- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
Transparent proxy notes for zet (172.27.0.35)
Summary
- Squid runs on 172.27.0.35 (zet). We'll intercept HTTP traffic from selected child IPs and forward it to Squid.
- Approach: configure Squid for intercepted HTTP, create a pfSense Alias for children, add a NAT port-forward (80 -> 172.27.0.35:3128) limited to that Alias, and ensure appropriate firewall rules.
Prerequisites
- Squid installed and reachable from pfSense (172.27.0.35).
- pfSense LAN interface used by children (pfSense at 172.27.0.1).
- List of children IPs or an IP range (create Alias in pfSense).
Squid minimal config (intercept HTTP)
http_port 3128 intercept
acl localnet src 172.27.0.0/24
acl children src 172.27.0.100-172.27.0.110 # replace with your child IPs/range
http_access allow children
http_access deny all
access_log /var/log/squid/access.log
- Restart Squid after changes: sudo systemctl restart squid (or service squid restart).
pfSense steps (high level)
- Firewall → Aliases → Add
- Type: Hosts (or Network)
- Name: Children_Devices
- Add each child's static IP (or a range entry)
- Save
- Firewall → NAT → Port Forward → Add
- Interface: LAN (or interface children use)
- Protocol: TCP
- Source: Children_Devices (the Alias)
- Destination: any
- Destination port range: HTTP (80)
- Redirect target IP: 172.27.0.35
- Redirect target port: 3128
- Description: Redirect children HTTP -> Squid
- Save and Apply
- If prompted, allow pfSense to add the required firewall rule; otherwise add a LAN rule permitting Source=Children_Devices -> Destination=172.27.0.35 port 3128.
- Firewall rule: ensure the Alias is allowed outbound on LAN as needed. The port forward can create an associated firewall rule; double-check that rule so the children are not accidentally blocked.
Verification
- Watch Squid logs on zet: sudo tail -F /var/log/squid/access.log
- From a child device, request an HTTP page and confirm the request appears in the access log.
- On pfSense: Diagnostics → Packet Capture (interface LAN, filter host <child_ip> and port 80) to confirm redirection.
- On zet: sudo tcpdump -n -i any host <child_ip> and port 80 to see forwarded connections.
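As an added check that is not part of these notes, a small POSIX sh script that reads a Squid native-format access.log and reports whether interception is working for the Children_Devices range: it counts allowed requests from in-range clients, TCP_DENIED hits from in-range clients (Squid acl narrower than the pfSense Alias), and any request from a client outside the range (NAT source wider than intended). The log lines are constructed; the range 172.27.0.100-172.27.0.110 is taken from the acl in the Squid config above.

```shell
#!/bin/sh
# Added check (not part of these notes): read a Squid native-format access.log
# and report whether interception is working for the Children_Devices range.
# Native format fields: timestamp elapsed client-ip result/status size method URL ...
# Counts three things:
#   intercepted = non-denied requests from clients inside [LOW,HIGH]
#   denied      = TCP_DENIED from clients inside the range (Squid acl narrower than the Alias)
#   outside     = any request from a client outside the range (NAT source wider than the Alias)

# check_log LOGFILE LOW HIGH -> prints "intercepted=N denied=N outside=N"
check_log() {
    awk -v lo="$2" -v hi="$3" '
        # dotted quad -> integer so the client IP can be range-compared
        function ip2int(s,  a) { split(s, a, "."); return a[1]*16777216 + a[2]*65536 + a[3]*256 + a[4] }
        BEGIN { lo = ip2int(lo); hi = ip2int(hi) }
        NF >= 4 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            c = ip2int($3)
            if (c < lo || c > hi) { outside++; next }
            if ($4 ~ /^TCP_DENIED/) denied++; else intercepted++
        }
        END { printf "intercepted=%d denied=%d outside=%d\n", intercepted, denied, outside }
    ' "$1"
}

# Constructed sample log (on zet, point this at /var/log/squid/access.log instead).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1700000000.101    120 172.27.0.101 TCP_MISS/200 4521 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1700000000.202     15 172.27.0.105 TCP_MISS/301 312 GET http://example.net/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.303      3 172.27.0.108 TCP_DENIED/403 3871 GET http://example.org/ - HIER_NONE/- text/html
1700000000.404     98 172.27.0.110 TCP_MISS/200 1200 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1700000000.505      2 172.27.0.50 TCP_DENIED/403 3871 GET http://example.org/ - HIER_NONE/- text/html
EOF

# Range taken from the "acl children" line in the Squid config above.
check_log "$SAMPLE_LOG" 172.27.0.100 172.27.0.110
```

A non-zero "denied" count means the Squid acl and the pfSense Alias have drifted apart; a non-zero "outside" count means traffic from beyond the Alias is reaching the proxy and the NAT rule's Source should be re-checked.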
Notes & caveats
- This only intercepts plain HTTP (port 80). HTTPS (port 443) interception requires ssl-bump / TLS interception:
- Requires creating a CA, configuring Squid SSL bump, and installing the CA on every client — this is intrusive and may break some apps.
- Consider leaving HTTPS un-intercepted or using explicit proxying for HTTPS instead.
- If clients have explicit proxy settings (via WPAD/DHCP 252), they will send traffic directly to the proxy and the NAT interception will not be used for those flows.
- WPAD option: you can advertise a PAC via DHCP Option 252 (value http://172.27.0.35/wpad.dat) to auto-configure browsers instead of intercepting.
Quick debug commands
- Restart squid: sudo systemctl restart squid (or service squid restart)
- Tail access log: sudo tail -F /var/log/squid/access.log
- Test from a child: curl -I http://example.com
- tcpdump on zet: sudo tcpdump -n -i any host <child_ip> and port 80
If you want, provide the exact child IPs and I will give you the precise pfSense NAT rule fields and a ready-to-paste squid.conf snippet for your environment.
-- notes written by assistant