PFSense as DHCP server directing to another proxy?



  • Hello everyone,

    I'm an IT manager in a branch office of a larger company. The thing is, I took over the IT section with it already up and running, and the guy who set it up like that resigned. So I'm using pfSense for the first time and didn't even have a chance to install or configure it.

    Since we are in a small city, isolated from the main office, we had a local internet provider. Now the company hired a provider for all branches, and we have to direct the traffic to the company proxy.

    So I'm supposed to disable my proxy server and clear the firewall rules so the traffic would go straight to the company's proxy. As far as I can understand, my PFSense would become a DHCP server.

    Right now the services running in my pfsense are: apinger, dhcpd, dnsmasq, havp, ntpd, squid, squidGuard.

    What I need to know is:
    How to disable my proxy service, and then make the PFSense redirect to a determined proxy.



  • How to disable my proxy service

    Uninstall squid, squidguard and HAVP.

    and then make the PFSense redirect to a determined proxy

    Either use WPAD to allow your users to discover the corporate proxy on their own, or create an outbound NAT rule to direct your users' port 80/443 traffic to the corporate proxy. WPAD is better since it won't give you any hassles with Man in the Middle attack warnings. Redirecting their web traffic silently will trigger warnings for every HTTPS site unless you manually install a certificate on every one of your users' devices.


  • LAYER 8 Global Moderator

    There are multiple ways to get a client to use a proxy. You could deploy the proxy to the client via group policy, or you could use WPAD, which can be DNS or DHCP based, for the client to find out what proxy to use.

    Or sure, you could have no discovery of the proxy to use and set up redirection of their internet traffic, or you could leave them using your proxy and just set up your proxy to forward to the upstream proxy.

    The last option, if you're using an explicit proxy, is to just go to each machine and point their browser to your PAC file or directly to the proxy the corp wants you to use.
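    The WPAD approach both answers above recommend, as an added example that is not from this thread: a PAC file the browser fetches as http://wpad.<your-domain>/wpad.dat (DNS discovery) or from DHCP option 252, then queries per request. The proxy name (proxy.corp.example:8080), the LAN (192.168.10.0/24), the corporate WAN (10.0.0.0/8) and the internal domain (corp.example) are assumptions; the PAC helper shims at the top exist only so the file runs stand-alone under Node and are not needed in a browser.

```javascript
// Added example, not part of the original thread.
// Assumed values: corporate proxy proxy.corp.example:8080, local LAN 192.168.10.0/24,
// corporate WAN 10.0.0.0/8, internal DNS domain corp.example.

// The browser's PAC engine supplies these helpers; the shims below are only
// here so the file runs under Node for testing. Drop them when deploying as wpad.dat.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) | parseInt(o, 10), 0) >>> 0;
}
// Shim only handles dotted-quad input; the real isInNet may also resolve names.
function isInNet(ipaddr, pattern, mask) {
  return (ip4ToInt(ipaddr) & ip4ToInt(mask)) === (ip4ToInt(pattern) & ip4ToInt(mask));
}

var CORP_PROXY = "PROXY proxy.corp.example:8080";

function FindProxyForURL(url, host) {
  // Plain host names and the internal domain stay off the proxy: they belong
  // on the corporate link, not on the internet link the proxy sits behind.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // IP literals inside the LAN or the corporate WAN also go direct. The regex
  // check avoids a DNS lookup for ordinary host names.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "192.168.10.0", "255.255.255.0") ||
       isInNet(host, "10.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through the corporate proxy. No "; DIRECT" fallback
  // is appended, so a dead proxy fails closed instead of bypassing policy.
  return CORP_PROXY;
}
```

Serve the file with the MIME type application/x-ns-proxy-autoconfig and verify the decision for a few representative hosts before pointing 300 clients at it.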



  • I fully share both Kom's and johnpoz's answers. WPAD is most likely the right technical answer.
    Then as described above, one aspect is the technical way to achieve HTTP redirection to company proxy but another aspect is also related to the global design you will target.

    What is not clear to me is the reason why you write:

    So I'm supposed to disable my proxy server and clear the firewall rules so the traffic would go straight to the company's proxy. As far as I can understand, my PFSense would become a DHCP server.

    1 - if the goal is to provide DHCP service only, then pfSense is clearly overkill  8)
    2 - I'm really not sure, unless you are obliged to do so in order to comply with company rules, that removing your firewall is the right target. This makes sense only if the network between your site and your company is a fully private network with no direct internet access. And even in this situation, keeping the FW in the middle with permissive rules may help in case you need, for whatever reason like a virus spreading, to isolate your local network from the company network.

    You do need to clarify this point before deciding about target design  ;)



  • Thank you for the answers,

    About the firewall, I may have expressed myself poorly. I meant that I'm to clear the rules that prevent access to certain websites that aren't being properly blocked by squid (like facebook).

    I'm probably going to try the WPAD package (in 2 weeks, when the proxy tests are scheduled), since, as KOM said, an outbound NAT rule may give me some false positives of MitM attacks.

    The company specified that no branch office is supposed to have a proxy anymore. According to them it may interfere with the net balancing, since we have two links from the same provider (one for the internet and the other for the corporate net).

    And I'm definitely not going to manually configure the browser of 300 hosts. ;D

    Once again, thank you all.

    I would appreciate it if this topic could remain open for 2 weeks; I may get into some trouble with WPAD.

