#1
Untanglit
Join Date: Apr 2009
Posts: 12
clients--firewallbridge--untanglebridge--squidbridge--router--internet
firewallbridge redirects clients to squidbridge for transparent proxy. With this configuration Untangle is not filtering web content. Before installing the squidbridge everything was fine.

If I switch it around:

clients--firewallbridge--squidbridge--untangle--router--internet

Will Untangle only see squidbridge's IP address and either filter everything or nothing depending on the web filter's IP pass list? I want to be able to web filter some IP addresses but not all. Anybody running squid as a bridge inline with Untangle? I've read the other posts and it looks like it's an all or nothing web filtering.
#2
Master Untangler
Join Date: Jan 2008
URLs submitted: 27
Posts: 264
Ok, I have a few questions first. I have never heard of a "firewallbridge" or a "squidbridge", could you explain? Technically a bridge is just a switch with only two ports. It can't work with anything beyond layer 2 in the IP stack, i.e. no IP addresses, routing, filtering etc...

1st: Assuming that you are using the word bridge "loosely" here. (Untangle also is technically not a bridge when configured in bridge mode.) Does either the Firewall or the Squid do address translation? If so, then depending on how Untangle is connected it will only see the address of the interface on the device it is connected to. Make sure that any address translation is done on the internet side of Untangle. Otherwise Untangle should see all of the addresses on the subnet it is connected to.

2nd: What are you using the Squid box for? Untangle will produce nice reports of activity. If speed is an issue, personally I have never seen much of a boost with a proxy server. This is especially true when you add a content filter to the mix.

With that said... You can set up a list of IP addresses or subnets in Untangle that can by-pass the web filter. http://wiki.untangle.com/index.php/W...Specific_Users

Also: You can set up "no rack" commands in your policy editor to by-pass Untangle completely for specified addresses and subnets. If you have the pro version you can have multiple policies as well. http://wiki.untangle.com/index.php/Policy_Manager

Suggested setup: Clients - UT (bridged) - FW - Router - Internet
__________________
PCMonk - Keeping the network safe one obsessive compulsive quirk at a time. Personal: http://www.1peacefulplace.net

Last edited by scot1967; 05-06-2009 at 11:15 AM. Reason: More info...
#3
Untanglit
Join Date: Apr 2009
Posts: 12
Thanks for the response.
Firewallbridge = Mikrotik RouterOS on an old PC with 2 NICs. The NICs are bridged. I am blocking some ports with it, performing QoS and bandwidth limiting, as well as port dst-nat for the proxy.

Squidbridge = squid running on Ubuntu with 2 NICs bridged. Used for DNS and web caching to make more efficient use of the existing internet connection.

Untangle bridge mode = Definitely not a bridge!!!

I have the IPs in the web filter pass list and they work fine when squid is not inline in the network. I pulled the squidbridge out and connected it to a switch on the internet side of Untangle. Still doing dst-nat to squid from firewallbridge: redirect port 80 to port 3128. If I redirect to squid, Untangle doesn't filter. If I stop redirecting to squid, Untangle works as advertised. My guess is that Untangle doesn't look at port 3128??

If I knew how Untangle was handling the web requests, I could probably figure out a way to make things work.
#6
Untanglit
Join Date: Apr 2009
Posts: 12
With the port redirect, Untangle would never see port 80 traffic.
I'll try this config later and see how that goes. It'll put the port redirects after the client passes through Untangle.

clients--untanglebridge--firewallbridge--squidbridge--router--internet
#7
Untanglit
Join Date: Apr 2009
Posts: 12
Well there we have it.
Can't use squid with Untangle. Having followed the traffic flow with Wireshark, I see the request go out, it gets a reply, a request for the page, then a redirect to Untangle. If squid is used transparently, I'm using port 3128, and it's not seen by Untangle on the return. So the only option I've found is that I can't use squid with the clients on which I'm using the Untangle web filter. Simple enough, I guess. Unless somebody has a better option. I'm all ears.
#8
Newbie
Join Date: Mar 2008
Location: Falls Church, VA
Posts: 3
I'm not very sophisticated, so please explain why this doesn't work:
Redirect all internally-initiated requests to port 80, EXCEPT THOSE FROM THE SQUID MACHINE, to the internal squid proxy at port 3129. Squid then sends the request out to port 80 and Untangle treats it as a regular HTTP request because that squid IP doesn't have a port redirect.
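The exclusion post #8 describes, written as RouterOS NAT rules for the firewallbridge from post #3. This is an added example, not from the thread; the bridge name `bridge1`, the squid address `192.168.1.5` and the use of port 3128 (post #8 wrote 3129; use whichever port your squid listens on) are constructed placeholders. The first rule is the all-clients redirect the thread started with, the second is the variant that leaves the proxy's own traffic alone.

```routeros
# Added example (not from the thread). Constructed placeholders:
#   bridge1     = the firewallbridge's bridged interface
#   192.168.1.5 = the squid box
#   3128        = squid's transparent-proxy port
# A RouterOS bridge forwards at layer 2, so dstnat only applies to bridged
# traffic once the bridge is told to pass it through the IP firewall:
/interface bridge settings set use-ip-firewall=yes

# BEFORE (what the thread's firewallbridge does): every port-80 request
# arriving on the bridge, squid's own included, is rewritten to squid:3128.
# Anything behind this rule, an inline Untangle included, only ever sees
# dst-port 3128 for client web traffic, which is why the web filter stops
# matching (posts #3, #6, #7).
/ip firewall nat add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.5 to-ports=3128 \
    comment="transparent proxy - ALL port 80, squid included"

# AFTER (post #8's idea): drop the catch-all rule and replace it with one that
# excludes squid's own address, so only client requests are redirected and
# squid's outbound fetch leaves on plain port 80, untouched by this box.
/ip firewall nat remove [find comment="transparent proxy - ALL port 80, squid included"]
/ip firewall nat add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=80 \
    src-address=!192.168.1.5 \
    action=dst-nat to-addresses=192.168.1.5 to-ports=3128 \
    comment="transparent proxy - clients only, squid excluded"
```

Once squid originates the fetch, whatever sits between squid and the router sees squid's address as the source, so Untangle has to be on that side of squid to see port 80 at all. It then sees a single client, squid, which is the all-or-nothing pass-list situation post #1 describes.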