Transparent Proxy bypasses WAN reject rule

Started by Cuffs, February 25, 2021, 09:26:52 PM

Hi

I thought after using OPNsense for a year and being very happy with it, I'll register here.
Maybe my post is of help/contribution, or maybe I'm just misunderstanding something.

I use Web Proxy in transparent mode - so far so good.
I also added a rule to reject outgoing IPv4 TCP/UDP any to a blocklist of DNS via HTTPS servers on port 443.

When doing telnet 9.9.9.9 443 on OPNsense itself, the rule kicks in and blocks the traffic.
But from a client via the proxy this works. So it seems Squid is bypassing outgoing rules on the WAN interface.


Is this as intended?


Thank you
Christian

It doesn't "bypass" it; it's never even evaluated, because the proxy is not behind the LAN firewall.

If you make the destination the OPNsense IP with the proxy port, then it should work, because then the firewall rule is sitting between the end user and the proxy.

I meant on the WAN side.

I would have imagined:
Client - NAT/Redirect - Proxy - WAN Rules - Internet

It seems to be:
Client - NAT/Redirect - Proxy - Internet

Just to close this in case someone finds it via google.

False positive.
Our company's IT department implemented DAC via tunnel on our notebooks without me knowing.

That was why WAN block rules didn't seem to work on OPNsense: my laptop was using the company proxy.