NethServer Version: NethServer release 7.5.1804 (final) Module: web proxy
Dear friends,
I am Vuk and I am new to nethserver. I have found that nethserver offers many functionalities so I decided to install it. However, a linux installation without any problems wouldn’t be a linux installation.
I would like to make a web proxy filter and a file server. My first installation worked as a web proxy and web content filter but when I changed the IP address of it, everything messed up so I decided to install it again and start over. The new installations are not working because squid proxy is listening only on TCP-V6 (when I set it to be gateway and dns on the user computer then it blocks everything). Editing the squid.conf doesn’t help.
My installation steps and after installation steps were absolutely the same as first time but the functionality differs. Im a bit confused…
Setup:
mikrotik as a gateway
nethserver squid is dns and proxy
Anyone knows why is this happening and how it can be solved?
Do you use transparent proxy? In this case Nethserver has to be gateway for the clients. Do you use Nethserver in gateway mode (red and green interface) behind the Microtik?
Nethserver in gateway mode allows clients to connect to the internet by default, so it should just work without proxy. Maybe there’s a network config error?
By entering following commands you can check the network config:
ip a db networks show
Be careful when editing config files directly, Nethserver uses a template system and your changes will be overwritten.
It is in transparent mode and I would like mikrotik to remain to be gateway in the network. I will configure it to redirect the 80 and 443 traffic to nethserver. Gateway for nethserver is also mikrotik so, it means only green interface. If necessary, I can make a dedicated subnet for nethserver. Is it possible this way? Let me tell you that in my first installation squid antivirus worked where the proxy was set on the host PC. Https reported wrong certificate but that was my secondary concern.
here is ip a result:
[root@nethsever ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s4f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:21:5a:99:a9:bc brd ff:ff:ff:ff:ff:ff
inet 172.16.202.31/24 brd 172.16.202.255 scope global enp3s4f0
valid_lft forever preferred_lft forever
inet6 fe80::221:5aff:fe99:a9bc/64 scope link
valid_lft forever preferred_lft forever
3: enp3s4f1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 00:21:5a:99:a9:bd brd ff:ff:ff:ff:ff:ff
Maybe first try if manual proxy works from a client.
It should work only with green interface too but to get the full function set out of Nethserver gateway mode is recommended and clients should use NS as DHCP/DNS server and gateway.
So, manual mode works… ok, so if I want it in transparent mode, then it needs to be the gateway in the network. No problem, I can do it. I need to keep DHCP on MikroTik.DHCP will tell clients where the gateway is.
Can this work that way?
INTERNET–>MikroTik(gateway for NS)–>NS(gateway for clients)
(In this scenario I get only “ERROR The Requested URL could not be retrieved” for every website)
Be aware that if Mikrotik is your gateway and you use NethServer as a proxy theoretically users can bypass your proxy by connecting directly to the mikrotik router.
You could force users to use the NethServer proxy by only allowing traffic from NethServer to your mikrotik router.
/edit: i just read mrmarkuz last post, using both mikrotik and nethserver as a router, effectively “double natting” your network. So my suggestion wouldn’t be the case.
If I understand You correctly, I need two physical interfaces on the nethserver (no problem, I have them). Means I need to insert nethserver between the internet and clients. Physically it is not going to happen because I will lose functionality of mikrotik (some users will have limited internet. I have more than one subnet to be filtered). However, I think You helped me a lot!
I will make a new subnet which will be NS RED and normal green subnet which will be available to all users. I can redirect 80 and 443 traffic to NS and also mangle the traffic and insert the NS this way. It means that I can even keep mikrotik to be the main gateway for users because NS will be the final gateway for them (done in mikrotik)
I will try it this evening or tomorrow and inform You what I achieved.
Yet, I don’t understand why it needs red interface if green interface has a place to enter gateway and it can access internet…
Slight correction: you dont have to use 2 interfaces for nethserver, only if you want to use nethserver as a gateway. If you want to keep mikrotik as a gateway, that is perfectly possible. NethServer can perfectly serve an accountprovider and other (network) services.
As soon you want to use NethServer as a gateway, you need the 2nd interface.
You mentioned that you want to use NethServer as a proxy. You can use a proxy with a simgle nic, but it would be easier to be sure the proxy is used, when you configure NethServer as a Gateway, so all trafic must go through NethServer. If you use NethServer as a proxy with only 1 interface, users could bypass your proxy and connect to the default gateway (in your case mikrotik) directly.
Users will not be able to make any traffic unless they go via proxy as I will configure mikrotik firewall like that.
WHat am I doing wrong then? This is current configuration:
Mikrotik is the main device in the network, NS is in the same subnet as users and that is a green interface in NS. NS is the DNS to all users and I want to use it as a transparent proxy…
Is this enough or I need to make different setup?
It should generally work with only one green interface.
You wrote that manual proxy is working so the problem has to be about the forwarding from the microtik to the transparent NS proxy (I never tested if this works).
Actually only 3128 port work when I choose manual in the web proxy. If i set it as transparent or transparent with ssl and add these parameters in the client machine then it doesnt work. I get the same message from squid for every website I try to open and SSL doesnt work. Redirecting and mangling the traffic from mikrotik will give the same result for port 3128…
I tried many things… didn’t help. Manual settings added in the proxy settings of the windows client also doesnt work… Please see the attachment. Thats what I get on 3129 port…
Any idea?
I made it. I just mangled the traffic from users in mikrotik and redirected it with a simple static route which means that NS is actually the gateway for them. Now, every user will access internet via proxy. It filters http traffic but not https… I dont even get wrong certificate warning. It doesnt even touch https…
To be honest, I have no idea. I have configured it as transparent with SSL. I did also configured it once last year on pfSense and it filtered http and https…
Any directions?
Hmmm… Squid ClamAV was the main reason why I wanted to ise the proxy. It won’t inspect a lot of traffic actually. I think I will just try out nethservers file server for now and email server later. Thanks guys!
