
pfSense 2.3.1 Security: Explicit Squid Proxy, WPAD, SquidGuard, Lightsquid, and Static ARP (Part 1 of 2)

Installing Squid

Go to System > Package Manager > Available Packages, then click + Install in the Squid row. Then click Confirm.

When you see Success at the bottom of the installation log, go to Services > Squid Proxy Server > Local Cache. Set Hard Disk Cache Size to at most 60% of the storage capacity and Memory Cache Size to at most 50% of the installed RAM, then click Save.
Now click the General tab of the Proxy Server and tick Enable Squid Proxy. Scroll down to Logging Settings, tick Enable Access Logging, set Rotate Logs to 7, then click Save.
To test the proxy server, you need to connect a client to it. In Google Chrome, go to Settings, click Show advanced settings..., scroll down to the Network section and click Change proxy settings...
When the Internet Properties window opens, click LAN settings. Tick Use a proxy server for your LAN, fill the Address: box with the router's LAN address and the Port: box with the proxy's port, which is 3128.
You can now browse and check whether the proxy works. You can also set your firewall rules so that LAN traffic is restricted to the proxy. Go to Firewall > Rules > LAN, then click the pencil to edit your Default allow LAN to any rule. Set the Destination to any and change the Description to Default allow LAN to LAN rule as a reminder, then click Save and click Apply Settings. You can also notice here that I removed my IPv6 default rule.
Test by browsing again. You have successfully set up your Squid proxy server. Now allow LAN connections to any destination again by reverting your LAN rule to Destination: any. Then reset the proxy settings in Google Chrome by going back to the proxy settings, removing your entries and ticking Automatically detect settings.
The WPAD Mystery

Now we are going to set up WPAD. This is tricky because each browser handles WPAD differently. First, set the pfSense webConfigurator to HTTP so that it can host the WPAD files: go to System > Advanced and set Protocol to HTTP under webConfigurator. Note that this also serves the admin GUI and its login over plain HTTP on the LAN, so only do this on a network you trust.
You need to create a PAC (WPAD) file first. Three copies will be created to support different browsers. Go to Diagnostics > Edit File and type this in the edit box:

function FindProxyForURL(url, host) {
    // Plain hostnames (no dots) and the local subnet go direct, not via the proxy.
    if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*"))
        return "DIRECT";
    // Everything else goes through Squid on the router's LAN address.
    return "PROXY 192.168.1.1:3128";
}

Then type the full path and filename of the file, /usr/local/www/proxy.pac, and click Save. Save the same contents twice more, changing the filename to wpad.dat and then to wpad.da, for wider browser support.
The directory /usr/local/www is the document root (the equivalent of public_html) of the webConfigurator. We are using the built-in web server of the pfSense webConfigurator to serve the WPAD files to the network.

The 3 WPAD files and their paths:

/usr/local/www/proxy.pac
/usr/local/www/wpad.dat
/usr/local/www/wpad.da
The next step is to add the WPAD mime-type so that the web server serves the files you just created with the correct content type. Still at Diagnostics > Edit File, browse to /usr/local/etc/nginx and open the mime.types file. Add the highlighted lines to this file, then Save. Reboot pfSense via Diagnostics > Reboot to apply the new settings.
Now you need to distribute the WPAD/PAC files through DNS and DHCP. Go to Services > DNS Resolver, then add a new host to the Host Overrides list by clicking + Add. Fill in the following, then click Save.

Host : wpad
Domain : yourdomain.com
IP Address : 192.168.1.1 (Your router's LAN interface IP Address)
Description : WPAD Server (Optional)

Go to Services > DHCP Server, then click Display Advanced next to Additional BOOTP/DHCP Options. Add 3 options by clicking + Add, fill these in, then click Save.

Number  Type    Value
252     String  "http://wpad/wpad.dat"
252     String  "http://wpad/wpad.da"
252     String  "http://wpad/proxy.pac"


WPAD Shooting Trouble

Launch a Command Prompt and run an nslookup of wpad to test the DNS Host Override you added. You can confirm the lookup by browsing to "http://wpad/wpad.dat" in Chrome: if the wpad.dat file downloads, the WPAD files are reachable through DNS. The output may look like this.

C:\>nslookup wpad
Server:  pfsense.yourdomain.com
Address:  192.168.1.1

Name:    wpad.yourdomain.com
Address:  192.168.1.1

C:\>

To see whether Chrome successfully downloads the WPAD file, open Chrome and visit "chrome://net-internals/#proxy"; the Effective proxy settings section should show a WPAD/PAC file.
If the effective setting is Direct rather than a WPAD file, you can fix this by clearing the browser cache and resetting Internet Properties. If the browser drops the WPAD file, or if you are using Safari, you can manually add the configuration URL "http://wpad/wpad.dat" in your browser settings. Another issue is that some hosts fail to get the WPAD file when they are not registered in the DHCP Server.
Installing SquidGuard

Go to System > Package Manager > Available Packages, then click + Install in the SquidGuard row. Then click Confirm.

When the package installation succeeds, do not enable the SquidGuard service yet. Go to Services > SquidGuard Proxy Filter > Target Categories and add a CustomDeny category, then place the domains you want to block manually in the Domain List box. Put "proxy|\.exe|\.mp4|torrent" in the Regular Expression box to block sites with proxy or torrent in the URL and to block downloads of files ending in .exe or .mp4. Tick the Log option at the bottom to log denies made through this category, then Save the custom category. You can repeat this to create your own custom whitelist or any other category you need.
Visit squidguard.org then choose a blacklist provider. I prefer the Shalla's Blacklists among the free blacklists. Right-click the download icon and choose Copy link address. Now go to the General Settings tab and enable all logging options by ticking Enable GUI log, Enable log and Enable log rotation. Tick the Blacklist option, paste Shalla's blacklist download URL into the Blacklist URL entry, then Save.
Go to the Blacklist tab, click Download and wait until the download completes.
When done, go to Common ACL and expand the Target Rules List. Set deny for CustomDeny and set allow for Default access [all]. You can set the other categories to your preferred permission: deny, allow or whitelist. The sample here shows the list from urlblacklist.com. Tick the Log option, then Save.
You can also create groups under Groups ACL with different access levels, and set a schedule for the groups by creating schedules in the Times tab. After setting up, go to the General Settings tab, tick Enable and click Apply. Click Apply again after any change made in SquidGuard for it to take effect.

Now website filtering works. Next we apply strict firewall rules. Go to Firewall > Rules > LAN again, then click the pencil to edit your Default allow LAN to any rule. Set the Destination to any and change the Description to Default allow LAN to LAN rule as a reminder, then click Save and click Apply Settings. You can also notice here that I removed my IPv6 default rule.
In this way, all traffic must now pass through the proxy.

DHCP and ARP

To increase the level of security internally, go to Services > DHCP Server > LAN and register the MAC address of every device, assigning each its own IP. After registering only the devices that are allowed on your network, tick Deny unknown clients and Static ARP.
With this setup, any device that tries to connect without a registered MAC address will not be recognized by the firewall. Any manual change to a registered device's network settings will also cut that device off from the firewall, because the static ARP entry only matches the registered MAC/IP pair.
PROXY Bypass

With all devices registered, each IP is now assigned to a specific device. Therefore, IP addresses in the logs can easily be traced to devices through the DHCP registry. This also lets pfSense allow certain IPs to bypass the proxy. To do this, create an alias first: go to Firewall > Aliases and add an alias with a recognizable name like "bypasslocalips", then add all IPs you want to bypass the proxy.
Next, edit your PAC files by adding the IPs you want bypassed.

function FindProxyForURL(url, host) {
    // Clients listed here (the bypass alias members) never use the proxy.
    if (myIpAddress() == "192.168.1.5" || myIpAddress() == "192.168.1.6")
        return "DIRECT";
    // Plain hostnames and the local subnet go direct for everyone.
    if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*"))
        return "DIRECT";
    // Everything else goes through Squid on the router's LAN address.
    return "PROXY 192.168.1.1:3128";
}

You also need to add a firewall rule that allows LAN to any traffic for these hosts, since we have restricted LAN to pass to LAN only. Create the rule with a Pass action, the alias "bypasslocalips" as Source and any as Destination.
You can also bypass the proxy for specific destination hosts by creating a pass rule for an alias "allowedhosts". Create the alias first, then add the hosts to your CustomWhitelist category in your SquidGuard Proxy Filter.
You now have a comprehensive network security setup. All you need now is a good reporting tool to manage the logs easily. Install Lightsquid to create reports or monitor the proxy live. Leave a comment or contact me for any inquiry I may be able to help with.
