D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Brasse on November 23, 2010, 05:35:56 AM
-
I have Squid installed and running on port 3128 on an Ubuntu Linux server, and I want to pass all HTTP traffic through it without setting up a proxy on each client.
How do I configure my DFL-800 to use my Squid proxy server?
-
Maybe a policy-based routing rule to send the HTTP traffic to the proxy; you may also need a NAT rule to translate the source address.
-
I was looking for this option for a long time.
Unfortunately, the only solution that I've found is to set the proxy for each browser with a GPO (I have a domain with Active Directory).
Browsers can search for an automatic proxy configuration, but this option is usually disabled (depending on browser version). If you want to use automatic proxy detection, you have to configure your DNS and WWW server. The browser will ask for http://wpad.localdomain/wpad.dat or http://wpad.localdomain/proxy.pac and needs to get back a file with a script like:
function FindProxyForURL(url, host) {
    // our local URLs from the domains below example.com don't need a proxy:
    if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
    if (shExpMatch(url, "*.example.com:*/*")) { return "DIRECT"; }
    // URLs within this network are accessed through
    // port 8080 on fastproxy.example.com:
    if (isInNet(host, "10.0.0.0", "255.255.248.0")) {
        return "PROXY fastproxy.example.com:8080";
    }
    // All other requests go through port 8080 of proxy.example.com.
    // should that fail to respond, go directly to the WWW:
    return "PROXY proxy.example.com:8080; DIRECT";
}
You can configure the proxy with DHCP options. Unfortunately, code 252 is not supported by the DFL-800 DHCP server.
Navi
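As an added illustration (not part of Navi's post), the browser-side helpers shExpMatch and isInNet re-implemented in plain JavaScript so the script above can be run against sample URLs. These helpers are simplified stand-ins for what a browser supplies: this isInNet only accepts a dotted-quad host, where a real browser would resolve a hostname first.

```javascript
// shExpMatch: shell-style glob where * matches any run of characters and
// ? matches exactly one; everything else is literal.
function shExpMatch(str, pattern) {
  const re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                          .replace(/\*/g, '.*')
                          .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// isInNet: true when ip lies inside net/mask. Simplification (assumption of
// this example): a non-IP host is treated as "not in net" instead of resolved.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const toInt = a => a.split('.').reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// The PAC script from the post, unchanged.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
  if (shExpMatch(url, "*.example.com:*/*")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.255.248.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  return "PROXY proxy.example.com:8080; DIRECT";
}

// Constructed sample lookups: an intranet URL, a host inside 10.0.0.0/21,
// a host just outside it, and a public site.
const samples = [
  ["http://www.example.com/index.html", "www.example.com"],
  ["http://10.0.3.7/status", "10.0.3.7"],
  ["http://10.0.9.1/", "10.0.9.1"],
  ["http://www.google.com/", "www.google.com"],
];
for (const [url, host] of samples) {
  console.log(url, '->', FindProxyForURL(url, host));
}
```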
-
Why not redirect all HTTP traffic to the proxy using IP rules?
-
I have just been asked this same question by someone else that we deal with here locally. While I do not have this setup and know very little about Linux / Squid, this is what I would try.
1. NAT rule to pass all HTTP traffic FROM the proxy Squid server to the WAN interface.
2. SAT rule to pass all HTTP traffic FROM the lannet network to the Squid server. Make sure you also translate the port number from 80 to 3128.
3. Corresponding Allow rule for the above SAT rule.
-
Yeah, that sounds like what I want to do.
I have tried to set it up like this; what am I doing wrong?
(http://dump.brasse.se/http_to_squid_folder.png)
(http://dump.brasse.se/http_to_squid_sat.png)
The Squid server is the address book item I call "server_albin".
-
Try this:
https://forums.clavister.com/viewtopic.php?f=8&t=3422
-
Thanks. I have made some progress.
Now I get "Timed out" when trying to access a web site from any browser with the rules enabled. However, I can't see anything in the /var/log/squid3/*.log files.
When I manually set the proxy in a browser it works fine.
It seems that traffic is not translated to server_albin:3128.
Current settings:
(http://dump.brasse.se/http_to_squid_folder_2.png)
(http://dump.brasse.se/http_to_squid_sat_2.png)
Any ideas?
-
Can you tell me where the Squid server is located?
Is it on the same interface as the local computer or on another interface of the DFL?
If it is on a different interface, be sure that Squid can access the internet through that interface.
The best solution would be to locate Squid on a different interface of the DFL.
Allow Squid to access the internet through that interface and redirect all outgoing traffic from the local computer to the internet to that Squid Linux box.
-
Now I see that this solution makes sense. After SAT of the destination IP and port, the server with Squid should get an HTTP request for the example.com website.
I tried to set this up with no luck :(
Squid's access.log doesn't show any requests.
I've run tcpdump on the Squid server and I never receive any request. It looks like SAT on the DFL-800 doesn't work properly.
My configuration (I set up these rules as the first 3 to make sure that no other configuration affects them):
1 SAT lan:10.0.0.11 *:0.0.0.0/0 "http"
SETDEST 192.0.0.20:3128 (All to one)
2 Allow lan:10.0.0.10-.100 *:0.0.0.0/0 "http"
3 NAT dmz:192.0.0.20 *:0.0.0.0/0 "http"
When I set up the proxy in the browser, everything works just fine.
-
Here is the topology I think should work.
Your local network is on the lan interface and has lan_ip as default gw.
Your proxy is on the dmz and has dmz_ip as gw.
The first rule to create is:
lan/lannet sat http wan1/all-nets dest: IP of squid on dmz
Second rule:
lan/lannet allow http dmz/dmznet
If Squid is also a DNS proxy, then create a service object that includes all Squid services to redirect.
Third rule:
dmz/dmznet nat all_services wan1/all_nets
-
Here is the topology I think should work.
Your local network is on the lan interface and has lan_ip as default gw.
Your proxy is on the dmz and has dmz_ip as gw.
My proxy is on the dmz, but it is configured in transparent mode, so it has my ISP gw as default gw.
The first rule to create is:
lan/lannet sat http wan1/all-nets dest: IP of squid on dmz
Second rule:
lan/lannet allow http dmz/dmznet
If Squid is also a DNS proxy, then create a service object that includes all Squid services to redirect.
Third rule:
dmz/dmznet nat all_services wan1/all_nets
The DNS server is in lannet.
-------EDIT---------
This solution has an error. Theoretical example:
Localnet 10.0.0.0/24
DMZ: 192.168.0.0/24
1. Host from lannet sends a packet to google.com
10.0.0.11:1099 => 209.85.149.99:80
2. According to rules 1 and 2 the traffic would be redirected to the dmz server
10.0.0.11:1099 => 192.168.0.5:3128
3. After Squid completes the request for google.com it sends data back to the host
192.168.0.5:3128 => 10.0.0.11:1099
Because the host expects traffic on port 1099 from 209.85.149.99, it ignores traffic coming from 192.168.0.5.
We can use a NAT rule instead of the Allow rule, but then we lose ACL possibilities on Squid (we will always see the DFL-800 lannet IP as the source address).
---------------------------------------------------------
I turned on logging on the DFL-800 for my SAT and Allow rules with the alert category, and this is what I get:
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2011-01-03 12:18:39 Alert CONN 600001 wwwallow TCP lan wan1 10.0.0.11 213.180.146.27 4233 80 conn_open
satdestrule=TransparentProxy conn=open
So traffic is allowed and the SAT rule (whose name is "TransparentProxy") is applied, but after that there is no traffic between the DFL-800 <-> proxy in the dmz.
My dmz server IP is not 192.0.0.20 as I wrote before, but it has a public IP address from the WAN1 subnet, and I have a switch route for the group (wan1, dmz) in the main routing table, so the dmz is not behind NAT.
Is this the reason why I don't get any requests on the proxy server?
(DFL-800 firmware is 2.27.02.11-14417).
thanks in advance,
Navi
-
Squid is located on the same net as everything else.. Except for WAN1 of course.
DMZ is not an option here :(
-
For Brasse, I don't think you can fulfill the scenario. I will make a lab test and get back asap.
For Navi: let me understand your topology.
From lan to wan1: NAT is applied.
From dmz to wan1, transparent mode is running.
The logs refer to traffic sent from the 10.x.x.x network to the internet via port 80,
and your computer is expecting the reply on port 1099.
On the SAT rule, did you set the new port to be 1099?
Can you modify the first SAT rule accordingly and let us know the result?
Also please provide logs.
-
For Navi: let me understand your topology.
From lan to wan1: NAT is applied.
From dmz to wan1, transparent mode is running.
Yes:
lan to wan1 NAT
dmz to wan1 TRANSPARENT
The logs refer to traffic sent from the 10.x.x.x network to the internet via port 80,
and your computer is expecting the reply on port 1099.
On the SAT rule, did you set the new port to be 1099?
That was an example to show that this configuration should not work at all.
Windows hosts use the port range above 1000 for replies; that's why I said 1099 in the example.
Please study this theoretical example one more time:
Localnet 10.0.0.0/24
DMZ: 192.168.0.0/24
lan to wan1 NAT
dmz to wan1 NAT
lan to dmz Allow
1. Host from lannet sends a packet to google.com
10.0.0.11:1099 => 209.85.149.99:80
2. According to rules 1 and 2 the traffic would be redirected to the dmz server
10.0.0.11:1099 => 192.168.0.5:3128
3. After Squid completes the request for google.com it sends data back to the host which made the request
192.168.0.5:3128 => 10.0.0.11:1099
Because the host expects traffic on port 1099 from 209.85.149.99, it ignores traffic coming from 192.168.0.5.
BTW, the TCP 3-way handshake would never succeed if host A sends data to B and gets an answer from host C.
Please correct me if I'm wrong.
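An added model (not from the thread, and not D-Link code) that walks Navi's request/reply tuples through the rule chain. It contrasts the three outcomes the thread discusses: SAT + Allow with the proxy answering the client directly, SAT + NAT (reply forced back through the firewall, but Squid sees lan_ip as every client), and SAT + Allow with the proxy's route to lannet going back through the DFL. The lan_ip value 10.0.0.1 and the assumption that a stateful firewall reverses its translations on reply packets that traverse it are mine.

```javascript
// Addresses from Navi's example; LAN_IP is an assumed value for the
// DFL-800's lan interface (not given in the thread).
const CLIENT = '10.0.0.11';      // lannet host
const GOOGLE = '209.85.149.99';  // original destination
const PROXY  = '192.168.0.5';    // Squid on dmz, listening on 3128
const LAN_IP = '10.0.0.1';       // assumed DFL-800 lan_ip

// A TCP socket only accepts segments whose address/port pair matches.
function tuple(p) {
  return `${p.src}:${p.sport}>${p.dst}:${p.dport}`;
}

// Walk one request and its reply through the rule chain.
//   nat:              SAT + NAT (source rewritten to lan_ip) instead of SAT + Allow
//   replyViaFirewall: with SAT + Allow, whether the proxy's reply still passes
//                     back through the DFL-800's connection entry (true when the
//                     proxy routes lannet via the firewall, false when it answers
//                     the client directly, e.g. on a shared segment)
function simulate({ nat, replyViaFirewall }) {
  const request = { src: CLIENT, sport: 1099, dst: GOOGLE, dport: 80 };

  // SAT rewrites the destination; NAT additionally rewrites the source.
  const atProxy = { ...request, dst: PROXY, dport: 3128 };
  if (nat) { atProxy.src = LAN_IP; atProxy.sport = 40000; }

  // Squid answers whatever address the request appeared to come from.
  const reply = { src: atProxy.dst, sport: atProxy.dport,
                  dst: atProxy.src, dport: atProxy.sport };

  // With NAT the reply is addressed to lan_ip, so it must reach the firewall;
  // a stateful firewall then undoes both translations in the reverse direction
  // (model assumption). Otherwise the client gets the reply exactly as sent.
  const atClient = (nat || replyViaFirewall)
    ? { src: request.dst, sport: request.dport, dst: request.src, dport: request.sport }
    : reply;

  const expected = { src: GOOGLE, sport: 80, dst: CLIENT, dport: 1099 };
  return { accepted: tuple(atClient) === tuple(expected),
           proxySeesSrc: atProxy.src };   // what Squid's access.log / ACLs see
}

// SAT + Allow, reply straight to the client: rejected (source is 192.168.0.5)
console.log(simulate({ nat: false, replyViaFirewall: false }));
// SAT + NAT: accepted, but Squid sees lan_ip as the client
console.log(simulate({ nat: true, replyViaFirewall: false }));
// SAT + Allow with the reply routed back via the DFL: accepted, real client IP
console.log(simulate({ nat: false, replyViaFirewall: true }));
```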
-
Try this...
Squid versions 2.6 or newer
With Squid installed on your Unix/Linux box, set the following:
http_port 192.168.1.10:3128 transparent (you can try http_port 0.0.0.0:3128 transparent)
substituting the IP address you're listening on, and the port you wish to use in the example, making sure they match the variables at the top of the router setup script below.
Important for Debian users!
The Squid3 (squid3_3.0.PRE5-5) package from Debian Etch isn't working with this kind of transparent proxy. Try using Squid3 from Debian Lenny or downgrade to Squid-2.6 in Etch.
Source: http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy
**I know it's a one+ year old post.