Author Topic: Squid is blocking pages of my Wi-Fi APs [SOLVED]  (Read 2173 times)

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Squid is blocking pages of my Wi-Fi APs [SOLVED]
« on: November 21, 2013, 02:16:05 pm »
Hello,
I am facing a very strange problem with Zentyal and Squid. I use Zentyal as a transparent proxy for some of the computers of our network, e.g. 192.168.1.8-192.168.1.70. I have set up these computers to use as gateway and DNS the IP of the Zentyal interface, e.g. 192.168.1.2. My router is 192.168.1.1.
The rest of the network computers (which I do not want to pass through the proxy) and the Wi-Fi access points use as gateway and DNS the router (192.168.1.1).

The strange problem is that when I try to access the Wi-Fi access point's page (192.168.1.151) I cannot, even though my PC is not configured to use the Zentyal proxy; it goes directly through the router. When I stop the Squid module from running on Zentyal, I can access the page again!!!
« Last Edit: November 25, 2013, 04:09:21 pm by stef »

robb

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #1 on: November 21, 2013, 05:49:28 pm »
How is Zentyal located in your network? With 1 interface to the router and another to the LAN, or does it have only 1 interface and is on the same subnet as the LAN?

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #2 on: November 21, 2013, 05:58:16 pm »
It has two interfaces, one for LAN, bridged, and one for WAN. Zentyal is using the router as its gateway. DNS it gets from the router and the ISP. The problem is that my PC and the Wi-Fi APs do not go through Zentyal; they use the router (Vigor 3300) directly for gateway and DNS, so it should be impossible for Squid to interfere in their communication, yet it does! When I stop Squid the problem is fixed, but I need to find out why Squid interferes in a communication which does not go through it.

robb

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #3 on: November 21, 2013, 06:26:31 pm »
Is there any particular reason why you chose to use bridged mode for the external interface instead of static on another subnet?

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #4 on: November 22, 2013, 06:14:51 am »
I tried static on another subnet; it was not working. The setup as I have it is working fine. All the workstations that use the proxy are accessing the Internet and intranet fine. The problem started yesterday, when, for no particular reason, Squid started to block only the IPs that belong to the Wi-Fi routers, without the routers being configured to go through the proxy.

christian

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #5 on: November 22, 2013, 06:37:39 am »
I suspect something weird with your network topology.
I might be totally wrong, however  ;)

My understanding is that your Internet access is done via the router at 192.168.1.1 and used by all devices, except some being configured to use 192.168.1.2 as default gateway, this IP being your Zentyal server.
Is that correct?

If yes, I wonder what Zentyal's external (WAN) IP is, where it points to and how it connects to the Internet  ???
I suspect it connects to 192.168.1.1 too  :-X

As you are using a transparent proxy (BTW, your network layout is far from the most suitable for this kind of proxy usage...), the connection between any of your devices (e.g. 192.168.1.100) and 192.168.1.151 (to take your example) should not go to 192.168.1.2, as access is supposed to be direct.

- Are you sure there is no DHCP server configured somewhere that would set 1.2 as default gateway?
- Have you configured VLANs?
- Because of your transparent proxy implementation, have you configured at 192.168.1.1 a route back to Zentyal? (I'm asking assuming the Zentyal WAN interface goes there too, but this is perhaps wrong.)

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #6 on: November 22, 2013, 06:46:53 am »
You are right, WAN goes through the router also, 192.168.1.1. DHCP is provided by the router, which is configured to give itself as gateway, so any PC using DHCP does not go through Zentyal. All of the Wi-Fi routers have static IPs, as do all the computers of the network. I use DHCP only for visitors of the company and some laptops. I do not use VLANs.

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #7 on: November 22, 2013, 07:19:56 am »
This is my routing table on Zentyal:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1

I can see that the eth1 gateway is not configured as 192.168.1.1 (however, in the Zentyal dashboard I have it configured); maybe that is a problem. What is your opinion?
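A check a defender would run against exactly this kind of table, added here as an example (not code from the thread or from Zentyal): it parses `route -n` / `netstat -rn` output, reports any prefix reachable over more than one interface (br1 and eth1 above both carry 192.168.1.0/24) and a missing default route. The second table is constructed for comparison.

```python
"""Flag the faults visible in the routing table above: one subnet on two
interfaces, and no default route. Added example, not code from the thread."""
import ipaddress

def parse_routes(table: str) -> list[tuple[str, str, str]]:
    """Parse `route -n` / `netstat -rn` output into (dest, genmask, iface)."""
    routes = []
    for line in table.strip().splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":  # title/header rows
            continue
        dest, mask, iface = cols[0], cols[2], cols[-1]
        if dest == "default":                      # `netstat -r` prints names
            dest, mask = "0.0.0.0", "0.0.0.0"
        routes.append((dest, mask, iface))
    return routes

def duplicate_subnets(routes) -> dict[str, list[str]]:
    """Prefixes present on more than one interface: {prefix: [ifaces]}."""
    by_net: dict[str, list[str]] = {}
    for dest, mask, iface in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        by_net.setdefault(str(net), []).append(iface)
    return {n: i for n, i in by_net.items() if len(set(i)) > 1}

def has_default_route(routes) -> bool:
    return any(d == "0.0.0.0" and m == "0.0.0.0" for d, m, _ in routes)

def diagnose(table: str) -> list[str]:
    """Findings as short strings; an empty list means the table looks sane."""
    routes = parse_routes(table)
    findings = [f"{net} is on {len(set(ifs))} interfaces ({', '.join(ifs)})"
                for net, ifs in duplicate_subnets(routes).items()]
    if not has_default_route(routes):
        findings.append("no default route in the kernel table")
    return findings

# The table posted above: br1 and eth1 both carry 192.168.1.0/24, no default.
POSTED_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
"""
# Constructed comparison: one LAN interface, default route via the router.
SINGLE_IF_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
```

Running `diagnose(POSTED_TABLE)` yields both findings, while the single-interface table yields none.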

christian

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #8 on: November 22, 2013, 07:31:38 am »
Quote
You are right, WAN goes through the router also, 192.168.1.1.

 ::)
Do not waste time looking further for any potential problem with Zentyal. The very first problem is with your network "design".
What you try to achieve doesn't exist and doesn't work. If you want to have a Zentyal server with 2 network interfaces, one being WAN and the other LAN, you cannot connect both to the same network.

Rather, set up Zentyal with only one single interface and configure 192.168.1.1 as default gateway for Zentyal.
This may require some fine tuning, because such a design works only (well... is supposed to work only) with an explicit proxy, but from a network standpoint this will be much better than Zentyal routing in the middle of one single subnet.

I also don't understand why you are using a bridged interface  ???

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #9 on: November 22, 2013, 07:41:43 am »
When I first tried Zentyal, I tried with only the LAN interface, having the router as gateway; it was not working, the client computers could not connect to the Internet at all. I then used the WAN interface with a static IP from another subnet, with the same result. Then I followed this post: http://forum.zentyal.org/index.php?topic=5532.0 and the problem was solved, everything was working. The setup I have is identical to what the photo in the post shows. I have to use a transparent proxy, because I do not want to mess with browser modifications.

christian

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #10 on: November 22, 2013, 08:16:20 am »
Quote
When I first tried Zentyal, I tried with only the LAN interface, having the router as gateway; it was not working, the client computers could not connect to the Internet at all.

This is why I was asking about some tricks at router level, to be sure that requests sent from the client (intercepted by the proxy) return back to the proxy instead of to the client, as all are on the same network.

Quote
I then used the WAN interface with a static IP from another subnet, with the same result.

Because this "other subnet" has to connect to your default gateway, back on the initial subnet, unless your router supports virtual IPs.

Quote
Then I followed this post: http://forum.zentyal.org/index.php?topic=5532.0 and the problem was solved, everything was working. The setup I have is identical to what the photo in the post shows. I have to use a transparent proxy, because I do not want to mess with browser modifications.

Is it really identical? In such a design, at least the one suggested by wilhat, the bridge links on both sides.

Frankly, I don't understand this weird design. If you set up the network so that Zentyal isolates the WAN side (pointing to your router) on one side and the LAN on the other side, then the transparent proxy will work in a transparent manner.
The drawback is that the proxy will intercept all requests, but this is the goal of the "transparent proxy" approach. You can't get everything plus the opposite here.

If the goal is to use Zentyal only for some devices, use it as an explicit proxy (here again one single interface is required, as your proxy will act as any other server on your network).
This has 2 side effects:
- you do need to either implement WPAD or configure the proxy on each client that should use it
- you need to add rules router-side to prevent direct access from devices supposed to use the proxy; otherwise such devices can bypass your rule.

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #11 on: November 22, 2013, 08:25:01 am »
Ok, thank you very much for your help and advice. I will try to alter the configuration and see what happens. Thanks again.

christian

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #12 on: November 22, 2013, 08:47:46 am »
What I think you should refine is the priority that will in the end decide your network design.
If the proxy works in transparent mode, does it really matter whether it is used by only a few devices or by all devices?
If your design really matches the one you point to with your link, then Zentyal is supposed not to be used by some devices, but in case you shut down this server, there is no more access to the Internet  :-\
Not really cool for equipment not supposed to be in the middle, isn't it?

stef

  • Zen Apprentice
  • Posts: 10
  • Karma: +0/-0
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #13 on: November 22, 2013, 09:19:06 am »
I was asked to restrict and/or monitor Internet access for certain departments of the company; that is why I cannot have all workstations go through Zentyal, but only some.

christian

  • Guest
Re: Squid is blocking pages of my Wi-Fi APs
« Reply #14 on: November 22, 2013, 10:27:35 am »
Based on this requirement, I would have selected another option  8)
Perhaps it doesn't fit your needs, but just to let you know different designs exist  ;)

The goal being to filter some devices and not others, I would:
- create a network object group for the devices with fixed IPs
- set the proxy with a default rule that is to filter
- set "no filtering" for the object group containing the fixed IPs (or the IPs I don't want to filter)

As you notice, such a design doesn't aim at bypassing the proxy (which means having a network design built for this specific need) but at tuning the proxy filtering rules so that some devices are under control while others are not, based on access rules.

From a personal standpoint, I'm not 100% satisfied with such a design  ;) Well, rather, I'm not in line with the initial requirement, because filtering at proxy level based on device doesn't make sense if the goal is to prevent people from having unexpected behaviour. To me, a proxy with access rules makes sense only for users, not for devices.
Rules for devices should rather be used only for servers or specific devices that must bypass the proxy, but not when there is a user behind. However, this is another debate  ;)  :-X