Could squid support for lan and wan?



  • Hello,
    I have a firewall and need squid for LAN and WAN.
    The LAN uses transparent mode.
    Internet -> WAN users must log in with an account and password.
    How do I set it up?
    Simply put, LAN users must be able to go to the internet transparently.
    WAN users can log in and use my proxy to reach the internet.
    Thanks a lot



  • I'm not sure that Squid can be set up to listen on its own WAN interface.  If you have access to additional public IPs, I would add an optional (third NIC or VLAN) interface.  You'll have to set up some firewall rules to allow the traffic to hit your box, but it should work.  We currently have squid listening on two interfaces (VLANs) and it works just fine, though they are both non-routable IPs.

    As for logging in to use the proxy, try the captive portal.  Again, I think this will need an interface separate from the WAN.  One of our two interfaces runs captive portal & DHCP.  Users on this interface can log in, access the internet and be proxied by squid.  As I think through issues you may encounter, setting up your ACLs may be one of them.  We use 10.21.1.* for LAN and 192.168.1.* for OPT1.  This way we can grant different access to users depending on which interface they use to connect.  If you have people coming in from the internet, you won't know their IPs.  Everyone will probably be subject to the same ACLs.



  • You could try editing
    /usr/local/etc/squid/squid.conf

    Add a new entry below your existing http_port  xxx.xxx.xxx.xxx:3128 line and list your WAN IP address and the port you want it to listen on.
    While this is a valid configuration for squid running on a FreeBSD box, I can't make any guarantees that this is supportable under pfSense; at the very least it will probably mean that all configuration of squid will have to be done by hand, as using the GUI will definitely result in one of the http_port lines being removed.
    Visit www.squid-cache.org if you are unsure of the correct syntax of entries in the squid.conf file, and before you do anything BACKUP the current squid.conf file.



  • Please note that all conf files of services in pfSense are rewritten on bootup or on changes in the webgui. Manually editing conf files will most likely not last very long.



  • To edit the conf file and have the changes stick, you must edit the include file.  See this post for details.

    http://forum.pfsense.org/index.php/topic,5093.0.html



  • Hello,
    On my squid server,
    I have made sure that squid can support both LAN and WAN.
    The LAN uses TP mode to go to the internet.
    The WAN side lets internet users go through my WAN to the internet by logging in with an account.
    As follows:

    # for LAN users
    http_port 127.0.0.1:3128 transparent
    # for WAN users
    http_port 0.0.0.0:7400

    # for LAN users
    acl inside1 src 192.168.10.0/255.255.255.0
    # for VPN
    acl inside2 src 192.168.20.0/255.255.255.0
    # for WAN users with auth
    acl squid_password proxy_auth REQUIRED
    http_access allow squid_password
    http_access allow inside1
    http_access allow inside2
    http_access allow localhost
    http_access deny all

    I hope the GUI can support setting this up.
    It would let users easily manage some functions.
    Thanks a lot.
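
The configuration posted above, reordered so that LAN sources are allowed before any `proxy_auth` rule and authentication is required only on the WAN port. This is an added example, not the poster's or pfSense's configuration. The WAN address 203.0.113.10, the helper path and the password file are assumptions, and `localhost` is assumed to be defined as in the stock squid.conf.

```conf
# Added example. Constructed values: WAN address 203.0.113.10
# (documentation range), auth helper path, password file path.

# Intercepted LAN traffic is redirected to this port by the firewall.
http_port 127.0.0.1:3128 transparent
# Explicit proxy port for remote users, bound to the WAN address
# instead of 0.0.0.0 so it is not exposed on every interface.
http_port 203.0.113.10:7400

# Basic auth helper. It is named ncsa_auth on older Squid builds and
# basic_ncsa_auth on newer ones; adjust the path to the installed helper.
# Basic credentials cross a plain http_port unencrypted.
auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/passwd
auth_param basic realm proxy
auth_param basic children 5
auth_param basic credentialsttl 2 hours

acl inside1 src 192.168.10.0/255.255.255.0
acl inside2 src 192.168.20.0/255.255.255.0
# Matches the local port the client connected to.
# Older Squid releases call this ACL type "myport".
acl wan_port localport 7400
acl squid_password proxy_auth REQUIRED

# http_access is evaluated top to bottom and the first match wins.
# Internal sources are matched here, before any proxy_auth ACL is
# tested, so intercepted clients are never sent a 407 challenge
# (proxy authentication cannot work on intercepted connections).
http_access allow inside1
http_access allow inside2
http_access allow localhost
# Everything else is allowed only on the WAN port and only with
# valid credentials.
http_access allow wan_port squid_password
http_access deny all
```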



  • @akong:

    Hello,
    On my squid server,
    I have made sure that squid can support both LAN and WAN.
    The LAN uses TP mode to go to the internet.
    The WAN side lets internet users go through my WAN to the internet by logging in with an account.
    As follows:

    # for LAN users
    http_port 127.0.0.1:3128 transparent
    # for WAN users
    http_port 0.0.0.0:7400

    # for LAN users
    acl inside1 src 192.168.10.0/255.255.255.0
    # for VPN
    acl inside2 src 192.168.20.0/255.255.255.0
    # for WAN users with auth
    acl squid_password proxy_auth REQUIRED
    http_access allow squid_password
    http_access allow inside1
    http_access allow inside2
    http_access allow localhost
    http_access deny all

    I hope the GUI can support setting this up.
    It would let users easily manage some functions.
    Thanks a lot.

    With the above edit, could the squid proxy be used to authenticate users from the LAN and remote users from the WAN to access the file server inside the LAN?



  • Ah, you want people to be able to access services on the LAN from the WAN?  Why not use a VPN then?



  • @Cry:

    Ah, you want people to be able to access services on the LAN from the WAN?  Why not use a VPN then?

    No,
    that is not what I mean.
    I want to let my users use the company network from the WAN,
    but only for web,
    not every function.
    So I won't provide VPN for users.
    I only provide squid for WAN users,
    as follows:
    WAN users --> company WAN network ---> home page.
    I provide a proxy only.
    I don't want WAN users to be able to browse the LAN network.



  • Ever considered setting up something like ssl explorer http://3sp.com/showSslExplorer.do ? It would give you encryption and usercontrol/authentication and the users don't need anything more than a browser to use it from anywhere.



  • Dear GuRUs…. I noticed that our current Squid Proxy Server has an option for us to choose where we wanted to apply squid proxy server on LAN or WAN interface. So far, most of us are using squid proxy server on LAN. I'm wondering..... what is the function or usage for applying squid proxy server on WAN interface??



  • If you want to have a public proxy that users on the WAN can access to go back out to the WAN (you could, for example, build an anonymizer service with that, kind of). It's not meant for authenticating against servers on the LAN.

