camel (29th March 2011)
Arising from this thread: Amazon Kindle, in which I've been working on a way of getting devices that can't accept a proxy server setting (and that will only accept wireless connections with DHCP (Android 2.1 on an E-Pad)) working in school, I've set up a Smoothwall Express box as a transparent proxy. This is in a feasibility study / proof of concept / evaluating devices type of scenario rather than wanting anything large scale for now.
It seems to work OK, but as I've never used SW before, I'd be grateful for confirmation from those that have that I'm not doing anything silly. It's configured as follows:
Red - given a static IP in our normal school range as assigned by our RBC (10.105.xxx.xxx)
Green - assigned 192.168.0.1 and (physically) connected straight to an unmanaged wireless access point I had lying around, 192.168.0.2 (independent of the main Ruckus wireless in school, on channel 2, different SSID, and set up to only allow MAC addresses I specify).
DHCP is ON, giving out 192.168.0.3 to 192.168.0.254
Web Proxy is ON, in transparent mode, upstreaming to the RBC proxy.
I'm nervous about the DHCP bit - can someone reassure me that it's not going to start sending out duff addresses to the school network?
camel (29th March 2011)
I've never used DHCP on SW before, so I can only offer my best guess (which comes with no warranty). I believe it only dishes DHCP out of the green interface, so in theory you should be OK.
Maybe one of the smoothwall guys could shed a bit more light.
tom_newton (17th January 2011)
The way you've done it, it will only give out an IP via DHCP to a device connecting via that wireless access point, so you are fine.
Sounds to me like you have it right already.
BatchFile (17th January 2011)
Could I set transparent proxying on a schoolguardian on just one network card and have proxy auth on the others?
Just got Smoothwall Express 3.0 configured in-house for a set of Kindles that the English dept bought for improving boys' reading. Smoothwall is on an iron box, not virtualised, and connected directly to a spare wireless access point; private IP range for Kindles going to the RBC IP range and default gateway. Works great. Also works with my Android as it doesn't have proxy settings by default. Thanks BatchFile.
plexer (29th March 2011)
My initial delight was quickly scuppered by no transparent proxy for HTTPS!
What would anyone suggest as an alternative to taking home the Kindles and using the home wifi to download books? Yes, I know they should have got 3G ones...
Thanks for the pointer, just working on it now. Loaded modules mod_proxy and mod_proxy_http, as the first is required and the second is for handling the HTTP, HTTPS and FTP requests, wrapping them up in an HTTP CONNECT method.
I've set up a new virtualhost with an IP in the RBC assigned range, connected my wireless access point to use that host as a gateway and set the upstreaming proxy to that of our RBC proxy. Am I right in thinking that the new virtualhost is a gateway for the Kindle clients? I've set up each Kindle with a static IP, which is fine, but there isn't a route out as such. Am I missing some routing or something?
I'm not at all convinced that it's possible to put SSL through a transparent proxy at all, simply due to the fact that the packets don't have enough information about their destination visible...
Source: Transparent Proxying with Squid - O'Reilly Media
"System administrators are often asked to also transparently proxy FTP and SSL, but these can't be transparently proxied. FTP is a more complex protocol than HTTP, and provides fewer hints as to the original destination of the request. SSL is encrypted and contains no useful data about destinations. Attempts to decode SSL are precisely what it's designed to prevent: decoding SSL to transparently proxy it would be indistinguishable from a "true" man-in-the-middle attack."
...is it worth setting up apache or is the above correct?
The above is (largely) correct. It is possible to transparently proxy SSL without MITM, but I only know of one product that supports it, and it's not released yet. Squid3 will MITM, but I doubt it would work in transparent mode or for Kindles.
BatchFile (31st March 2011)
Did you have any success with this? I'm trying exactly the same thing for my Kindles at my school...
"I've set up a new virtualhost with an IP in the RBC assigned range, connected my wireless access point to use that host as a gateway and set the upstreaming proxy to that of our RBC proxy. Am I right in thinking that the new virtualhost is a gateway for the Kindle clients? I've set up each Kindle with a static IP, which is fine, but there isn't a route out as such. Am I missing some routing or something?"
Going to use the Amazon account in school and take the few Kindles home and archive. Should have got 3G ones!
Arthur (7th April 2011)
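The "without MITM" route mentioned in the thread depends on a transparent proxy reading the destination that is visible before encryption begins: the Host header of a plaintext request, or the SNI extension (RFC 6066) of a TLS ClientHello, which the quoted O'Reilly passage does not consider. The following is an added example, not code from the thread or from Smoothwall; it constructs its own sample ClientHello and assumes a TLS 1.2-style handshake layout.

```python
import struct

def build_client_hello(host=None):
    """Construct a minimal TLS 1.2 ClientHello; with host=None it carries no extensions."""
    exts = b""
    if host is not None:
        name = host.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name list
        ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = SNI
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + exts)  # one cipher suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(data):
    """Return the SNI host name from a ClientHello, or None if it carries none."""
    if data[:1] != b"\x16" or data[5:6] != b"\x01":
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                     # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]       # cipher suites
    p += 1 + data[p]                                     # compression methods
    if p + 2 > len(data):
        return None                                      # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0:                                   # server_name: list len(2), type(1), len(2), name
            nlen = struct.unpack("!H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def destination_from_first_bytes(data):
    """Classify a client's first bytes and recover the destination host without decrypting anything."""
    if data[:1] == b"\x16":
        return "tls", sni_from_client_hello(data)
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return "http", line.split(b":", 1)[1].strip().decode()
    return None

if __name__ == "__main__":
    print(destination_from_first_bytes(b"GET / HTTP/1.1\r\nHost: www.amazon.com\r\n\r\n"))
    print(destination_from_first_bytes(build_client_hello("www.amazon.com")))
```

A ClientHello with no SNI (older clients, or a bare IP destination) yields `("tls", None)`, which is exactly the case where a transparent proxy has nothing to route on short of intercepting the session.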