Koozali.org: home of the SME Server

Gateway Router + SME server for Proxy (transparent?)

rtandon
« on: July 10, 2011, 04:07:00 PM »
Hi, though I did try to read the docs and explored the forums, I think I am yet to find the clue.

We do have a SME server in Gateway/Firewall mode. Additionally we are also using it as VPN router.

Now we intend to replace this and place an embedded (pfsense like) device for VPN router + Gateway. Nevertheless, we want to have squid+DG as proxy for web content filtering. Now my question is: can we have this setup while retaining the proxy as transparent? The diagram is as below.


                (WAN Public I.P.)
                        |
              [ROUTER (VPN)/GATEWAY]
                        |
          (LAN   Pvt. I.P. 192.168.1.1)
                        |
                        |
      +-----------------+-----------------+
      |                                   |
 [SME SERVER]            [OTHER CLIENTS 192.168.1.X]
(192.168.1.10)



Can anyone point me as to how this can be achieved?
Using router as main gateway and be able to use SME as trans-proxy?

==================================================

Alternatively, other mechanism / topology which can be used to use router as VPN and SME for Proxy (Transparent)

TIA

janet
« Reply #1 on: July 10, 2011, 06:30:03 PM »
rtandon

IIUC
Configure SME server in server only mode and configure SME to use the new gateway at 192.168.1.1 (in Configure this server) for Internet access
Then point all workstations at SME server (192.168.1.10) as gateway
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

rtandon
« Reply #2 on: July 10, 2011, 07:43:26 PM »
Thanks mary.

Only apprehension is -

The non-HTTP traffic will also go via SME (though we are using SME for squid / dansguardian only)

The vpn traffic for other networks 192.168.2.X will also be via SME (which might be inter network traffic)

and in both these, are we not overloading the SME with unwanted traffic routing?

TIA

Best Regards,

rtandon
« Reply #3 on: July 10, 2011, 07:51:16 PM »
Quote
Then point all workstations at SME server (192.168.1.10) as gateway

And yes... I just happened to realize

that above "suggestion" won't work (IMHO), as you have suggested to use SME in server only mode so how will it act as gateway?

(remember - thinking of transparent proxy solution)

janet
« Reply #4 on: July 10, 2011, 07:58:59 PM »
rtandon

I said "... and configure SME to use the new gateway at 192.168.1.1 (in Configure this server) for Internet access"

This will send all Internet requests to the "real" (pfsense) gateway.

I also refer you to
http://wiki.contribs.org/Dansguardian#Modifying_Firewall_and_Proxy
where it says
"If your server is configured in server only mode, then you will need to point your browser at that machine to find the squid proxy rather than the default gateway. "
« Last Edit: July 10, 2011, 08:01:58 PM by mary »

rtandon
« Reply #5 on: July 10, 2011, 08:14:45 PM »
Thanks Mary for updates.

Quote
I said "... and configure SME to use the new gateway at 192.168.1.1 (in Configure this server) for Internet access"

This will send all Internet requests to the "real" (pfsense) gateway.

Very correct. Fair enough and this will create a route between SME and "real" router.

However...
Quote

I also refer you to
http://wiki.contribs.org/Dansguardian#Modifying_Firewall_and_Proxy
where it says
"If your server is configured in server only mode, then you will need to point your browser at that machine to find the squid proxy rather than the default gateway. "

The above refers to pointing the "browser".... i.e. for http request (that implies, settings in browser only) and IMHO not referring to setting up default "internet" gateway, in general.

So, what I understand is that the scheme refers to only changing the browser's gateway rather than the clients' gateway for all traffic... So that won't be a transparent proxy.

Have I made my point clear or am I mistaken?

janet
« Reply #6 on: July 10, 2011, 08:42:27 PM »
rtandon

You do not seem to be reading and absorbing everything that I said.

I also said earlier "....Then point all workstations at SME server (192.168.1.10) as gateway"

This is in the network setup for each workstation, instead of using the default gateway 192.168.1.1, then you would set each workstation (and I am NOT referring to the web browser settings here), to use the gateway at 192.168.1.10
Does that not make sense to you?

The dansguardian article just referred to web browsers only, and I only provided that link to "convince" you about the idea using already published information, as you seemed not to accept or believe my advice.

mmccarn
« Reply #7 on: July 10, 2011, 08:59:17 PM »
...or, configure your "pfsense like" device to provide transparent proxying, and configure it to use the SME server as the "upstream" proxy.

...or, leave the SME server in server-gateway mode:
          (WAN Public I.P.)
               |
 [ROUTER (VPN)/GATEWAY]
               |
 (LAN   Pvt. I.P. 10.1.10.1)
               |
         WAN=10.1.10.2
           [SME Server]
         LAN=192.168.1.1
               |
      +--------+----------+
      |        |          |
 [ OTHER CLIENTS 192.168.1.X]

rtandon
« Reply #8 on: July 10, 2011, 09:11:56 PM »
Thanks mmccarn and mary

Quote
...or, configure your "pfsense like" device to provide transparent proxying, and configure it to use the SME server as the "upstream" proxy.

This is understood... but may be more complex, therefore seeking simpler route...

Quote
...or, leave the SME server in server-gateway mode:
          (WAN Public I.P.)
               |
 [ROUTER (VPN)/GATEWAY]
               |
 (LAN   Pvt. I.P. 10.1.10.1)
               |
         WAN=10.1.10.2
           [SME Server]
         LAN=192.168.1.1
               |
      +--------+----------+
      |        |          |
 [ OTHER CLIENTS 192.168.1.X]


Ah... here is the problem.

The VPN is configured between 192.168.1.X and 192.168.2.X and therefore IMHO this won't work as the router now has the 10.X.Y.Z series

The solution given by Mary would have been okay (need to test it) but I do hold my doubt: if the server is set up in "Server Only" mode, it won't forward (route) the traffic, I guess. It will route http traffic only, being a proxy (not a router)
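
A small route-lookup model of the two layouts proposed in this thread (Reply #1 and Reply #7), added here as an illustration and not posted by any participant. The node names, the sample destination addresses and the assumption that the SME server forwards packets in both layouts are constructed; routing is decided by destination address only, so HTTP and non-HTTP traffic follow the same path.

```python
import ipaddress as ip

# Constructed route tables: node -> {destination network: next hop}.
# Assumption: the SME server forwards packets in both layouts.

# Reply #1: one subnet, workstations use the SME server (192.168.1.10) as gateway.
SAME_SUBNET = {
    "client": {"192.168.1.0/24": "direct", "0.0.0.0/0": "sme"},
    "sme":    {"192.168.1.0/24": "direct", "0.0.0.0/0": "router"},
    "router": {"192.168.1.0/24": "direct", "192.168.2.0/24": "vpn-tunnel",
               "0.0.0.0/0": "wan"},
}
# Reply #7: SME server in server-gateway mode between the router and the clients.
BEHIND_SME = {
    "client": {"192.168.1.0/24": "direct", "0.0.0.0/0": "sme"},
    "sme":    {"192.168.1.0/24": "direct", "10.1.10.0/24": "direct",
               "0.0.0.0/0": "router"},
    "router": {"10.1.10.0/24": "direct", "192.168.2.0/24": "vpn-tunnel",
               "0.0.0.0/0": "wan"},
}

def next_hop(table, dst):
    """Longest-prefix match of dst against one node's route table."""
    addr = ip.ip_address(dst)
    nets = [ip.ip_network(n) for n in table if addr in ip.ip_network(n)]
    return table[str(max(nets, key=lambda n: n.prefixlen))]

def trace(nodes, dst, src="client"):
    """List the hops a packet takes from src until it is delivered or leaves the LAN."""
    path, here = [src], src
    while True:
        hop = next_hop(nodes[here], dst)
        if hop == "direct":
            return path + [dst]
        path.append(hop)
        if hop not in nodes:          # "wan" or "vpn-tunnel": outside the model
            return path
        here = hop

def router_attached_to(nodes, net):
    """True when the router has net as a directly connected network."""
    return nodes["router"].get(net) == "direct"

if __name__ == "__main__":
    for name, layout in (("same subnet", SAME_SUBNET), ("behind SME", BEHIND_SME)):
        print(name, "internet:", trace(layout, "203.0.113.5"))
        print(name, "VPN peer:", trace(layout, "192.168.2.20"))
        print(name, "router on 192.168.1.0/24:",
              router_attached_to(layout, "192.168.1.0/24"))
```

In the same-subnet layout every off-subnet destination, including the 192.168.2.X VPN peer, transits the SME server; in the server-gateway layout the router is no longer attached to 192.168.1.0/24, which is the VPN concern raised in Reply #8.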