Squid3 pass based on MAC address vs IP address - aka Roku fix

  • Last night I set up Squid as I've done a few times only to uninstall it because pfSense chokes due to caching.  Fortunately I realized I've been watching Amazon Prime on my Roku while Squid3 was running.
    Under the Real-time View, Squid was caching a ton from the *cloudfront.net CDN.

    Now, the fix would be to skip the proxy for Roku's IP address, am I right?
    If so, Rokus only pick DHCP addresses, and their site likes to say "don't assign a static lease for Roku's MAC address."

    Well, I could ignore that I guess and go ahead and do that.  I was also wondering if Squid can ignore MAC addresses in lieu of IP addresses and then I can make even Roku support happy.

    I'd just like to get some opinions on this, and I could see others possibly wanting to pass based on MAC address vs. IP address.

    possible pass MAC address solution:
    _Can I set up ACL's based on MAC address rather than IP?
    Yes, for some operating systems. The ACL type is named arp after the ARP protocol used in IPv4 to fetch the EUI-48 / MAC address. This ACL is supported on Linux, Solaris, and probably BSD variants.

    MAC address is only available for clients that are on the same subnet. If the client is on a different subnet, then Squid can not find out its MAC address, as the MAC is replaced by the router MAC when a packet is routed.

    For Squid-3.1 and older to use ARP (MAC) access controls, you first need to compile in the optional code.
    Do this with the --enable-arp-acl configure option:_

    % ./configure --enable-arp-acl ...
    % make clean
    % make

    If src/acl.c doesn't compile, then ARP ACLs are probably not supported on your system.
    For Squid-3.2 and newer the EUI support is enabled by default whenever it can be used.
    Add some arp ACL lines to your squid.conf:

    acl M1 arp 01:02:03:04:05:06
    acl M2 arp 11:12:13:14:15:16
    http_access allow M1
    http_access allow M2
    http_access deny all

    Run squid -k parse to confirm that the ARP / EUI support is available and the ACLs are going to work.

  • Maybe I'm missing something but instead of trying to get Squid working with the CDN, why not just exempt the Roku altogether?  Or are you running a transparent proxy?

  • yep.  transparent proxy.

    I think I may just make a list of CDNs to allow for various streaming services, if that's possible, and post a separate thread with those if it helps others.

  • You're better off ditching the transparent proxy for explicit mode, which gives you a lot more flexibility.  Then you could just set your Roku to not use it and go straight out.  You also won't have to screw around with trusted pfSense certs installed on every device.


  • Thanks for the tip!  Now I'm trying to wrap my head around this WPAD solution but have a few questions…

    What would require trusted certs in what I was thinking?
    The MAC address filter or excluding caching from certain streaming CDNs?

    Also, would this WPAD have the Roku circumvent the firewall altogether?  I would still want inbound protection, and since it's a home environment, I prefer not to use authentication for myself to surf the Net.

    What's funny is I have a QNAP NAS as well and since this WPAD setup says I'd have to set pfSense administration to use HTTP instead of HTTPS if Squid3 + WPAD is on the same box (and recommends not doing that) I could probably use the QNAP box as the Squid caching server instead and do this WPAD setup.

  • What would require trusted certs in what I was thinking?

    Transparent proxies will trigger your web browser's Man in the Middle warning whenever you visit an HTTPS site.

    Also, would this WPAD have the Roku circumvent the firewall altogether?

    WPAD is just a technique for devices to auto-locate your web proxy.  That's all.  It looks complicated, but it's really just a single DNS entry, a DHCP entry and a small file named wpad.dat with a proxy.pac symlink.

    Also, would this WPAD have the Roku circumvent the firewall altogether?

    No.  WPAD is just a method of auto-detecting the proxy and nothing more.

    Your wpad.dat|proxy.pac files need to be on any HTTP server you can use.  I use my pfSense box but any old Apache on *nix will do.
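    The wpad.dat / proxy.pac file mentioned above, written out as an added example (not from this thread, pfSense or Squid): it sends the cloudfront.net streaming CDN direct so Squid never caches it, and everything else through Squid. The proxy address and port are assumed placeholders, and the two helper functions at the bottom are stand-ins for the ones the PAC runtime normally supplies.

```javascript
// proxy.pac / wpad.dat (added example, not from the thread or pfSense).
// WPAD-aware clients fetch this file and call FindProxyForURL(url, host)
// for every request. The proxy address/port below is an assumed placeholder.
var SQUID = "PROXY 192.168.1.1:3128";
var DIRECT = "DIRECT";

// Streaming CDN domains that should skip the cache. The thread names
// cloudfront.net for Amazon Prime; the leading dot is deliberate (see below).
var BYPASS_DOMAINS = [".cloudfront.net"];

function FindProxyForURL(url, host) {
  // Bare LAN names (no dot) never go through the proxy.
  if (isPlainHostName(host)) {
    return DIRECT;
  }
  // Streaming CDNs: direct, so Squid never caches the video segments.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, BYPASS_DOMAINS[i])) {
      return DIRECT;
    }
  }
  // Everything else: Squid first, fall back to direct if Squid is down.
  return SQUID + "; " + DIRECT;
}

// The PAC runtime supplies these two helpers; the stand-ins below mirror the
// browser behaviour (plain suffix match) so the file can be exercised with node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Suffix match. Without the leading dot in the pattern, a lookalike such as
  // "notcloudfront.net" would also match and slip past the proxy.
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
```

    Only clients that honour WPAD load this file; in explicit mode the Roku is simply never pointed at the proxy and goes straight out, as suggested earlier in the thread.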
