Author Topic: Http Proxy Filter  (Read 3293 times)

arielf

Http Proxy Filter
« on: October 12, 2011, 10:32:32 pm »
Hello list, I am using a translator

I have the following scenario

internet ---- router --- switch ---- clients
                                        |
                                        |
                                  Stand Alone cache Squid Zentyal Filter

From the router I forward to the Squid cache (port 3128), and all of the LAN passes through the proxy, to which I assign filtering policies.
My question is whether, without using authentication, I can set different filtering profiles based on IP, as well as filter by days and hours.

thanks





christian

  • Guest
Re: Http Proxy Filter
« Reply #1 on: October 12, 2011, 10:41:42 pm »
If you want HTTP flow to be forwarded by the router to proxy in transparent mode, I'm pretty sure IP based filtering will be a challenge  ;D because source will always be router itself.  :'(
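
Whether the proxy actually sees individual client addresses can be checked from Squid's own log. The following is an added example, not part of the thread: it assumes Squid's native access.log format, uses the gateway address 192.168.200.1 given later in the thread, and runs on constructed sample lines (the client addresses .21 and .34 and the function names are made up for illustration).

```python
import ipaddress
from collections import Counter

GATEWAY = "192.168.200.1"  # router address given in the thread

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
MASKED = """\
1318458752.101     45 192.168.200.1 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1318458753.220     12 192.168.200.1 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1318458754.007     80 192.168.200.1 TCP_MISS/200 900 GET http://example.org/ - DIRECT/203.0.113.20 text/html
"""
PRESERVED = """\
1318458752.101     45 192.168.200.21 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1318458753.220     12 192.168.200.34 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1318458754.007     80 192.168.200.21 TCP_MISS/200 900 GET http://example.org/ - DIRECT/203.0.113.20 text/html
"""


def client_counts(log_text):
    """Count requests per client address (third field of each log line)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:  # blank, truncated or non-native-format line
            continue
        try:
            ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # client field is not an IP address (e.g. a hostname)
        counts[fields[2]] += 1
    return counts


def assess(log_text, gateway=GATEWAY, min_requests=3):
    """Say whether the proxy sees real client IPs or only the gateway's."""
    counts = client_counts(log_text)
    total = sum(counts.values())
    if total < min_requests:
        return "insufficient-data"
    from_gateway = counts.get(gateway, 0)
    if from_gateway == total:
        return "source-masked"      # per-IP profiles cannot tell clients apart
    if from_gateway:
        return "partially-masked"   # some flows are rewritten on the way in
    return "source-preserved"       # per-IP profiles see distinct clients


if __name__ == "__main__":
    for name, sample in (("masked", MASKED), ("preserved", PRESERVED)):
        print(name, assess(sample), dict(client_counts(sample)))
```

A "source-masked" result means every request reaches Squid with the router's address, so profiles keyed on client IP would all match the same host.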

arielf

Re: Http Proxy Filter
« Reply #2 on: October 12, 2011, 11:18:31 pm »
LAN clients and proxies are in the same subnet

192.168.200.xx

gateway 192.168.200.1 -- router


solarwindz

Re: Http Proxy Filter
« Reply #3 on: October 13, 2011, 03:34:21 am »
Hello Arielf,

Here is an unsecured way. On the client side, use Zentyal IP as the gateway. On the Zentyal side, use the router as the gateway. By this, before going to the internet, Zentyal will interrupt the request. See if this works.

Thanks!
"Great minds think alike"

christian

  • Guest
Re: Http Proxy Filter
« Reply #4 on: October 13, 2011, 07:29:16 am »
@solarwindz
I don't understand why what you propose is "unsecured" but I also don't understand why it works  :o
If the only protocol used to access internet is HTTP, then using Zentyal proxy as you describe is OK but for anything else, you will have to route everything with potential impact on what is already defined at router level in terms of firewalling (because I cannot imagine that arielf is running it as a router only without some extra feature).
Keep also in mind that HTTPS will not work "smoothly" using these multiple bounces  :-\

solarwindz

Re: Http Proxy Filter
« Reply #5 on: October 13, 2011, 07:36:11 am »
Awts. Sorry for my English. I meant unsecured not referring to the Zentyal but to the network itself. Because the client can statically use his router as gateway, no Zentyal interrupting, no filtering. ^_^

And I agree, HTTPS won't work smoothly using multiple bounces.

Thanks!
"Great minds think alike"

christian

  • Guest
Re: Http Proxy Filter
« Reply #6 on: October 13, 2011, 07:46:36 am »
OK, I understand better.
But this is not less secure than current design isn't it?
I mean current design uses router as default gateway  ;) So we have to guess that some components are deployed there to ensure minimum amount of control  :-\

Well, to make a long story short, using proxy in transparent mode when proxy is not network default gateway is a bit of nonsense.
Using Zentyal as http proxy only is somehow a waste of resources (running Squid + squidguard will be much more efficient but this all depends on your hardware).
If proposed design is mandatory because of whatever constraint, the only single efficient way is to:
- block HTTP & HTTPS port at router level for the whole subnet but Zentyal
- declare Zentyal as proxy at browser level, either manually or using WPAD mechanism.

My $0.02  8)

solarwindz

Re: Http Proxy Filter
« Reply #7 on: October 13, 2011, 07:51:34 am »
internet ---- Squid Zentyal Filter --- router --- switch ---- clients

You can either do this topology too in case you really need your router for other routing purposes or any layer 3 operations.

Thanks!
"Great minds think alike"

arielf

Re: Http Proxy Filter
« Reply #8 on: October 13, 2011, 01:19:22 pm »
Thank you all for responding
the idea is so

The idea is to implement this in a small ISP; the idea is only to use Zentyal for content filtering.
The network is well armed

Mikrotik Router as a network gateway and behind all clients
Then, from the same router, forward HTTP connections, and there Zentyal applies content filtering.

Zentyal only applies its filters any more. It is the network firewall.

thanks

christian

  • Guest
Re: Http Proxy Filter
« Reply #9 on: October 13, 2011, 01:43:50 pm »
OK, fine. Thus do it  ::)  This is your idea and you believe this is the right choice (which I respect) but is there any need to discuss further?  ???
I don't think so. Implement it and revert back to the forum later to let us know your feedback  ;)