kenjim/appa-net
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
22d17d39f9522683bf37278c3f22d8d2d8c47dab
appa-net/zet.home.arpa/PROXY-SETUP.md
Kenji Morishige 38f2aefecd Add pfSense backup utility and documentation 
- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
2026-04-22 14:42:43 -05:00

67 lines
3.2 KiB
Markdown
Raw Blame History

# Transparent proxy notes for zet (172.27.0.35)
Summary
- Squid runs on 172.27.0.35 (zet). We'll intercept HTTP traffic from selected child IPs and forward it to Squid.
- Approach: configure Squid for intercepted HTTP, create a pfSense Alias for children, add a NAT port-forward (80 -> 172.27.0.35:3128) limited to that Alias, and ensure appropriate firewall rules.
Prerequisites
- Squid installed and reachable from pfSense (172.27.0.35).
- pfSense LAN interface used by children (pfSense at 172.27.0.1).
- List of children IPs or an IP range (create Alias in pfSense).
Squid minimal config (intercept HTTP)
```
http_port 3128 intercept
acl localnet src 172.27.0.0/24
acl children src 172.27.0.100-172.27.0.110 # replace with your child IPs/range
http_access allow children
http_access deny all
access_log /var/log/squid/access.log
```
- Restart Squid after changes: `sudo systemctl restart squid` or `service squid restart`.
pfSense steps (high level)
1. Firewall → Aliases → Add
- Type: Hosts (or Network)
- Name: Children_Devices
- Add each child's static IP (or a range entry)
- Save
2. Firewall → NAT → Port Forward → Add
- Interface: LAN (or interface children use)
- Protocol: TCP
- Source: Children_Devices (the Alias)
- Destination: any
- Destination port range: HTTP (80)
- Redirect target IP: 172.27.0.35
- Redirect target port: 3128
- Description: Redirect children HTTP -> Squid
- Save and Apply
- If prompted, allow pfSense to add the required firewall rule; otherwise add a LAN rule permitting Source=Children_Devices -> Destination=172.27.0.35 port 3128.
3. Firewall rule: ensure the Alias is allowed outbound on LAN as needed. The NAT rule will create a rule; double-check to avoid accidental blocking.
Verification
- Watch Squid logs on `zet`:
- `sudo tail -F /var/log/squid/access.log`
- From a child device, request an HTTP page and confirm the request appears in the access log.
- On pfSense: Diagnostics → Packet Capture (interface LAN, filter host <child_ip> and port 80) to confirm redirection.
- On `zet`: `sudo tcpdump -n -i any host <child_ip> and port 80` to see forwarded connections.
Notes & caveats
- This only intercepts plain HTTP (port 80). HTTPS (port 443) interception requires ssl-bump / TLS interception:
- Requires creating a CA, configuring Squid SSL bump, and installing the CA on every client — this is intrusive and may break some apps.
- Consider leaving HTTPS un-intercepted or using explicit proxying for HTTPS instead.
- If clients have explicit proxy settings (via WPAD/DHCP 252), they will send traffic directly to the proxy and the NAT interception will not be used for those flows.
- WPAD option: you can advertise a PAC via DHCP Option 252 (value `http://172.27.0.35/wpad.dat`) to auto-configure browsers instead of intercepting.
Quick debug commands
- Restart squid: `sudo systemctl restart squid` or `service squid restart`
- Tail access log: `sudo tail -F /var/log/squid/access.log`
- Test from a child: `curl -I http://example.com`
- tcpdump on zet: `sudo tcpdump -n -i any host <child_ip> and port 80`
If you want, provide the exact child IPs and I will give you the precise pfSense NAT rule fields and a ready-to-paste `squid.conf` snippet for your environment.
-- notes written by assistant
Reference in New Issue View Git Blame Copy Permalink