Author Topic: Help redirecting IP trafic (http and https) for local Zentyal squid?  (Read 3660 times)

baltasar

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #15 on: July 18, 2014, 05:34:50 pm »
Ok thanks, I'll make some tests with the VLAN option.

Using this, am I able to configure a different DHCP range for a second VLAN and so on? Like this I can use the Linksys router only as a normal WiFi access point and not use its WAN connection, as long as I can separate the IP ranges by VLAN on the switch with that feature, so customers can never see my internal working network, right?

jbahillo

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #16 on: July 18, 2014, 05:40:22 pm »
Hello:

Yes, using a VLAN you will be able to serve a brand new DHCP range for that VLAN (which in the switch you will usually define as a number of interfaces, say 1-10 vlan10, 10-15 vlan20 and 15-20 vlan30).

Once that is done, I think that you could set up that Linksys to be a DHCP forwarder and forward DHCP packets.

baltasar

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #17 on: July 19, 2014, 11:35:08 am »
Ok, good.
Just two more questions: setting my current eth1 as Trunk (802.1q), I have to recreate all the confs and rules etc. that I had on the static eth1 before, right?

If all my internal normal working PCs are connected to a normal hub/switch without VLANs, will they work as normal by default, or not work at all?
Might they get confused about which VLAN they will get DHCP from, and so on?
« Last Edit: July 19, 2014, 11:44:56 am by baltasar »

jbahillo

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #18 on: July 21, 2014, 12:54:48 pm »
Hello: If your device (Zentyal) is sending tagged traffic (VLAN) and your switch does not untag it and send it to the proper port, then it would not work at all.

baltasar

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #19 on: July 22, 2014, 08:25:37 pm »
Ok, I managed to do everything and my WiFi is working ok for PCs, but this solution doesn't work since mobile phones don't do proxy autodiscovery, only if I manually set up the proxy IP (iPhones only, Android doesn't even have it).

So the correct solution must be to really redirect the traffic from ports 80 and 443 correctly to the proxy, and a non-transparent proxy.

This must have a solution, as it is already working by default on Zentyal.
I have all PCs doing HTTPS through squid as soon as I blocked port 443 on the firewall; like this I can even filter https://certain_domain_name.

The question right now is really how to deliver on Zentyal, the right way, the traffic from my WiFi router (IP 192.168.1.222), as it's already being done inside Zentyal for all normal working network traffic from eth1 to squid.
« Last Edit: July 22, 2014, 08:28:07 pm by baltasar »

jbahillo

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #20 on: July 23, 2014, 04:56:13 pm »
Hello

There is no way you can use an intercept and an accelerator proxy at the same time. The only proxy that can be set up with fw rules is a transparent one, and (by default; by compiling squid3 it could be possible) it will not handle HTTPS.

A non-transparent proxy cannot be redirected (that's why these WPAD methods exist, although you're right, neither iOS nor Android can take advantage of this).

Your only option if you need mobile devices in such a network is not to use a proxy for them.

baltasar

Re: Help redirecting IP trafic (http and https) for local Zentyal squid?
« Reply #21 on: July 24, 2014, 01:43:09 am »
Thanks, I went with another, simpler solution so everybody on the WiFi network can operate easily without needing know-how about proxies and so on.

I resigned myself to the transparent proxy, so this part solves internet browsing for HTTP, and for HTTPS I open port 443 on the firewall.

But since I needed some HTTPS sites blocked, and that will not happen with only the squid rules, I set up a cron job that runs a batch script to grab all the IPs for a list of domains that I have; then manually in the firewall.postservice file I run the necessary iptables rules to block HTTPS access to those IPs. I managed to store those IPs in a created ipset iphash.

I just need now a better way to do those iptables rules. I was thinking of something like:
accept everything to destination port 443 except to this IP list, but I can't find the right iptables syntax, so for now it is one rule for each IP.

This is how I create the set (iplist is the var with all IP's):

Code:
# Recreate the set from scratch; the destroy fails harmlessly on the first run
ipset destroy Blacklist 2>/dev/null
ipset -N Blacklist iphash

# iplist is a shell array holding the resolved IPs; quote it so entries are not word-split
for ip in "${iplist[@]}"; do
    ipset -A Blacklist "$ip"
    echo "$ip"
done

Then I know that to use this set I could use something like this with iptables:
Code:
... -m set --match-set Blacklist dst ...
But as I said, I don't know how to use it in the way I mentioned before... still doing more tests ; )
« Last Edit: July 24, 2014, 01:47:49 am by baltasar »
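The rule baltasar is looking for in the last post, as an added example (not his script and not Zentyal's own firewall code): the set is rebuilt through `ipset restore` with a temporary set and a `swap`, so the live `Blacklist` set is never destroyed while iptables still references it, and one `-m set` rule on dport 443 replaces the per-IP rules. It assumes ipset and iptables are installed, that the WiFi traffic crosses the FORWARD chain, and a hypothetical domain-list file path; the helper functions only emit text so they can be checked offline.

```shell
#!/bin/sh
# Added example, not from the thread. Set name "Blacklist" comes from the
# thread; DOMAINS_FILE is a hypothetical placeholder path.
SET_NAME="Blacklist"
DOMAINS_FILE="${DOMAINS_FILE:-/etc/https-blacklist.txt}"

# Resolve one domain to its IPv4 addresses, one per line (getent consults
# /etc/hosts and DNS). Prints nothing if the name does not resolve.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Emit an "ipset restore" script: fill a temporary set, then atomically swap
# it with the live one, so there is no window where the live set is empty or
# destroyed while an iptables rule still references it.
# Args: set name, then the IPs. Output is text only.
ipset_restore_script() {
    set_name="$1"; shift
    printf 'create %s hash:ip -exist\n' "$set_name"
    printf 'create %s_tmp hash:ip -exist\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    for ip in "$@"; do
        printf 'add %s_tmp %s\n' "$set_name" "$ip"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# One rule instead of one per IP: reject TCP/443 whose destination is in the
# set; all other 443 traffic falls through to the existing accept rules.
# $1 is the iptables action (-I to insert, -C to check), $2 the set name.
https_block_rule() {
    printf 'iptables %s FORWARD -p tcp --dport 443 -m set --match-set %s dst -j REJECT --reject-with tcp-reset\n' "$1" "$2"
}

# Resolve every non-comment line of the domain list, load the set, and add
# the rule only if it is not already present (safe to re-run from cron).
apply_blacklist() {
    ips=$(while read -r d; do
        case "$d" in ''|\#*) continue ;; esac
        resolve_v4 "$d"
    done < "$DOMAINS_FILE" | sort -u)
    # shellcheck disable=SC2086
    ipset_restore_script "$SET_NAME" $ips | ipset restore
    eval "$(https_block_rule -C "$SET_NAME")" 2>/dev/null \
        || eval "$(https_block_rule -I "$SET_NAME")"
}

# Only touch the kernel when explicitly asked (needs root).
if [ "${APPLY_BLACKLIST:-0}" = "1" ]; then apply_blacklist; fi
```

Run it from cron as `APPLY_BLACKLIST=1 sh blacklist.sh` after the Zentyal firewall has been (re)loaded, since the rule is inserted at the top of FORWARD and must exist before the general port-443 accept.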