Tearing out my hair. Can't get NAT rules set up to enforce DansGuardian/squid use



  • I have seen and tried to follow instructions to create NAT rules to forward ports 80 and 443 (HTTP & HTTPS) to the DansGuardian port of 8080. I've tried both with and without a port alias.

    Create port alias "Web" defined as ports 80 and 443.

    The main issue is that there are 3 different LAN segments (2 wired, 1 wifi). DansGuardian is listening on all 3. I can't reliably set all 3 LAN segments to NAT these ports, as it creates redundant rules for the WAN segment.

    If I create a single, blanket rule for all 3 segments, only the LAN segment functions, since the redirect IP address is set to the LAN interface address. Despite having an allow-to-any rule set up last in the sequence, I have not been successful in routing any packets across subnets.

    Help!



  • Forgot to mention:
    If I go into my computer's control panel, and set the proxy settings manually, the filtering works a treat. I know, for this reason, that DansGuardian and Squid are working fine. The SARG logs are also showing the sites accessed.

    All of this happens, despite a complete wipe of the SSD drive and reinstall from USB install media. I am using the Memstick embedded installer, if it matters. All of this on a netgate APU4 box. 4 GB RAM, 32 GB mSATA, Atheros Wifi mini pcie.



  • My advice is to only use DansGuardian as a last resort. It requires lots of things.

    What I would do is use an OpenDNS account or DynDNS account and set up DNS filtering there.

    It doesn't require any installs of Squid or any rules on your machine. It's simple.

    pfSense uses OpenDNS for its DNS and then the clients all use pfSense for DNS.


  • LAYER 8 Global Moderator

    Where are you trying to create these NATs? You're not in outbound NAT, are you? That has nothing to do with what you're trying to do; you're just doing a forward on the LAN interface.



  • @johnpoz:

    Where are you trying to create these NATs? You're not in outbound NAT, are you? That has nothing to do with what you're trying to do; you're just doing a forward on the LAN interface.

    I don't quite understand what I am supposed to do. Rather, I don't understand how to implement the desired effect.

    I need to forward/redirect all traffic going from LAN, OPT1, & OPT2 to the Internet on ports 80 & 443 through DansGuardian/Squid.

    Basically, I need to enforce all users to use the Proxy.

    If I set my computer to use a proxy server manually, it works fine. I have a working wpad file, also.

    I need to be sure that nobody can turn off their proxy. Since I am planning to do a Hotspot in the future, and also since I am running a computer repair business (and thus, will be having lots of computers in & out), I want to make new computers use the proxy in a transparent fashion.

    So, based on that criteria, if somebody would be so kind as to point me in the right direction as to how the firewall rules should look?

    Thanks to everyone who has helped thus far.



  • @kejianshi:

    My advice is to only use DansGuardian as a last resort. It requires lots of things.

    What I would do is use an OpenDNS account or DynDNS account and set up DNS filtering there.

    It doesn't require any installs of Squid or any rules on your machine. It's simple.

    pfSense uses OpenDNS for its DNS and then the clients all use pfSense for DNS.

    I've looked into OpenDNS already. I might use it in addition to DansGuardian, but not instead of. DynDNS won't be necessary as I have a static IP.

    I will be contacting the folks responsible for DansGuardian and Shalla Blacklists to see if my use of their software requires a license.


  • LAYER 8 Global Moderator

    "Basically, I need to enforce all users to use the Proxy."

    There are multiple ways to skin this cat: you can use WPAD or other manual or automatic methods to set the proxy on the clients, and then just block 80/443 directly out on your LAN interfaces. This makes sure your users are set to use the proxy, or they don't get access outbound on those ports.

    Or you could do a forward on your interfaces for traffic destined to 80 to your proxy port. Pretty sure the squid package has a check mark to do this automatically. I do recall discussions about squid and SSL support on pfSense, etc. I am not sure if that is 100% viable currently; proxying SSL comes with lots of caveats and possible issues and privacy concerns, etc. etc.

    This post should give you everything you need
    https://forum.pfsense.org/index.php?topic=72528.0



  • @johnpoz:

    "Basically, I need to enforce all users to use the Proxy."

    Or you could do a forward on your interfaces for traffic destined to 80 to your proxy port.

    This is what I am trying to do.

    Pretty sure the squid package has a check mark to do this automatically. I do recall discussions about squid and SSL support on pfSense, etc. I am not sure if that is 100% viable currently; proxying SSL comes with lots of caveats and possible issues and privacy concerns, etc. etc.

    Squid does have such a checkmark, however using it would send the traffic directly to Squid, cutting DansGuardian out of the loop. DansGuardian is setup with Squid as the parent proxy. I am looking for this type of effect, but I need to send all LAN clients through DG, before going through Squid.

    This post should give you everything you need
    https://forum.pfsense.org/index.php?topic=72528.0

    Thanks. I have read several posts on the subject. I'll double-check this one, just to see if I missed something.



  • Oh! Ohhhhh! I think I've spotted the issue!! I am using the regular squid3, not the -dev version. Replacing that now, and crossing my fingers. (Kinda hard to type with all of my fingers crossed…)



  • @johnpoz:

    "Basically, I need to enforce all users to use the Proxy."

    There are multiple ways to skin this cat: you can use WPAD or other manual or automatic methods to set the proxy on the clients, and then just block 80/443 directly out on your LAN interfaces. This makes sure your users are set to use the proxy, or they don't get access outbound on those ports.

    Tried this today, and actually got this method to work! Then, went to configure my Xbox 360 to use the Proxy. Surprise! Xbox 360 has no built-in support for Proxy Servers!!

    Or you could do a forward on your interfaces for traffic destined to 80 to your proxy port. Pretty sure the squid package has a check mark to do this automatically. I do recall discussions about squid and SSL support on pfSense, etc. I am not sure if that is 100% viable currently; proxying SSL comes with lots of caveats and possible issues and privacy concerns, etc. etc.

    I am trying this again. Sort of have it working. HTTP works, HTTPS does not. I really want to use DansGuardian for the filtering, and Squid3 for the proxy.

    Squid3-dev seems to have a bug that prevents it from starting. Running squid -d 5 gives a parse error on some config file. I haven't figured out how to fix this in the -dev version. I might just copy the same file from the non -dev version, if it exists, and overwrite it on the -dev package and see if that gets me anywhere.

    I am making the assumption that the Man-in-the-middle option is needed from squid3-dev in order to make https work.

    As for security and privacy - It is just myself, my brother, and all of our computers. (He has 1 computer, and 1 silly Samsung Galaxy smartphone. I have about a dozen various computers - a few servers, a few laptops, and a nice iPhone).



  • Good luck getting this to handle HTTPS for you and not break things. HTTPS issues are why I don't bother anymore with those packages.



  • Ok, so I now have Squid & DansGuardian working properly. How do I redirect ports 80 and 443 coming from my LAN through port 8080? I've tried setting port forwarding, but my "allow to any" rules seem to be overriding my port forwarding rules, even though my "allow to any" rules are listed last.



  • Does your NAT rule look like the picture below? I have a few interfaces where I redirect to either squid or dansguardian running on the LAN interface. To me it didn't make sense to have squid and dansguardian listening on a bunch of interfaces when I can have them run on one and then redirect traffic to that interface/port via NAT (make sure FW rules are opened to allow the traffic to pass through). I mainly use WPAD so I can capture HTTPS traffic (just the domain they are visiting, nothing else), but unless you do a MITM kind of setup, HTTPS won't be proxied/filtered…




  • @aaronouthier:

    Ok, so I now have Squid & DansGuardian working properly. How do I redirect ports 80 and 443 coming from my LAN through port 8080? I've tried setting port forwarding, but my "allow to any" rules seem to be overriding my port forwarding rules, even though my "allow to any" rules are listed last.

    You can't transparently redirect SSL traffic. You'll need to do an explicit proxy config in the browser or use an auto config file to get the proxy settings into the browser.



  • @rjcrowder:

    @aaronouthier:

    Ok, so I now have Squid & DansGuardian working properly. How do I redirect ports 80 and 443 coming from my LAN through port 8080? I've tried setting port forwarding, but my "allow to any" rules seem to be overriding my port forwarding rules, even though my "allow to any" rules are listed last.

    You can't transparently redirect SSL traffic. You'll need to do an explicit proxy config in the browser or use an auto config file to get the proxy settings into the browser.

    I thought you could set up a transparent redirect for SSL traffic in NAT, but it'll only work if you have SSL man-in-the-middle filtering configured in Squid and every browser client has the cert added to them.



  • Yes, Squid has a transparent option for both HTTP & HTTPS. This won't work in my setup, because it would route the traffic directly to Squid, bypassing DansGuardian. I need the traffic to go through DansGuardian before being relayed through Squid. Manually setting proxies and wpad files won't work either, as my Xbox 360 and PS3 have no provision for using proxies, even with a wpad file.

    I have Squid-Dev running, and Man-in-the-Middle is working flawlessly when I do manually set the Proxy for a specific computer. The only logging being done is violations for DansGuardian. This is mostly to catch false-positives when something isn't working correctly. My brother has already had it in for me when one of his games didn't run, due to DG filtering his Marvel Heroes Test Center 2015 game updates.



  • @Cino:
    My Nat rule was identical, except that I had destination set as WAN, which didn't work. Funny thing - I just changed this to "Any". What do you know…

    Thanks Cino!



  • You're welcome… You could also set it to NOT and select the interface that it is on. By having the destination set to WAN, it would only match traffic that is trying to connect to your WAN IP.
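The configuration the thread converges on (Cino's single DansGuardian listener with a NAT redirect on every client-facing interface, and the destination fix from the last two posts), written out as hand-written pf rules. This is an added example, not from the thread or from the pfSense project, and it is the pf equivalent of what the GUI port forward expresses rather than the exact rule set pfSense generates. The interface names (igb0, igb1, igb2, ath0), the 192.168.x.0/24 subnets, the DansGuardian address 192.168.1.1:8080 and the <fw_self> table are assumptions; the "Web" alias is the one from the first post.

```pf
# Added example (not from the thread): hand-written pf rules equivalent to the
# pfSense port forward that finally worked, beside the two variants that did not.
# Interface names, subnets and the DansGuardian address are assumptions.
wan  = "igb0"
lan  = "igb1"      # 192.168.1.0/24; DansGuardian listens on 192.168.1.1:8080
opt1 = "igb2"      # 192.168.2.0/24
opt2 = "ath0"      # 192.168.3.0/24, wifi
dg_ip    = "192.168.1.1"
dg_port  = "8080"
web      = "{ 80, 443 }"              # the "Web" port alias from the first post
segments = "{ igb1, igb2, ath0 }"
# the firewall's own LAN-side addresses (pfSense "This Firewall (self)")
table <fw_self> { 192.168.1.1, 192.168.2.1, 192.168.3.1 }

# Broken variant 1 (the original poster's first attempt): Destination = "WAN
# address". In pfSense that is the firewall's own public IP, so the rule only
# matches a client connecting to the WAN IP itself, never ordinary web traffic.
#   rdr on $lan proto tcp from $lan:network to ($wan) port $web -> $dg_ip port $dg_port

# Broken variant 2: a single redirect on LAN only. Packets from OPT1 and OPT2
# enter on their own interfaces, so an "rdr on $lan" never sees them.
#   rdr on $lan proto tcp from any to any port $web -> $dg_ip port $dg_port

# Working form: one rdr per inbound interface, destination "any" except that
# interface's own address (pfSense "Destination: NOT <interface> address"),
# all pointing at the one DansGuardian listener on LAN. Excluding the interface
# address keeps the pfSense GUI on 443 reachable instead of proxied.
rdr on $lan  proto tcp from $lan:network  to ! ($lan)  port $web -> $dg_ip port $dg_port
rdr on $opt1 proto tcp from $opt1:network to ! ($opt1) port $web -> $dg_ip port $dg_port
rdr on $opt2 proto tcp from $opt2:network to ! ($opt2) port $web -> $dg_ip port $dg_port

# Filter rules. pf translates before it filters, so by the time the rule set is
# evaluated a redirected packet is already addressed to $dg_ip:8080; a late
# "allow to any" rule cannot undo an earlier rdr. What the OPT1/OPT2 rules must
# therefore allow is traffic to the LAN address and port, not just "to the
# Internet", which is the cross-subnet piece that was missing.
pass in quick on $segments proto tcp from any to $dg_ip port $dg_port keep state

# johnpoz's enforcement, made independent of the client: any 80/443 packet that
# was not redirected (a host the rdr missed, a redirect someone deleted) is
# dropped here, ahead of the allow-to-any rule, so the only way out on those
# ports is through DansGuardian and then Squid. Traffic to the firewall's own
# addresses is exempted so the GUI stays reachable from every segment.
block in log quick on $segments proto tcp from any to ! <fw_self> port $web

# The existing allow-to-any rule, last as in the original rule set.
pass in quick on $segments from any to any keep state
```

Check the syntax with `pfctl -nf` on the file before loading it, then `pfctl -s nat` to confirm all three rdr lines are present. From a client on OPT1, `curl -sI http://example.com/` should produce a state in `pfctl -ss` with destination 192.168.1.1:8080 and an entry in the DansGuardian access log; if the state shows the original destination instead, the packet never matched the rdr (wrong interface or destination) and the block rule above will log it. One caveat the thread's later posts spell out: a redirected port-443 connection arrives at 8080 as a raw TLS ClientHello, not as an HTTP CONNECT, so DansGuardian cannot parse it. Transparent HTTPS only works pointed at a Squid intercept/SSL-bump listener with its CA installed on every client, which bypasses DansGuardian unless Squid is set to chain back through it, and devices that cannot be told about a proxy (the Xbox 360 and PS3 from the thread) get only the HTTP half of this.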

