Netgate Discussion Forum

    Squid3 / Firewall / DMZ

    General pfSense Questions
    4 Posts 2 Posters 1.1k Views
    • Bigdaddy168

      Hey guys, i'm new to pfsense and want to evaluate it coming from ipfire.
      Today i successfully installed it virtually on XEN with 3 NICs.(one for LAN, one for some kind of DMZ and one for wan). After some standard configuration, i added squid3 and squidquard packages. After that i removed the "default wildcard" LAN rule on the firewall, to prevent direct access to the WAN interface. Then i created one rule to grant the web access from Lan through squid. Squid is running as explicit proxy on port 3128. I tested the SSL-Scan with clam-av (own CA on pfsense). There is one Webserver in dmz which provides a management interface via https. I created a rule which grants access via https from one single Computer in LAN Network to the Webserver in dmz. Now the Problem: PC in LAN with no proxy configured -> access to Webserver with original certificate. PC in LAN with proxy configured –> access to the Webserver with self signed certificate. For me that means that the traffic goes through squid and clam scans the traffic between DMZ and LAN. I only want Direct access between those local networks, not over the proxy Server.. Help would be very appreciated.

      Thanks

      • KOM

        Most OSes allow you to specify not to use the proxy for internal networks, with an area that allows you to list those local nets.

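        The client-side exclusion KOM describes is usually delivered as a proxy auto-config (PAC) file rather than typed into each machine. The following PAC file is an added example, not code from KOM's post or from pfSense: it sends the placeholder name .YourDomain.tld and the RFC 1918 ranges DIRECT and everything else to an explicit Squid at the assumed address 192.0.2.1:3128. In a browser the helpers isInNet() and dnsDomainIs() are provided by the PAC runtime; minimal versions are defined here so the file also runs stand-alone.

```javascript
// Added example (not from the original thread): PAC file that bypasses the
// explicit Squid proxy for internal destinations. 192.0.2.1:3128 and
// .YourDomain.tld are placeholders.

// Convert dotted-quad IPv4 text to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// PAC helper: true when the literal IPv4 address `ip` lies in net/mask.
// A browser would normally pass dnsResolve(host) here; this stand-alone
// version only matches hosts written as literal addresses.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// PAC helper: true when host equals `domain` (without its leading dot)
// or is a subdomain of it. "evilYourDomain.tld" does not match.
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  // Placeholder DMZ management server: reach it by name, never via Squid.
  if (dnsDomainIs(host, ".YourDomain.tld")) return "DIRECT";

  // Private address space (the DMZ is assumed to sit in one of these).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through the explicit proxy. No "; DIRECT" fallback:
  // the firewall rule already denies LAN -> WAN except via Squid, so a
  // fallback would only mask a proxy outage.
  return "PROXY 192.0.2.1:3128";
}
```

        As the next post points out, this is a client-side decision: anyone who can edit the browser's proxy settings can change or drop the PAC file, so it documents intent rather than enforcing it.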
        • Bigdaddy168

          Yes, sure. I could configure it on the client side not to use the proxy for local networks, but I want to define it on the firewall. Squid should not listen for packets which are addressed to those local networks, and the user shouldn't have the choice of how to access them.

          Thanks for your reply.

          • KOM

            You could try adding a directive under Advanced features - Custom ACLs like this:

            acl YourWWWServer dstdomain .YourDomain.tld
            always_direct allow YourWWWServer
            

            This assumes that you have split DNS returning www.YourDomain.tld as a LAN IP address in your DMZ.

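            The fragment below is an added example for that Custom ACLs box, not code from KOM's post or from the pfSense Squid package. It assumes Squid 3.5 or later (the peek/splice ssl_bump syntax), that the DMZ server answers for www.YourDomain.tld, and that its address is 192.0.2.10; both are placeholders. It keeps the always_direct rule and adds one more point a practitioner will want: always_direct only decides whether Squid fetches from the origin instead of a cache_peer. The certificate swap the first post observed comes from ssl_bump, so the DMZ host is also spliced, which passes the TLS session through untouched and leaves the original certificate in place.

```squid
# Added example (not from the original thread). Placeholders:
# .YourDomain.tld = DMZ web server name, 192.0.2.10 = its address.

# Match the DMZ server by name (the CONNECT host / TLS SNI) and by address.
acl dmz_web    dstdomain .YourDomain.tld
acl dmz_web_ip dst       192.0.2.10/32

# Routing decision: never forward these to a cache_peer, fetch from origin.
always_direct allow dmz_web
always_direct allow dmz_web_ip

# Interception decision: read the ClientHello (step 1) to learn the SNI,
# then splice the DMZ server so Squid does not re-sign its certificate.
# Without these lines always_direct alone still leaves the session bumped.
acl step1 at_step SslBump1
ssl_bump peek   step1
ssl_bump splice dmz_web
ssl_bump splice dmz_web_ip
ssl_bump bump   all
```

            ssl_bump rules are first-match, so after saving check the generated /usr/local/etc/squid/squid.conf to confirm the splice lines precede any bump-all rule the package writes, then verify from the LAN client with the proxy set that the issuer shown for the DMZ server is the server's own CA and not the pfSense CA. This still only controls what Squid does once it receives the request; with an explicit proxy the client decides whether to send the request to port 3128 at all, so the firewall rule for direct LAN-to-DMZ HTTPS remains the path that is actually enforced.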
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.