pfSense Squid WPAD HTTPS MITM
-
This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.
That's exactly where I'm not in line, at least with your statement.
The point is that we have, with this screen copy, only a partial view of FW rules. However, the problem is not to go through or not.
With FW rules, you define source, destination and port. It doesn't matter if you go through. If destination is "*****", then it also covers the pfSense LAN interface.
What can be done, if not already applied, is to ensure that the "Anti-Lockout Rule" rule (on LAN interface) already contains port 80 ;) So try the system setting way and see how you go.
I'm not using pfSense either as HTTP proxy or as WPAD web server ;) furthermore my anti-lockout rule already includes ports 80 and 22 ;D
On top of that, if it doesn't work like what I describe, then I will have to spend a lot of time reading documentation to better understand how iptables and netfilter work 8) -
I think…......... this is how the firewall rules are supposed to look based on the explanation by chris4916! :) (If I'm reading it properly!!! :P) which makes sense.
I'm yet to try it out and I don't know whether this will work or not... will update later.
-
Better but not yet perfect ;D
I would suggest that source is set to "this LAN" instead of "*" so that you only authorize access to pfSense on port 80 from YOUR LAN. What do you think?
-
I already made that change chris…. 8) 8) 8). Will let you guys know how this works out.
Thanks for your help guys! -
Guys, I got WPAD working… but can anyone help me with this..
If I set an IP on a machine manually the WPAD doesn't seem to work.. it works only through DHCP!!!
And can anyone give me info about the NAT rule that needs to be configured?
Thanks!
-
If I set an IP on a machine manually the WPAD doesn't seem to work.. it works only through DHCP!!!
If you set the IP address manually, you will either have to manually set the proxy too, or at least ensure "Automatically detect proxy" is set in your client browser.
-
If I set an IP on a machine manually the WPAD doesn't seem to work.. it works only through DHCP!!!
This is most likely because you are discovering the proxy using the "well known alias", which will (DNS) search for "wpad.your_domain".
"your_domain" is pushed by your DHCP configuration, while I suspect you do not set it up, or set it up with different settings, when configuring your client manually. This also could be due to use of different (or no) DNS when done manually. WPAD can rely on different mechanisms.
The "well known alias" is the one mainly used, but you could also use the DHCP option or DNS service definition.
Notice that nothing prevents you from using all of them ;-) because depending on clients, some will work better (or not :-[). I wrote something in a previous life (https://wiki.zentyal.org/wiki/Select_Right_HTTP_Proxy_Design) that may help you make the right decision in terms of design.
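The post above describes two of the WPAD discovery mechanisms: the DHCP option and the DNS "well known alias" walk over the client's domain. The following Python script is an added example, not part of the original thread and not pfSense or Squid code; it simulates that client-side discovery so an administrator can see which wpad.* names must resolve on the LAN and why a statically addressed host with no DNS domain finds nothing. The hostnames, the zone data in FAKE_DNS and the 192.0.2.1 address are constructed; the domain walk is a simplified model of draft-ietf-wrec-wpad, not the exact behaviour of any particular browser.

```python
"""Simulated WPAD discovery (added example; constructed data only).

Order modelled here:
  1. A DHCP-supplied WPAD URL (option 252), used as-is if present.
  2. The DNS well-known alias: drop the host label from the client's FQDN,
     then try wpad.<remaining domain>, removing one label per step and
     stopping before the top-level domain (so wpad.com is never tried).

A client configured by hand with only an IP address and no DNS domain has
nothing to walk in step 2, which matches the symptom described in the thread.
"""
from typing import Dict, List, Optional

# Constructed stand-in for the LAN resolver: name -> address.
# In the thread's setup this would be the pfSense LAN interface serving wpad.dat.
FAKE_DNS: Dict[str, str] = {
    "wpad.corp.example.com": "192.0.2.1",
}


def dns_candidates(fqdn: str, min_labels: int = 2) -> List[str]:
    """Return, in order, the wpad.* names a client with this FQDN would try.

    min_labels=2 reproduces the draft's rule of stopping at the second-level
    domain: for pc1.corp.example.com the candidates are wpad.corp.example.com
    and wpad.example.com, never wpad.com.
    """
    labels = [part for part in fqdn.lower().rstrip(".").split(".") if part]
    if len(labels) <= 1:
        return []  # bare hostname, no domain suffix to walk
    domain = labels[1:]  # strip the host label itself
    candidates = []
    while len(domain) >= min_labels:
        candidates.append("wpad." + ".".join(domain))
        domain = domain[1:]
    return candidates


def discover(fqdn: str,
             dhcp_option_252: Optional[str] = None,
             resolver: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the first WPAD URL this client would fetch, or None if discovery fails."""
    if resolver is None:
        resolver = FAKE_DNS
    if dhcp_option_252:
        # DHCP hands the full URL over; no DNS walk is needed.
        return dhcp_option_252
    for name in dns_candidates(fqdn):
        if name in resolver:
            return f"http://{name}/wpad.dat"
    return None


if __name__ == "__main__":
    # DHCP-configured client: it learned both a domain and (optionally) option 252.
    print(discover("pc1.corp.example.com"))
    print(discover("pc1.corp.example.com", "http://192.0.2.1/wpad.dat"))
    # Statically configured client with no domain suffix: nothing to try.
    print(discover("pc1"))
```

Running it with the constructed data resolves the DHCP client to http://wpad.corp.example.com/wpad.dat and returns None for the bare hostname "pc1", which is the "works only through DHCP" behaviour from the thread. Two checks follow from the model: give statically addressed hosts the same DNS domain and resolver that DHCP hands out, and confirm that the internal resolver answers wpad.<domain> for every domain level the walk will try, since a name further up the hierarchy that resolves to something other than your proxy would otherwise be accepted by clients.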
-
Guys…. Thank you all for your help... I got it running perfectly.
One small issue, has anyone come across this: when using Citrix Receiver to connect to RDP I get the following error only through the proxy: "There is no Citrix SSL Server configured on the specified address". I tried the usual troubleshooting like using "proxy server options" and "bypass proxy for local address" on IE and using newer clients and all.
Thank you for your time.