OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: GunShotResidue on November 14, 2020, 12:19:57 pm

Title: Newbie Web Proxy Bypass Question
Post by: GunShotResidue on November 14, 2020, 12:19:57 pm
Hi Folks,

I have a new installation complete with DNSCrypt, IDS and Virus Scanning / Web Proxy. Everything is working great except for one issue. I have configured and enabled transparent proxy for ad blocking and virus filtering and have no issue with sites that have been whitelisted to avoid the security certificate issue. But I have certain devices (Roku, SmartThings, etc.) that I would like to bypass completely, as there are too many URLs that I am unfamiliar with to whitelist each one separately. I have read that this can be done by creating a no-redirect rule prior to the proxy redirect rules using NAT and selecting a group of IPs (or even better hosts, as I am using DHCP). The problem I have is that I'm more of a software developer than a network person and need a step-by-step on how to do this. I've searched the documentation, forums and Google to no avail. I've looked at the rule configuration and groups/aliases for the IPs, and it's not obvious to me how to accomplish this.

Thank You.

Title: Re: Newbie Web Proxy Bypass Question
Post by: Amr on November 16, 2020, 01:57:37 pm
Hello GunShotResidue,

Have you considered adding the devices to the "Unrestricted IP addresses" and accepting your certificate on each of them?

Well, anyway, to achieve what you want, follow these steps:
1- Give static IPs (through DHCP) to the desired devices.
2- Create an alias for these devices (Firewall > Aliases), e.g. "no-redirection", and add all of the devices' IPs.
3- In port forward (Firewall > NAT) add the following rule:

Interface : LAN
Source / Invert : check this box (this is a logical NOT operator)
Source : no-redirection (the alias you made)
Destination : any
Destination port range : HTTP and HTTPS (you can add two rules one for HTTP and one HTTPS or create an alias for both)
Redirect target IP: the proxy's IP
Redirect target port : the port that it listens to

Basically it tells the firewall to route traffic that does "NOT" come from the alias's IP range to the proxy.

Alternatively, you can create an alias for all the IPs that are going to be redirected and simply redirect it.
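As an added illustration (not from this thread or OPNsense's own code): a small Python model of first-match port-forward rules, using constructed addresses and an assumed proxy IP/port, showing why the inverted-source rule sends every LAN host except the alias members to the proxy, with the positive-alias alternative beside it.

```python
"""Model of the transparent-proxy redirect rule from the reply above.

Evaluates first-match port-forward rules over constructed packets to show what
the "Source / Invert" checkbox does: hosts in the "no-redirection" alias bypass
the proxy, every other host on port 80/443 is redirected. Added illustration
only; OPNsense's real rule engine (pf) is not modelled here.
"""
import ipaddress
from dataclasses import dataclass

# Constructed alias: static DHCP leases of the devices to bypass (assumed values).
ALIASES = {
    "no-redirection": [ipaddress.ip_network("192.168.1.50/32"),
                       ipaddress.ip_network("192.168.1.51/32")],
    # Alternative from the end of the reply: a positive alias of hosts to redirect.
    "proxied": [ipaddress.ip_network("192.168.1.100/32")],
}
PROXY = ("192.168.1.1", 3128)  # assumed proxy IP and listening port


@dataclass
class Rule:
    source_alias: str    # alias name, or "any"
    invert_source: bool  # the "Source / Invert" checkbox (logical NOT)
    dst_ports: tuple     # e.g. (80, 443) for HTTP and HTTPS
    target: tuple        # redirect target (ip, port)


def _in_alias(ip, alias):
    """True if ip falls inside any network of the named alias."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALIASES[alias])


def resolve(rules, src_ip, dst_port):
    """Return the redirect target of the first matching rule, or None (no redirect)."""
    for r in rules:
        src_match = _in_alias(src_ip, r.source_alias)
        if r.invert_source:
            src_match = not src_match  # NOT: match everything outside the alias
        if src_match and dst_port in r.dst_ports:
            return r.target
    return None


# The rule from the reply: redirect HTTP/HTTPS from everything NOT in the alias.
INVERTED_RULES = [Rule("no-redirection", True, (80, 443), PROXY)]
# The alternative: redirect only the hosts listed in a positive alias.
POSITIVE_RULES = [Rule("proxied", False, (80, 443), PROXY)]
```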