# Transparent proxy notes for zet (172.27.0.35)

## Summary

- Squid runs on 172.27.0.35 (zet). We intercept plain-HTTP (TCP/80) traffic from selected child IPs and hand it to Squid.
- Approach: configure Squid for intercepted HTTP, create a pfSense Alias for the children, add a NAT port-forward (80 -> 172.27.0.35:3128) whose source is limited to that Alias, and make sure the matching firewall rule exists.

## Prerequisites

- Squid installed on zet (172.27.0.35) and reachable from pfSense and from the children's LAN.
- pfSense is the children's default gateway on the LAN interface (pfSense at 172.27.0.1).
- The children's static IPs or an IP range (used for both the pfSense Alias and the Squid ACL; keep the two in sync).

## Squid minimal config (intercept HTTP)

```
# Intercepted (NAT-redirected) HTTP. An intercept port does not accept
# forward-proxy requests; a browser configured to use the proxy explicitly
# (e.g. via WPAD) needs a separate plain "http_port" line.
http_port 3128 intercept

acl localnet src 172.27.0.0/24                 # defined for convenience; not referenced below
acl children src 172.27.0.100-172.27.0.110     # replace with your child IPs/range; keep in sync with the pfSense Alias

http_access allow children
http_access deny all                            # anything not in the range (or reaching 3128 by other means) is refused

access_log /var/log/squid/access.log
```

- Check the syntax and restart Squid after changes: `sudo squid -k parse && sudo systemctl restart squid` (or `service squid restart`).

## pfSense steps (high level)

1. Firewall → Aliases → Add
   - Type: Host(s) (or Network(s) for a range)
   - Name: Children_Devices
   - Add each child's static IP (or a range entry)
   - Save
2. Firewall → NAT → Port Forward → Add
   - Interface: LAN (or whichever interface the children use)
   - Protocol: TCP
   - Source: Children_Devices (the Alias)
   - Destination: any
   - Destination port range: HTTP (80)
   - Redirect target IP: 172.27.0.35
   - Redirect target port: 3128
   - Description: Redirect children HTTP -> Squid
   - Save and Apply
   - If prompted, let pfSense add the associated filter rule; otherwise add a LAN rule permitting Source=Children_Devices -> Destination=172.27.0.35 port 3128.
3. Firewall rules: confirm the Alias is still allowed outbound on LAN for everything else. The NAT rule only creates the rule for the redirected flows; double-check that nothing else was accidentally blocked.

## Verification

- Watch Squid's log on `zet`: `sudo tail -F /var/log/squid/access.log`.
- From a child device, request a plain-HTTP page (e.g. `curl -I http://example.com`) and confirm the request appears in the access log with the child's IP as the client address.
- On pfSense: Diagnostics → Packet Capture (interface LAN, host `<child-ip>`, port 80) to confirm the child's traffic arrives at pfSense and is redirected.
- On `zet`: `sudo tcpdump -n -i any 'host <child-ip> and port 3128'` to see the redirected connections. After the port forward they arrive on 3128, not 80; `port 80` on zet only shows Squid's own outbound fetches to origin servers.

## Notes & caveats

- This only intercepts plain HTTP (port 80). HTTPS (port 443) interception requires ssl-bump / TLS interception:
  - It needs a private CA, Squid `ssl_bump` configuration, and that CA installed on every client. This is intrusive, and apps that pin certificates will break.
  - Consider leaving HTTPS un-intercepted, or use explicit proxying for HTTPS instead (the browser sends CONNECT to the proxy; Squid sees the hostname, not the content).
- Return path: zet sits on the same /24 as the children. pfSense rewrites only the destination of a child's SYN (to 172.27.0.35:3128); zet answers the child directly on the shared subnet, so the child's TCP stack receives a SYN-ACK from 172.27.0.35:3128 that matches no pending connection to the origin server, and the request hangs. Masquerading the forward on pfSense (an Outbound NAT rule on LAN translating the source to the LAN address) fixes the path but makes every child appear to Squid as 172.27.0.1, which defeats the per-child `acl children src` and the per-child log. Cleaner options: put zet on its own interface/VLAN so replies must cross pfSense, or policy-route the children's port-80 traffic to zet and do the REDIRECT to 3128 on zet itself (iptables/nftables). The latter is also what Squid's `intercept` mode expects: it recovers the original destination from the local NAT table, and when the translation happens on pfSense it can only fall back to the Host header.
- If clients have explicit proxy settings (via WPAD/DHCP option 252), they send traffic directly to the proxy and the NAT interception is not used for those flows. An intercept port does not accept forward-proxy requests, so give them a separate plain `http_port`.
- WPAD option: advertise a PAC via DHCP option 252 with value `http://172.27.0.35/wpad.dat` to auto-configure browsers instead of intercepting. The PAC must be served with content type `application/x-ns-proxy-autoconfig`. This only applies to clients that honour WPAD and is opt-in on the client side; it is not enforcement the way NAT interception is.

## Quick debug commands

- Check config and restart Squid: `sudo squid -k parse && sudo systemctl restart squid` (or `service squid restart`)
- Tail the access log: `sudo tail -F /var/log/squid/access.log`
- Test from a child: `curl -I http://example.com`
- tcpdump on zet: `sudo tcpdump -n -i any 'host <child-ip> and port 3128'`

If you want, provide the exact child IPs and I will give you the precise pfSense NAT rule fields and a ready-to-paste `squid.conf` snippet for your environment.

-- notes written by assistant
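Added example (not part of the notes above, and not Squid's or pfSense's own tooling): a small Python audit of `/var/log/squid/access.log` that complements the Verification steps. It checks that the clients reaching Squid are the ones in the `acl children src` range, flags clients outside that range (the pfSense Alias or the Squid ACL is wider than intended), flags requests that arrive with pfSense's LAN address as the client (the port forward is being masqueraded, so per-child ACLs and logs are meaningless), and counts `TCP_DENIED` entries. It assumes Squid's default native log format and the 172.27.0.100-172.27.0.110 range from the config above; the embedded log lines are constructed sample data, with 203.0.113.0/24 documentation addresses as origin servers.

```python
"""Audit Squid's access.log for the child-interception setup (added example).

Assumes Squid's default native log format:
  timestamp elapsed client status/code bytes method URL ident hierarchy/peer type
and the children range from the squid.conf above (172.27.0.100-172.27.0.110).
"""
import ipaddress
import sys
from collections import Counter

# Keep these in sync with `acl children src` and the pfSense Alias.
CHILDREN_FIRST = "172.27.0.100"
CHILDREN_LAST = "172.27.0.110"
PFSENSE_LAN_IP = "172.27.0.1"

# Constructed sample lines (not a real capture); origin IPs are documentation addresses.
SAMPLE_LOG = [
    "1700000000.101     45 172.27.0.101 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "1700000000.350     12 172.27.0.105 TCP_MISS/301 417 GET http://example.org/ - HIER_DIRECT/203.0.113.20 text/html",
    "1700000001.002      0 172.27.0.50 TCP_DENIED/403 3910 GET http://example.org/ - HIER_NONE/- text/html",
    "1700000002.410     60 172.27.0.1 TCP_MISS/200 8192 GET http://example.net/ - HIER_DIRECT/203.0.113.30 text/html",
    "not a squid log line",
]


def ip_in_children_range(ip, first=CHILDREN_FIRST, last=CHILDREN_LAST):
    """True if ip lies inside the inclusive Squid-style 'first-last' range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


def parse_squid_line(line):
    """Split one native-format line into its fields; None for lines that do not parse."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        float(parts[0])  # first field must be the epoch timestamp
    except ValueError:
        return None
    return {"client": parts[2], "status": parts[3], "method": parts[5],
            "url": parts[6], "hier": parts[8]}


def audit(lines):
    """Count who reached the proxy, bucketed by what the result tells us about the setup."""
    report = {"parsed": 0, "denied": 0, "via_pfsense": 0,
              "children": Counter(), "outside_alias": Counter()}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        report["parsed"] += 1
        if rec["status"].startswith("TCP_DENIED"):
            report["denied"] += 1
        if rec["client"] == PFSENSE_LAN_IP:
            # Squid saw pfSense, not the child: the forward is being source-NATed.
            report["via_pfsense"] += 1
        elif ip_in_children_range(rec["client"]):
            report["children"][rec["client"]] += 1
        else:
            report["outside_alias"][rec["client"]] += 1
    return report


def findings(report):
    """Turn the counters into the checks a practitioner actually wants answered."""
    out = []
    if report["outside_alias"]:
        ips = ", ".join(sorted(report["outside_alias"]))
        out.append(f"clients outside the children range reached Squid: {ips} "
                   "(check the pfSense Alias/NAT source and the Squid acl)")
    if report["via_pfsense"]:
        out.append(f"{report['via_pfsense']} request(s) arrived with client {PFSENSE_LAN_IP}: "
                   "pfSense is masquerading the forward, so per-child ACLs and logs are not meaningful")
    if report["parsed"] and not report["children"] and not report["via_pfsense"]:
        out.append("no requests from the children range: the port forward is not redirecting to 3128")
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rep = audit(fh)
    else:
        rep = audit(SAMPLE_LOG)
    print(f"parsed={rep['parsed']} denied={rep['denied']} children={dict(rep['children'])}")
    for f in findings(rep):
        print("WARNING:", f)
```

Run it on zet as `python3 squid_audit.py /var/log/squid/access.log` after a child has fetched a page; with no argument it runs on the embedded sample and reports the two misconfigurations the sample contains (a client outside the range, and requests arriving from 172.27.0.1).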