OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: spien on September 09, 2022, 09:06:32 am

Title: Captive Portal + transparent proxy - not working
Post by: spien on September 09, 2022, 09:06:32 am
Hey,

I have activated the captive portal for the network "guest network", without authentication, just a click on login. This works without any further problems.

I have now enabled the web proxy (as transparent proxy, without authentication) in the guest network. This also works without problems, if I deposit it directly in the browser.

But now I want (so that I can block some URLs for the guest network) to switch the captive portal and the proxy together. The login window from the captive portal comes up, but calls to the web then don't work (the request shows up in the access logs from the proxy, but the browser times out).

Both the captive portal and the proxy are bound only on the interface of the guest network. I have not temporarily blocked anything in the firewall.

I have found various similar problems on the net, but never a suitable answer. Has anyone here ever successfully set it up this way?

I would be grateful if someone could help me.
Title: Re: Captive Portal + transparent proxy - not working
Post by: franco on September 09, 2022, 09:30:59 am
Without any further configuration specification from you I can only say that the captive portal options

Transparent proxy (HTTP)   
Transparent proxy (HTTPS)

had been introduced for that reason.


Cheers,
Franco
Title: Re: Captive Portal + transparent proxy - not working
Post by: spien on September 09, 2022, 09:52:06 am
Thanks for your answer Franco.

I have an OPNsense in version 22.1.8.

On the OPNsense I have a WAN GW and 3 LAN interfaces. 2 of them are VLANs.

One of the VLANs will be the guest network for visitors in the future. Here I need the captive portal for the consent of the terms of use and I need the possibility to block single websites.

The guest network has as IP configuration 192.168.12.x/22. The OPNsense has the fixed IP 192.168.15.254 in this LAN.

The captive portal and the web proxy are only bound to this guest network.

I have created firewall rules only for the guest network. I allow ports 3128 and 3129 (TCP) to 127.0.0.1 (proxy) (but have also tried 192.168.15.254). For testing purposes, I also set nothing to be blocked on a trial basis.

In Captive Portal I have enabled Transparent Proxy HTTP and HTTPS.

The client requests also show up in the Squid log file, but the clients don't seem to get the web pages back (timeout).

Example from the Squid log file:

Code:
56 192.168.12.50 TCP_REFRESH_MODIFIED/200 329 GET http://ping.archlinux.org/nm-check.txt - ORIGINAL_DST/95.216.195.133 text/plain

Could it be that I am missing a firewall rule here that allows the proxy to deliver the web pages to the client?

What other information do you need to help me?
Title: Re: Captive Portal + transparent proxy - not working
Post by: spien on September 14, 2022, 11:10:59 am
Hi!

I found something: http-traffic (80) works fine with captive -> proxy. https-traffic (443) is running into timeout.

My Proxy-Config is:
 - Proxy Port 3128
 - SSL Proxy port: 3129
 - Enable Transparent HTTP proxy: activated

(is there no transparent for SSL?)

In captive-conf I've activated Transparent proxy (HTTP) and Transparent Proxy (HTTPS).

I have one firewall rule to allow traffic (TCP) to 127.0.0.1 3128-3129 and for testing allow traffic (TCP) to 192.168.15.254 (OPNsense) 1328-3129.

For HTTP it works fine now. For SSL not.