Help redirecting IP trafic (http and https) for local Zentyal squid?

[baltasar]

Hi, I have this situation:

eth1 (internal network range 192.168.1.xxx) with all PC's and connected here also a router for giving free WIFI for customers.
I setup this router with a fixed IP on WAN (192,168.1.222) and internal router IP with 10.0.0.1 and DHCP range from him at 10.0.0.100 to 10.0.0.254 so all connecting WIFI customers will get one IP from this range.

1st problem, since I have proxy enable on zentyal for http and https with wpad auto discover and I can't setup this proxy on the router WAN all customers connected can't browse the web.

Because of this I though of a fixed iptables rule redirecting all source from the router IP to local zentyal squid port, so I create a firewall.postservice file inside hooks directory with thi rule:

iptables -t nat -A PREROUTING -s 192.168.1.222/32 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128

It works and the squid get's the trafic but can't handle properly since I'm not runnig a transparent proxy because of HTTPS, so I get the squid error message of protocol missing, header missing, domain missing and so on.

So my question, is there a way of do the proper redirecting so this works?
Is there other way of achive this customers WIFI isolation from my normal internal work range?

NOTE: I can't install another network card since I don't have more free slots on the PC mainboard, the only way is with a vistual interface on tope of eth1, but O tried that also without sucess since I can't see it after for doins firewall configuratins (I also reported this here on another post).

Any solution or sugestion is welcome, thanks.

[jbahillo]

Hello:

Redirecting as you said does not work on HTTP non-transparent proxy. Instead, you have to configure the proxy on the clients, and additionally  ban traffic from that network to 80/443  port (so they cannot browse the Internet without proxy)



Reading your environment I would suggest that based on 2 situations you could do so your customers do not use proxy:

The "customers" router does masquerading. Deny 80/443 for your network, and place ABOVE this a rule allowing these ports for traffic coming from router IP
The "customers" router does not masquerading Deny 80/443 for your network, and add a rule allowing these ports for traffic coming from customers network

[baltasar]

Yes I know that, but I really need proxy because of content filtering of video streaming and others for bandwith sake and quantity, since more than 15Gb a monthe and they tax us extra.

But if the proxy works ok for the eth1 range with auto discovery WPAD the is some ports or things that zentyal redirects the trafic to squid, no?
Why can't I do the same rules for all trafic caming from the 192.168.1.222.

I know if in the browsers of those costumers I put the fixed proxy configuration all works without problem, but is a bit pain in #$$#... for them and I can't put a uge sign on the room saying, do you want to use our WIFI, setup up this on this port and so on, most of them they don't know what is a proxy ; )...

[jbahillo]

WPAD Does not "redirect" but instead transparently sets up proxy:

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol


It could be nice if you could share your wpad.dat file

[baltasar]

This is the content of my wpad.dat file:

function FindProxyForURL(url, host) {

    if (isPlainHostName(host))
        return "DIRECT";
    else
        return "PROXY 192.168.1.1:3128";

}

Also in the same directory (/var/www) I have an .htaccess file with this:

AddType application/x-ns-proxy-autoconfig .pac

[jbahillo]

Hello:

Ok, so how do you deploy WPAD, by DNS or by DHCP?

[baltasar]

On zentyal by both I think, since I have wpad.MYDOMAIN alias so I think also it pass with DHCP, but the problem is that the WIFI costumers are getting they dhcp from the WIFI router, so that info doesn't go I think and I can't specify anything regarding that on the router (is a Linksys WRT54G3G).

[jbahillo]

Hello:

Which DNS server are these clients using? Can you change it?

[baltasar]

The Linksys router one and not the Zentyal, I need a difrente range for them to isolate from our internal normal working range.

If you see my first post you understand the connections.

Just a small sumary again of connections:


Zentyal eth1 (range 192.168.1.xxx from Zentyal DHCP) |
                                                    |
                                                    | -> PC1, PC2... PCxx
                                                    |
                                                    | -> Linksys router WAN (fixed IP 192.168.1.222)  ^^^ WIFI to costumers
                                                                                                                              (Linksys router internal DHCP range 10.0.0.xxx)

[jbahillo]

Hello:

IN order to provide WPAD you will need management of DHCP/DNS server that serves that subnetwork. Eeven if you configured a vlan (802.1q) I think you would need t be able to serve DHCP /DNS for it to work

[baltasar]

Ok, but how can I create a vlan on top of eth1? IS this possible on zentyal?

[jbahillo]

Yes, you just need to select the appropriate option on the dropdown, then create the vlan and you're done . On the other hand the "more " complex thing of this is just setting up switch config (you will need a managed one)

[baltasar]

Sorry but I can't see nay VLAN option on the networks setup.

Also you are saying that I need a switch with vlan capabilities to achive this?
My switchs are all just normal gibabit HUB type.

[jbahillo]

Hello VLAN = Trunq (802.1q) in the Method Dropdown.

And yes, you will need a managed switch (with web/telnet/ssh access) which supports this (VLAN/802.1q) as you need to tag /Untag  traffic depending on the interface and the vlan assigned to it

[jbahillo]

http://en.wikipedia.org/wiki/IEEE_802.1Q