Best Practice: Web Proxy Filtering (Private Subnets)

[porigromus]

I have configured the Web Proxy utilizing HTTP Transparent. I have 3 interfaces configured (LAN, OPT1 (DMZ), OPT2 (Servers). Before configuring the proxy I only permitted specific endpoints to access specific destinations on port 80 in OPT2 as well as only permitted 1 endpoint to access the WebGUI/SSH on the firewall on port 80.

Now, all devices are able to get to these destinations due to the fact the source appears the firewall now which is always permitted. What would be the best way to permit only the devices I wish to access these endpoints on 80 now since proxy their traffic now?

One way I thought of doing this is creating a a No RDR NAT rule with a destination of RFC1918 above the present NAT redirecting the 80 traffic to the firewall.

I also thought about changing the destination from ANY to !RFC1918 on the NAT that is presently redirecting 80 traffic to 127.0.0.1.

I would prefer not to circumvent the proxy though. Is there a way to create whitelist/blacklist in the web proxy to only permit specific sources to access specific destinations on RFC1918 subnets? I wasn't sure how. What is your opinion on how to best configure what I am wanting to achieve? Thanks

[porigromus]

Would you please move this to the correct forum, Web Filtering? I did not see that category initially, my apologies.

[porigromus]

I went ahead and created a no rrd nat rule above the other for destinatin RFC1918. I haven't gotten any responses to my posts. I really hope I haven't put things in an incorrect format or worded things in a way that is affecting me getting any help.

Seems other posts have some responses. New here, please point out my mistakes if there are any. Thanks!

[hbc]

Check this thread:

https://forum.opnsense.org/index.php?topic=12551.0

I think it is about the same "problem.

[porigromus]

Thanks for the response. I did stumble upon that post. I made my post after just to get an idea of how others are accomplishing this and what the best solution is. At this point I believe that seems like the best option, deny rfc1918 in an ACL via a .conf file in squid pre-auth and then no rdr for rfc1918 in a NAT rule above the proxy NAT.