Internet Related/Filtering/Firewall Thread, BYOD Linux Server for Squid, DNS & DHCP in Technical
  1. #1 HCC

    BYOD Linux Server for Squid, DNS & DHCP

    Hi,
    I'm trying to set up a BYOD network which is separate from the main system but passes through our Lightspeed Rocket for filtering.
    I would like to keep all DHCP and DNS separate, so I need to have a server within the guest VLAN for this purpose. It will also need to make the upstream proxy transparent, as the SEGfL are determined to force us to keep it.

    So I'm looking for a simple-to-install-and-use Linux build that can do Squid as a transparent proxy, DNS & DHCP on a basic PC; or a hardware device that does these things.

    Any suggestions?

  2. #2 cpjitservices
    pfSense will be perfect for this; you can even bang on a captive portal so that users have to authenticate first (or not). pfSense can serve DHCP / DNS on its interfaces and also runs proxying and IDS/IPS. We have pfSense at many sites running Squid transparent proxying. We just plug our access points into a switch which connects to the guest interface, trunked with the guest VLAN for wifi.

  4. #4 cpjitservices
    pfSense is also web based, a bit like a router. Check out some of the videos on YouTube. I've implemented what you're on about in some coffee shops and bars using pfSense. It's free; all you need is a system (virtual if needs be) to run it on.

  5. #5 AJWhite1970
    Another vote for pfSense 2.02. My BYOD student wifi network is built round it using some very cheap Buffalo access points, DD-WRT and some even cheaper hubs linked using spare fibre cabling dotted round the school (the BYOD network is only visible in open-access IT labs, SFCRs and the Dining Hall). The captive portal works great, it hooks into Active Directory fairly easily using RADIUS, and the web front end is easy to manage. There are several good video guides linked from their website.

    Andrew

    The price of 0.00p fits in nicely with the strategic planning budgets

  6. #6 morganw
    If you did want to make your own device, take a look at dnsmasq as an easy way to provide DNS and DHCP. You cannot use a transparent proxy with SSL traffic, so depending on what devices you are using, you might be better off hosting a WPAD file for automatic proxy configuration.

  7. #7 HCC
    Thanks for the suggestions.

    Quote Originally Posted by morganw:
    You cannot use a transparent proxy with SSL traffic
    Didn't realise this. I'll try WPAD to start with. I just want it to be simple for student devices, so I don't need to configure them. I'm aware some older Android devices and things like Siri etc. don't understand proxies.

  8. #8 Duke5A
    Quote Originally Posted by HCC:
    Thanks for the suggestions. Didn't realise this. I'll try WPAD to start with. Just want it to be simple for student devices, so I don't need to configure them. I'm aware some older Android devices and things like Siri etc. don't understand proxies.
    You can, but it comes with pitfalls. Squid supports this via a function called SSL Bumping. It has to be enabled when Squid is compiled from source, and none of the packages you find in repositories has it turned on, so you'll have to install Squid from source to do this. SSL Bumping involves decrypting transparently intercepted encrypted traffic to rewrite headers. This is basically a MITM attack. You'll have to install a cert on the proxy that comes from a trusted certificate authority to keep the user's browser from complaining. The last pitfall I encountered was I got halfway done with the install and discovered a known bug in Squid 3.1.x when using SSL Bump with an upstream proxy (cache peer). After decrypting the traffic it will then send it back up to the cache peer unencrypted. This was obviously a deal breaker for me and I gave up. Supposedly this is to be fixed in 3.3. Here is a guide if you're feeling adventurous:

    SQUID transparent SSL interception | Dvas0004's Blog

    And info on the SSL bumping with cache peer bug:
    Using parent proxy with SSL Bump enabled Squid 3.2 | MyDLP | Data Leak Prevention & Protection Solution

    In the end I settled for setting up Squid transparently with a captive portal page. Whenever someone connects to the guest wifi they get redirected to a terms and conditions page. Once they click the accept button, Squid will allow them through. This page also comes with instructions on how to set up the proxy in most browsers so SSL will work. It's not elegant, but it's free and it works.

    I went with the WPAD route at first, but it is only good for Internet Explorer (using the DHCP option) and Firefox/Chrome (using the DNS option). iOS and Android devices don't work with WPAD.
    Last edited by Duke5A; 28th February 2013 at 05:38 PM.

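A minimal wpad.dat of the kind Duke5A's and morganw's WPAD discussion assumes, added here as an illustration (it is not code from the thread or from the pfSense docs); the proxy address, guest subnet and portal hostname are placeholders. It uses only plain JavaScript rather than the PAC helper functions so the logic can be exercised outside a browser.

```javascript
// Added example (not from the thread): a PAC file for a guest/BYOD VLAN.
// Placeholders (assumptions): proxy 10.99.0.1:3128, guest subnet 10.99.0.0/16,
// captive-portal host "portal.guest.example". No isInNet/dnsDomainIs helpers
// are used, so the same file runs under Node for testing.
var PROXY = "PROXY 10.99.0.1:3128";
var DIRECT = "DIRECT";
var GUEST_PREFIX = "10.99.";            // 10.99.0.0/16 stays on the LAN
var PORTAL_HOST = "portal.guest.example";

function isIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Destinations that must bypass the proxy: the captive portal (the client
// must reach it before it is allowed through), unqualified intranet names,
// loopback, and anything inside the guest subnet itself.
function isLocalDestination(host) {
  host = host.toLowerCase();
  if (host === PORTAL_HOST) return true;
  if (host.indexOf(".") === -1) return true;
  if (host === "localhost" || host === "127.0.0.1") return true;
  if (isIPv4(host) && host.indexOf(GUEST_PREFIX) === 0) return true;
  return false;
}

// Entry point the browser calls for every request. Because the browser is
// configured explicitly, HTTPS goes to the proxy as a CONNECT tunnel and is
// never decrypted, which is the part a transparent proxy cannot do.
function FindProxyForURL(url, host) {
  if (isLocalDestination(host)) return DIRECT;
  return PROXY;
}
```

Serve it with Content-Type application/x-ns-proxy-autoconfig; IE learns the URL from DHCP option 252 and Firefox/Chrome resolve wpad.<domain>, matching the DHCP and DNS methods the post describes.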
  10. #9 morganw
    Quote Originally Posted by Duke5A:
    You can, but it comes with pitfalls.
    You don't want to be in a position where your server is responsible for someone's online banking transaction. I'm sure there are legal ramifications to attempting this as well.

    Quote Originally Posted by Duke5A:
    iOS and Android devices don't work with WPAD.
    iOS is fine (use DNS method), Android seems the more problematic.

  11. #10 MordyT
    Another vote for pfSense; we use it exclusively now for all internet traffic at my job.

  13. #11 cpjitservices
    Quote Originally Posted by MordyT:
    Another vote for pfSense, we use it exclusively now for all internet traffic at my job.
    We use it mainly for everything also; the latest version has seen some long-awaited improvements.

  14. #12 markwilfan
    For those on SWGfL (and possibly other GfLs), you can request a transparent proxy upstream so you can hook your BYODs onto this: SWGfL New Transparent Proxy

  15. #13 HCC
    Looks like the best I'm going to get is an additional IP range. They say it is not possible to remove the proxy on a SEGfL connection, so I'm going to have to rely on WPAD or Squid.

    Am I right in thinking that I need the gateway router (which I'm not in control of) config changing to add an extra gateway address within the new IP range for it to work? If not, could I use pfSense as the gateway, or will I need to install my own router?

  16. #14 HCC
    I'm trying to set up WPAD on pfSense but can't get it to work.
    I don't know how to put a file onto the box remotely, so I'm using the editor in the web interface to create the files as per WPAD Autoconfigure for Squid - PFSenseDocs.
    I can download the file via the browser, so I know it's there and the DNS is correct.

    If I put the settings in manually it works, so I know the settings are right.

    Any suggestions?

  17. #15 HCC
    I've got pfSense set up and it works with NAT on. I need it to work as a router (with NAT off) because it passes through the Lightspeed router and I need it to see the source IP, not the pfSense WAN address. I have tried turning off the block private networks option and cleared all firewall rules, but still can't get it to work. I can ping through it but no HTTP works.

    Has anyone else got pfSense just to work as a simple router?
