Questions about proxy/gateway

jfernandez (Juan Carlos Fernandez) 2018-03-14 19:54:54 UTC #1

NethServer Version: 7.4.1708 (Final)
Module: nethserver-firewall-base DHCP

I’m trying to setup a proxy/gateway with nethserver7. I have several PCs joined to an Active Directory (Win2012R2) domain and several smartphones, tables, and the like which also must also use the proxy. I would like the following features:

Authentication for domain computers.
IP/MAC binding for domain computers, smartphones, tables, and the like.
Traffic shaping for several IP, AD group, and DNS (set low priority to youtube, facebook and the like).
Block content for porn sites and sites custom list.
Generate web proxy stats.

I have read the docs and right now I have a rough idea on the howto, but I have several questions:

To enable IP/MAC binding, do I have to enable DHCP service on nethserver or just type the host info on the IP reservation tab?
I can set the proxy to Authenticated mode for green zones and trusted networks and also set Block HTTP and HTTPS ports to enforce Internet access through the proxy for my domain PC, but what about the smartphones and the like?

mrmarkuz (Markus Neuberger) 2018-03-15 09:50:36 UTC #2

I tested it with Android, you just have to setup proxy for the WLAN connection.
You may simply put your smartphones to green zone or to be more safe and to control the traffic between your smartphones and the internal network, you may put them to blue zone.

jfernandez (Juan Carlos Fernandez) 2018-04-17 20:08:14 UTC #3

Sorry for leaving this unattended, I was doing other tasks. Right now my NS7 proxy works like a charm, tough I’m having an issue with whatsapp been able to bypass proxy, but I set firewall rules to deny use of whatsapp to a limited number of terminals.

Right now my NS7 proxy server has 2 NIC, eth0 is green and eth1 is red. My proxy setup is set to Manual to both green and blue zones. This setting has some limitations, since my company has 2 shift, I cannot know which user browsed which URL. Not all my terminals (smartphones, industrial PC and the like) are domain joined. @mrmarkuz you suggest me to put this terminals to blue zone, I assume that you are telling me to create a new logical interface, presumingly a VLAN on eth0. However, I have some doubts, I need those terminals to be on my subnet (192.168.9.0/24) as I have other services beside proxy (ERP, mail …), I only setting this because most smart-phones don’t have a way to set up an authenticated proxy.

robb (Rob Bosch) 2018-04-17 20:17:35 UTC #4

AFAIK you have to enable DHCP, since you set reservations for IP’s in DHCP for those mac addresses.

mrmarkuz (Markus Neuberger) 2018-04-17 20:42:49 UTC #5

I recommended it because you have a possiblity to have different proxy config on green and blue so you have authentication, proxy stats and all devices using a proxy:

grafik

You may enable access from blue to green with firewall rules.

What about the compromise to don’t set “Block HTTP/HTTPS Ports” and use auth proxy. This way you could enforce using the proxy on joined devices by group policy. The other devices not able to use the proxy still can access internet without proxy. No proxy for some devices but auth.

Or just use “Tansparent SSL proxy” and filter by devices instead of users. No authentication but proxy for all devices.

jfernandez (Juan Carlos Fernandez) 2018-04-17 23:45:28 UTC #6

Ok, so right now all my network terminals (PC, servers, smartphones …) are on 192.168.9.0/24, so this CIDR is my subnetwork.

joined domain PC are on 100-250
smartphones, other PC (industrial, guest …) are on 50-99
managed switches, routers and servers are on 1-50

I want those on 100-250 to use [Authenticated] mode, the rest would use [Manual] mode or [Tansparent SSL proxy] mode. How can I set a blue zone for 1-99? I think it is on [Network] -> [New logical interface] -> [Role] = [Guest (blue)] / [Type] = [VLAN] / [Interface] = [eth0] / [Tag] = [9] -> And I’m stuck on next step

mrmarkuz (Markus Neuberger) 2018-04-18 00:45:50 UTC #7

I thought you just add another network interface. Your switches have to support and be configured for VLANs:

http://docs.nethserver.org/en/v7/base_system.html#logical-interfaces

You may use DHCP servers for the VLANs to assign IPs to clients or let them use static IP.

jfernandez (Juan Carlos Fernandez) 2018-04-18 15:34:48 UTC #8

Rob, long time not seeing you, hope everything is OK. As matter of fact, you don’t need to enable DHCP, you just go to IP reservation tab and put those the MAC/IP of those network terminals (PC, smartphones …) you want to grant access to.

jfernandez (Juan Carlos Fernandez) 2018-04-18 19:49:09 UTC #9

I still have a long run to get to start using VLAN on switch, since we don’t even have an updated network map. Could it be possible to create a template set manual proxy for an IP range ? Since I already have all my network terminals on 3 IP range. Tough if someone has a better idea please share.

mrmarkuz (Markus Neuberger) 2018-04-18 22:45:36 UTC #10

It may be possible but you’ll need to customize squid:

http://www.squid-cache.org/mail-archive/squid-users/200802/0094.html