Help: pfsense box and squid box layout



  • Hi,

    I've been searching through Google, but unfortunately some of the results are not clear or the solutions are not satisfactory. I need help on this for my office; it's a bit confusing and I haven't tried this kind of setup. I always set up just pfSense, and a lot of the time installing Squid within pfSense breaks the captive portal. I need to set up bare metal for each.

    Please refer to attached layout image.

    Questions:

    Based on Setup 1:

    • Can pfsense distribute IP if squid is in between pfsense box and client?
    • Can I port forward from pfsense passing through the squid from WAN to client?
    • Can Captive Portal pass through squid to client?
    • Can squid hinder the communication between pfsense and the client, other than web filtering?

    Based on Setup 2:

    • Setting up the client's gateway to 192.168.1.2, then from the squid box routing the gateway to 192.168.1.1?

    Any suggestions? I highly appreciate any suggestions and thank you very much in advance.
    ![pfsense and proxy.jpg](/public/imported_attachments/1/pfsense and proxy.jpg)



  • In what you show as "setup 1", squid would be running in transparent mode. I have no experience with that, so I can't comment on how to set it up.

    Your "setup 2" would be running squid in proxy mode, which is how I've always done it. Your clients would use the IP address of the pfsense box as their default gateway. On the pfsense box, you'd block outbound ports 80 and 443 for all IP addresses except the squid box. You'd need a "proxy auto config" (PAC) file on a local web server. You'd tell clients how to find the PAC file via a WPAD entry in your DNS, or a DHCP option.

    The PAC file would contain a JavaScript function that looks at the URL the browser is attempting to go to, and either returns the string "DIRECT" (if the URL is an internal site), or "PROXY 192.168.1.2:3128" if the site is not internal.

    Something like:

    ```javascript
    function FindProxyForURL(url, host)
    {
        // LAN hosts (plain names or anything in 192.168.1.0/24) go direct; everything else goes via squid
        if (isPlainHostName(host) || isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
        return "PROXY 192.168.1.2:3128";   // squid box would be 192.168.1.2 and squid is listening on 3128
    }
    ```

    More information: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

    NOTE: The one gotcha that tends to stymie people setting this up is adding the MIME type on your web server to match ".pac" files. The referenced wiki documents what needs to be done.
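A way to check the PAC decision logic from the reply above before publishing the file, as an added example that is not the poster's code and not part of pfSense or Squid: the helpers `isPlainHostName` and `isInNet` are normally provided by the browser, so they are re-implemented here with a constructed DNS table so the function can be exercised offline with Node. The squid address 192.168.1.2:3128 is assumed as in the thread.

```javascript
// Constructed sample resolver: hostname -> IPv4 the browser would get from DNS.
// Real isInNet() resolves non-literal hosts with DNS; an unresolvable host makes
// it return false, so such hosts fall through to the proxy rather than going direct.
const SAMPLE_DNS = {
  "intranet.example.local": "192.168.1.10",
  "www.example.com": "93.184.216.34",
};

// Pack a dotted quad into an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// PAC helper: a "plain" host name has no dots (e.g. a bare LAN name like "fileserver").
function isPlainHostName(host) {
  return !host.includes(".");
}

// PAC helper: is the host's address inside pattern/mask?
function isInNet(host, pattern, mask) {
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : SAMPLE_DNS[host];
  if (!ip) return false;                       // resolver failure -> not in net
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// The PAC function as posted, with the return keyword in the form browsers expect.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  return "PROXY 192.168.1.2:3128";             // assumed squid box, as in the thread
}

// Run a small decision table: LAN names and the /24 stay direct, everything else is proxied,
// including a name the resolver cannot answer.
function runCases() {
  const cases = [
    ["http://fileserver/", "fileserver"],
    ["http://intranet.example.local/", "intranet.example.local"],
    ["http://192.168.1.1/", "192.168.1.1"],
    ["https://www.example.com/", "www.example.com"],
    ["https://unknown.invalid/", "unknown.invalid"],
  ];
  return cases.map(([url, host]) => [host, FindProxyForURL(url, host)]);
}
```

The pfsense rule that blocks ports 80 and 443 from everything except the squid box is what enforces this; the PAC only steers well-behaved browsers, so a client that ignores it simply loses direct web access.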

