port(s). I did this the other day for a device where the administrators disabled all proxy configuration settings and it wasn't autodiscovering my wpad. Kind of a brute force approach but it works.

    Normally I don't use NAT, I do use wpad and also configure devices' proxy settings to kind of double up. Using NAT overrides everything else and would be the most powerful. Maybe it's not recommended, I'm not sure …

  • That would certainly work, except for 2 problems:

    1. I don't know enough to make that happen. I'm not Jean-Luc Picard - I can say "Make it so" all day long, but that'll only serve to irritate my brother/roommate. It certainly won't auto-configure my pfSense firewall rules. I do certainly know how to click on the "plus" button to create a new firewall rule - I'm looking for some help as to the specific criteria I would need to fill in.

    2. I would like to retain access to the WebGUI. I have my wpad file set to give "DIRECT" access to my local network, as well as my local domain name. In case my squid service fails/stops/etc., however, I would like to have a Plan B in place.

    If I'm not mistaken, what I need to do is block web traffic from being forwarded from my 3 LAN segments to the WAN segment.

    I don't know how feasible this is, but if I could redirect outgoing web traffic to an internal web page, informing users that they need to either enable proxy auto-discovery, or else manually set their proxies and then give info on what to do and how to do it, etc. I suspect the vHost package would be handy in this endeavour.

    Thanks for the help thus far, but I think I'll need a few more hints before I try to solve this puzzle. I've already had to wipe out and reinstall my pfSense box from scratch due to locking myself out of the box, and I'd rather learn to master history than be doomed to repeat it…
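As an added illustration (not a file from this thread), here is what a wpad.dat of the kind described above can look like: local hosts, the local domain and the pfSense box go DIRECT so the WebGUI stays reachable if squid stops, and everything else is sent to squid with no DIRECT fallback, since the firewall rule being discussed blocks direct port 80/443 anyway. The proxy address 192.168.1.1:3128, the LAN 192.168.1.0/24 and the domain home.lan are assumed values; the PAC helper functions are normally supplied by the browser and are stubbed here (for IPv4 literals only) so the script can be run and checked outside a browser.

```javascript
// Constructed example wpad.dat (PAC) script; addresses and domain are assumed.
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; the stubs
// below only exist so the file runs stand-alone under Node for testing.
// Note: the real isInNet resolves hostnames via DNS; this stub does not.
var SQUID = "PROXY 192.168.1.1:3128";   // assumed pfSense LAN IP and squid port
var LAN_NET = "192.168.1.0";            // assumed LAN segment
var LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".home.lan";         // assumed local domain

function isPlainHostName(host) {
  return host.indexOf(".") === -1;      // e.g. "pfsense", "nas"
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ip4ToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) n = (n * 256) + parseInt(parts[i], 10);
  return n;
}
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;  // stub: literals only
  var m = ip4ToInt(mask);
  return (ip4ToInt(host) & m) === (ip4ToInt(pattern) & m);
}

function FindProxyForURL(url, host) {
  // Plan B: anything local (WebGUI, LAN devices, loopback) bypasses squid,
  // so losing the proxy does not lock the admin out of the router.
  if (isPlainHostName(host) ||
      host === "localhost" ||
      dnsDomainIs(host, LOCAL_DOMAIN) ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything bound for the internet must go through squid (no DIRECT
  // fallback on purpose: the LAN->WAN block on 80/443 would drop it anyway).
  return SQUID;
}
```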

  • I have my webgui using https but not port 443. You can configure it via System -> Advanced. That way you can set http and https firewall rules without worrying about losing access.

    When messing with pfSense, change things one at a time and save, save, save the config. At least if you have to reinstall you can restore state.

    The NAT stuff is via Firewall -> NAT -> Port Forward. The rule I have for the one particular computer I can't configure is like this:

    Interface: wifi
    Protocol: TCP/UDP
    Source address: one particular computer's DHCP assigned IP
    Source port: *
    Destination address: WAN address (i.e. "the internet")
    Destination port: 80 (http)
    NAT IP: my LAN, where squid resides
    NAT ports: my squid port

    So any http traffic from that one computer destined for the internet gets redirected to squid.

    Be careful with NAT. Don't just apply a blanket rule to start with or you risk making your machine inaccessible, as you guessed. Again, that's why I use https and a special port for webgui.

    NAT will supersede squid and WPAD (and your webgui access).

    You can do the redirect thing with NAT. Any TCP HTTP traffic on a LAN not going to WPAD or squid can be redirected to an information page you are serving.

    I'm a beginner too, so take this advice with a grain of salt.

    I've reinstalled a few times too. I'll bet most on here have.

    Take things slowly and carefully!

  • @Legion
    First paragraph: Great idea! Soooo glad I thought of it! Heh-heh.

    Second paragraph: I'm guessing, by your statement, that there is a way to backup and later restore the state of the pfSense settings? I was not aware of that. I'll take a look and see if I can find that.

    Paragraphs 3-7: good to know, thanks. I'll try that (one step at a time :)

    Eighth paragraph: I'll definitely have to try that, after I get the previous working, if only for fun and for learning. I may not need this if the previous works.

    Lastly: Even the most experienced admins still make mistakes - just less often.

  • @aaronouthier:

    I'm guessing, by your statement, that there is a way to backup and later restore the state of the pfSense settings? I was not aware of that. I'll take a look and see if I can find that.

    Yeah, I'm not in front of my pfSense box right now so I can't say the exact menu location but somewhere in Diagnostics maybe? Your whole configuration is saved as XML, so you can also check things and (gulp) modify them if you really want. I have plenty of backups saved. If you make too many mistakes and have to reinstall you can install a fresh vanilla pfSense and then restore a saved XML config over the top of it and it will bring you back to how you were. You might have to reinstall packages, I don't remember. You definitely have to reinstall anything custom like WPAD.

    As a bonus, if you have custom text files, you can also install the Filer package, which is also accessed via the same parent menu as backup/restore. Filer saves its files in the XML config too, so custom scripts, config files, etc can be saved as part of system state too.

    E.g. if you have a WPAD.dat file, you can open it in Filer and save it in Filer and then it will be serialised as part of system config when you backup. You can even set permissions (I think) and it might create directories as required (I think). It's a useful package.

  • Strange, I didn't notice your response until just now. I had already found that option by that time however. Yes, it is on the diagnostics menu.

    I'm still having an issue getting this working, however. I am going to start a new thread for that, however.
