WPAD vs firewall rule



  • Hello folks,

    this time my interest lies in WPAD.
    I want to use Squid with Dansguardian but Squid doesn't go into "transparent mode" due to a bug (pfSense in 2.2.6). Now I have to resort to WPAD.
    Now my question:
    Why do I have to do the hocus-pocus work with WPAD when there are firewall rules? Why not simply create rules to direct all the traffic to the proxy port? Is that not the same as saying to the browser: "Hi there, here is the IP and the port of the proxy!"?

    Do I make an error in reasoning?

    Best regards
    Kalle



  • No reason you can't do transparent proxy. That works fine. Transparent proxy is just automatically added redirect rules (port forwards) to send the traffic to the proxy.



  • ProxyCap
    http://www.proxycap.com/

    I've sometimes used this to direct my client traffic around company preferences and proxies.



  • Hi guys,

    thanks for your reply.

    No reason you can't do transparent proxy. That works fine. Transparent proxy is just automatically added redirect rules (port forwards) to send the traffic to the proxy.

    The option is not functioning in Squid and you mean that this option only creates a rule to redirect the traffic?
    So if I create this rule myself, this will work? :)

    ProxyCap
    http://www.proxycap.com/

    Thank you. The link looks just promising. I will have a look at it.

    edit
    ProxyCap is a cool solution! :) Because it can also handle https, which normally won't work with Squid in transparent mode. But unfortunately only for Windows and Mac. Is there anything out there for Linux comparable to this?

    Best regards
    Kalle



  • @Kalle13:

    ProxyCap is a cool solution! :) Because it can also handle https, which normally won't work with Squid in transparent mode. But unfortunately only for Windows and Mac. Is there anything out there for Linux comparable to this?

    Perhaps create some iptables rules?

    Also you might post the question to ProxyCap support and see if they have any suggestions.



  • The option works fine in Squid, just need to enable it.

    If you're using limiters on LAN, the issue with limiters and NAT will break the transparent redirect. Add a rule to allow traffic to destination 127.0.0.1 port 3128 (or whatever port you're running Squid on) with no limiter to work around that. Doesn't make much sense to limit traffic to the proxy anyway since that'll limit cache speed; define bandwidth limits in Squid for that if you want.



  • Hello,

    thank you for your answer.

    If you're using limiters on LAN, the issue with limiters and NAT will break the transparent redirect.

    I'm not using any limiters but I'm using NAT. So you mean that I need only a rule that says: any from any to any 127.0.0.1 Port 3128?

    Regards
    Kalle



  • No need for that rule if you're not using a limiter. With a limiter you need that rule for transparent proxy to work, BUT even with that, the limiter will break NAT reflection, unfortunately.