Netgate Discussion Forum

Routing one website from particular ISP

  • O
    oldhat
    last edited by Apr 22, 2015, 6:34 AM

    Hello, I have been using Microsoft TMG so far and switched over to pfSense (2.2.2-RELEASE (amd64)) + squid3 (3.4.10_2 pkg 0.2.8) + squidGuard (1.4_7 pkg v.1.9.14) recently. My requirement is to route traffic to a particular website, for example google.com, always via ISP 2. Can anyone please let me know how this can be done? I have tried gateway selection with a floating rule but it always goes through the default gateway selected.

    Is it possible with pfsense? Please help. I can provide any kind of additional information required.

    Thanks in advance to the community members.

    • D
      doktornotor Banned
      last edited by Apr 22, 2015, 6:38 AM

      Remove squid and it will work…

      • O
        oldhat
        last edited by Apr 22, 2015, 6:42 AM

        Thanks for your reply. I need http and https filtering as well. Can squidguard work as standalone without squid? Sorry for asking silly questions but I am new to pfSense.

        Thanks in advance.

        • D
          doktornotor Banned
          last edited by Apr 22, 2015, 6:43 AM

          Let me re-iterate this. MultiWAN + proxy + policy routing -> does NOT work.

          • O
            oldhat
            last edited by Apr 22, 2015, 6:45 AM

            Thanks for your reply. Can you suggest a solution please in which url filtering and routing can be done? Will I be able to still share internet without using squid?

            Thanks in advance.

            • D
              doktornotor Banned
              last edited by Apr 22, 2015, 6:46 AM

              Exclude the website from proxying.

              • O
                oldhat
                last edited by Apr 22, 2015, 6:55 AM

                Thanks for your reply. It really looks like the best solution, but will I be able to block URLs of the same website using the squidguard "Regular Expression" feature? For example: allow google.com and exclude it from squidguard but disallow google.com/mail/ using the mail keyword in a regular expression?

                Thanks in advance.

                • C
                  chris4916
                  last edited by Apr 22, 2015, 8:48 AM

                  One way to achieve it is to maintain, within your proxy.pac file (in case you are using WPAD or have configured proxy.pac URL on each browser) the relevant "no proxy for" statement.

                  Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                  • O
                    oldhat
                    last edited by Apr 22, 2015, 8:54 AM

                    Dear doktornotor,

                    Thanks for showing the way so far. I have been able to route traffic to the websites as required by bypassing squid, but one last part of this is to block certain URLs based on keyword, which I was able to do using squidguard but it is not working anymore. Please suggest a solution for this. I will be thankful to you.

                    Thanks in advance.

                    • O
                      oldhat
                      last edited by Apr 22, 2015, 8:57 AM

                      Dear chris4916,

                      Thanks for your reply. I am a complete beginner. Do you have any article on what you have written that I can read and try on my end? I am not able to understand much of it. However, I am using transparent proxy.

                      Thanks in advance.

                      • D
                        doktornotor Banned
                        last edited by Apr 22, 2015, 9:16 AM

                        @oldhat:

                        Thanks for showing the way so far. I have been able to route traffic to the websites as required by bypassing squid, but one last part of this is to block certain URLs based on keyword, which I was able to do using squidguard but it is not working anymore. Please suggest a solution for this.

                        Policy routing does not give a damn about keywords or URL. Only destination IPs/ports are relevant. So no, I have no solution for this "problem".

                        • C
                          chris4916
                          last edited by Apr 22, 2015, 9:39 AM

                          @oldhat:

                          Thanks for your reply. I am a complete beginner. Do you have any article on what you have written that I can read and try on my end? I am not able to understand much of it. However, I am using transparent proxy.

                          No, I don't have any pointer to such an implementation based on transparent proxy.
                          As I definitely do not push for such transparent proxy stuff, which, in my opinion, brings many more drawbacks than added value, I do not investigate in this direction. Never 8)

                          Furthermore, I don't understand how you could achieve it easily because, the proxy being transparent, you can't write any external "no proxy for" rule (this would be meaningless) and because all requests are transparently intercepted at proxy level; from the pfSense viewpoint, all requests are issued from pfSense itself (local service) and therefore bypass, by default, policy rules.

                          Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                          • O
                            oldhat
                            last edited by Apr 22, 2015, 10:03 AM

                            Dear doktornotor, Thanks for your support so far. At least I can start using it. Thanks once again. :)

                            Dear chris4916,

                            Thanks for your message. I can stop using transparent proxy if it can serve the purpose. I need to route traffic to certain secure sites through a particular gateway and block a few pages of that website based on keywords. I have been able to block URLs using regular expressions of squidguard but not able to send traffic via a particular gateway. If I add that website to squid bypass then I am able to select a particular gateway but I lose the capability of blocking certain pages of the website.

                            I hope I have been able to clear my situation. Any help will be appreciated.

                            Thanks in advance.

                            • C
                              chris4916
                              last edited by Apr 22, 2015, 11:42 AM

                              Can't you try to achieve it running an explicit proxy elsewhere (meaning not as a pfSense-located service)?

                              Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                              • O
                                oldhat
                                last edited by Apr 22, 2015, 12:11 PM

                                Dear chris4916,

                                Thanks for your reply. I don't have more hardware but I can try a Virtual Machine if it can serve the purpose. Can you please throw more light on how keeping squid and squidguard separate can help in achieving it?

                                Thanks in advance.

                                • C
                                  chris4916
                                  last edited by Apr 22, 2015, 1:12 PM

                                  1 - Deny access to internet through your firewall except from proxy
                                  2 - configure your proxy
                                  3 - set up WPAD so that clients easily point to your proxy

                                  With such design, you can configure policy routing that will apply and also benefit from proxy (squidguard) filtering.

                                  BTW, from architecture standpoint, this design is better than services running on pfSense.

                                  Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                                  1 Reply Last reply Reply Quote 0
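
The proxy.pac "no proxy for" statement and the WPAD step mentioned in chris4916's posts above, as an added example that is not part of the original thread: a PAC file in which the proxy address `192.0.2.10:3128`, the bypass domain `example.com` and the LAN prefix `192.168.1.` are assumptions. It uses plain string checks instead of the PAC helper functions so that it also runs outside a browser.

```javascript
// Constructed values for this example; replace with your own.
var PROXY = "PROXY 192.0.2.10:3128";      // explicit squid host (hypothetical)
var NO_PROXY_DOMAINS = ["example.com"];   // "no proxy for" list (hypothetical)
var LAN_PREFIX = "192.168.1.";            // local subnet prefix (hypothetical)

// True when host is the domain itself or one of its subdomains.
// Comparing on a label boundary keeps "notexample.com" from
// matching the bypass entry "example.com".
function inDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  domain = domain.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// PAC entry point: the browser calls this for every request and
// uses the returned string to pick DIRECT or the proxy.
function FindProxyForURL(url, host) {
  // Unqualified names are local: never send them to the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";

  // Only a real IPv4 literal may match the LAN prefix, so a hostname
  // such as "192.168.1.example.org" is not treated as local.
  var isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIPv4 && host.indexOf(LAN_PREFIX) === 0) return "DIRECT";

  // "No proxy for" entries go out directly from the client.
  for (var i = 0; i < NO_PROXY_DOMAINS.length; i++) {
    if (inDomain(host, NO_PROXY_DOMAINS[i])) return "DIRECT";
  }

  // Everything else goes through the proxy, where URL filtering applies.
  return PROXY;
}
```

Hosts returned as `DIRECT` skip squid, so squidGuard rules do not apply to them, and with internet access denied except from the proxy they need their own firewall pass rule.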