27th February 2013, 02:28 PM #1
BYOD Linux Server for Squid, DNS & DHCP
I'm trying to set up a BYOD network which is separate from the main system but passes through our Lightspeed Rocket for filtering.
I would like to keep all DHCP and DNS separate, so need to have a server within the guest vlan for this purpose. It will also need to make the upstream proxy transparent as the SEGfL are determined to force us to keep it.
So I'm looking for a simple-to-install-and-use Linux build that can do Squid for transparent proxy, DNS & DHCP on a basic PC; or a hardware device that does these things.
27th February 2013, 04:39 PM #2
pfSense will be perfect for this, you can even bang on captive portal so that users have to authenticate first (or not). pfSense can serve DHCP / DNS on its interfaces and also runs proxying IDS/IPS. We have pfSense at many sites running Squid transparent proxying. We just plug our access points into a switch which connects to the guest interface trunked with the guest VLAN for wifi.
27th February 2013, 04:40 PM #3
27th February 2013, 04:49 PM #4
pfSense is also web based, a bit like a router. Check out some of the videos on YouTube. I've implemented what you're on about in some coffee shops and bars using pfSense. It's free; all you need is a system (virtual if needs be) to run it on.
27th February 2013, 05:14 PM #5
Another vote for pfSense 2.02. My BYOD student wifi network is built round it using some very cheap Buffalo access points, DD-WRT and some even cheaper hubs linked using spare fibre cabling dotted round the school (the BYOD network is only visible in open access IT labs, SFCRs and the Dining Hall). The captive portal works great and it hooks into Active Directory fairly easily using RADIUS, and the web front end is easy to manage. There are several good video guides linked from their website.
The price of 0.00p fits in nicely with the strategic planning budgets
27th February 2013, 06:10 PM #6
If you did want to make your own device, take a look at dnsmasq as an easy way to provide DNS and DHCP. You cannot use a transparent proxy with SSL traffic, so depending on what devices you are using, you might be better off hosting a WPAD file for automatic proxy configuration.
28th February 2013, 09:21 AM #7
Thanks for the suggestions.
Didn't realise this. I'll try WPAD to start with. Just want it to be simple for student devices, so I don't need to configure them. I'm aware some older android devices and things like siri etc don't understand proxies.
Originally Posted by morganw
28th February 2013, 04:35 PM #8
You can, but it comes with pitfalls. Squid supports this via a function called SSL Bumping. It has to be enabled when Squid is compiled from source, and none of the packages you find in repositories has it turned on, so you'll have to install Squid from source to do this. SSL Bumping involves decrypting transparently intercepted encrypted traffic to rewrite headers. This is basically a MITM attack. You'll have to install a cert on the proxy that comes from a trusted certificate authority to keep the user's browser from complaining. The last pitfall I encountered was I got halfway done with the install and discovered a known bug in Squid 3.1.x when using SSL Bump with an upstream proxy (cache peer). After decrypting the traffic it will then send it back up to the cache peer unencrypted. This was obviously a deal breaker for me and I gave up. Supposedly this is to be fixed in 3.3. Here is a guide if you're feeling adventurous:
Originally Posted by HCC
SQUID transparent SSL interception | Dvas0004's Blog
And info on the SSL bumping with cache peer bug:
Using parent proxy with SSL Bump enabled Squid 3.2 | MyDLP | Data Leak Prevention & Protection Solution
In the end I settled for setting up Squid transparently with a captive portal page. Whenever someone connects to the guest wifi they get redirected to a terms and conditions page. Once they click the accept button Squid will allow them through. This page also comes with instructions on how to set up the proxy in most browsers so SSL will work. It's not elegant, but it's free and it works.
I went with the WPAD route at first, but it is only good for Internet Explorer (using the DHCP option) and Firefox/Chrome (using the DNS option). iOS and Android devices don't work with WPAD.
Last edited by Duke5A; 28th February 2013 at 04:38 PM.
Thanks to Duke5A from:
Arthur (28th February 2013)
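The WPAD approach morganw suggests in #6 and the DHCP-option versus DNS-method distinction Duke5A draws in #8 both come down to the PAC file the clients fetch. The following is an added example of such a file, written for this thread rather than taken from pfSense, Squid or any poster, with a few shims so its logic can be checked offline in Node (browsers provide those helpers natively and skip the shims). The guest range 10.50.0.0/16, the search domain guest.lan and the proxy proxy.guest.lan:3128 are constructed assumptions.

```javascript
// Added example: a WPAD proxy auto-config (PAC) file for a BYOD guest VLAN.
// Not from the thread; every address and name below is a constructed assumption.
// Clients fetch it as http://wpad.<search-domain>/wpad.dat (DNS method) or from
// the URL in DHCP option 252, then call FindProxyForURL(url, host) per request.

// Constructed assumptions: guest VLAN 10.50.0.0/16 with search domain guest.lan,
// filtering proxy (Squid) at proxy.guest.lan:3128.
var GUEST_DOMAIN = ".guest.lan";
var GUEST_IP_GLOB = "10.50.*";
var FILTER_PROXY = "PROXY proxy.guest.lan:3128";

function FindProxyForURL(url, host) {
  // Plain hostnames (no dots) and the local search domain go direct, so the
  // captive portal and the proxy box itself are reachable without the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, GUEST_DOMAIN)) {
    return "DIRECT";
  }
  // IP-literal destinations on the guest VLAN also go direct. A glob on the
  // hostname avoids dnsResolve(), which would add a DNS lookup per request.
  if (shExpMatch(host, GUEST_IP_GLOB)) {
    return "DIRECT";
  }
  // Everything else, https:// included, goes through the filtering proxy.
  // Deliberately no "; DIRECT" fallback: with one, a client that cannot reach
  // the proxy would silently browse unfiltered, which is the failure mode a
  // filtered network must not have.
  return FILTER_PROXY;
}

// Minimal shims so the logic above can be exercised in Node. A PAC engine
// defines these itself, so in a browser this whole block is skipped.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
  globalThis.shExpMatch = function (str, shexp) {
    // Shell-style glob to anchored regex: escape regex metacharacters except
    // '*' and '?', then map those to '.*' and '.'.
    var re = "^" + shexp
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}
```

Serve the file as wpad.dat with Content-Type application/x-ns-proxy-autoconfig. The DNS method needs an A record for wpad.<search domain> pointing at that web server; the DHCP method hands out option 252 carrying the URL, which dnsmasq (morganw's suggestion) can do with a line such as dhcp-option=252,"http://wpad.guest.lan/wpad.dat". As the thread notes, which clients honour each method varies, so a captive-portal page with manual proxy instructions remains the backstop for devices that ignore WPAD.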
28th February 2013, 09:53 PM #9
You don't want to be in a position where your server is responsible for someone's online banking transaction. I'm sure there are legal ramifications to attempting this as well.
Originally Posted by Duke5A
iOS is fine (use DNS method), Android seems the more problematic.
Originally Posted by Duke5A
28th February 2013, 10:51 PM #10
Another vote for PFSense, we use it exclusively now for all internet traffic at my job.
Thanks to MordyT from:
cpjitservices (1st March 2013)
1st March 2013, 08:59 AM #11
We use it mainly for everything also, the latest version has seen some long awaited improvements.
Originally Posted by MordyT
1st March 2013, 09:22 AM #12
For those on SWGfL (and poss other GfLs) you can request a transparent proxy upstream so you can hook your BYODs onto this SWGfL New Transparent Proxy
4th March 2013, 02:09 PM #13
Looks like the best I'm going to get is an additional IP range. They say it is not possible to remove the proxy on a SEGfL connection, so I'm going to have to rely on WPAD or Squid.
Am I right in thinking that I need the gateway router (which I'm not in control of) config changing to add an extra gateway address within the new IP range for it to work? If not, could I use pfSense as the gateway or will I need to install my own router?
8th March 2013, 12:19 PM #14
I'm trying to set up WPAD on pfSense but can't get it to work.
I don't know how to put a file onto the box remotely, so I'm using the editor in the web interface to create the files as per WPAD Autoconfigure for Squid - PFSenseDocs
I can download the file via the browser so I know it's there and the DNS is correct.
If I put the setting in manually it works, so I know the settings are right.
22nd April 2013, 11:22 AM #15
I've got pfSense set up and it works with NAT on. I need it to work as a router (with NAT off) because it passes through the Lightspeed router and I need it to see the source IP, not the pfSense WAN address. I have tried turning off the block private networks option and cleared all firewall rules, but still can't get it to work. I can ping through it but no HTTP works.
Has anyone else got pfSense to work as a simple router?