
Forcing all Internet traffic on LAN through transparent proxy server

Discussion in 'Networking' started by imekul, Jun 27, 2013.

  1. imekul

    imekul Thread Starter

    Joined:
    Oct 14, 2007
    Messages:
    29
    I want to be able to force all of the Internet traffic on my LAN through a PC running some UTM distribution, or something like Smoothwall. My main goal is URL filtering and stuff like that.

    I have a Linksys router with a DHCP server. The router's IP is 192.168.0.1.

    If I have my UTM box with an IP of 192.168.0.2 and a transparent proxy server running on port 80, how can I have all traffic automatically go through the UTM box?

    I know I can manually set the proxy settings on each computer, but I don't want to do that. I want the IP info given from the DHCP server to be such that any new computer connecting to this network would be forced through the UTM box.

    So to recap, my goal is to have some automatic way to force all Internet traffic through another device for filtering. I think I can set up the filter myself, but the part I'm struggling with is forcing all the traffic to go there automatically.

    Thanks!
     
  2. Squashman

    Squashman Trusted Advisor

    Joined:
    Apr 4, 2003
    Messages:
    19,783
    Do the Linksys DHCP settings allow you to change the Gateway Address it pushes to the client computer requesting an IP address?

    Of course if you don't have the computers locked down the user could just change their IP address settings to get around it.
     
  3. imekul

    imekul Thread Starter

    Joined:
    Oct 14, 2007
    Messages:
    29
    Actually, I should have been more specific... it is a Linksys router running DD-WRT firmware.

    I would think that I must be able to change the gateway IP that is pushed. I'll check into that.

    Assuming I CAN do that, then is my thinking correct here? I would then:

    Have the Linksys DD-WRT router push a gateway IP of 192.168.0.2 to all of the clients, and then on the UTM box, that would have a gateway of 192.168.0.1, and the UTM box would be the only device with a gateway of 192.168.0.1, and everything else would be going through the UTM box for filtering. Does this sound right?

    That's a good point about people being able to change their IP settings, but I think this would take care of 99 percent of my problems. Most people probably wouldn't think to do that.

    Thanks!
     
  4. Squashman

    Squashman Trusted Advisor

    Joined:
    Apr 4, 2003
    Messages:
    19,783
    I have only ever set something like that up many years ago in school. We set up a Windows 2000 Server to be a DHCP server and NAT router. All traffic went through the server. But we had to have 2 NICs to make it work. One NIC was connected to the LAN's switch and the other NIC connected to our main Internet connection.

    Hopefully zx10guy will be along today. He is the expert on this stuff. I mostly focused on Netware and Linux when I was in school.
     
  5. imekul

    imekul Thread Starter

    Joined:
    Oct 14, 2007
    Messages:
    29
    With having two NICs installed for something like this, I was never clear on what the IP settings would be for each NIC. In a case like this, would I have my second NIC just set to 192.168.0.3, do you know?

    I'm not in a huge rush, so I'll hope to see if he (or anyone else) comes along and has any input. Thanks again.
     
  6. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    5,965
    What's the environment where you want to set this up? Why are you implementing this? The general design goal will dictate how the network should be set up, or whether different equipment would need to be procured.
     
  7. imekul

    imekul Thread Starter

    Joined:
    Oct 14, 2007
    Messages:
    29
    Just like a content filter for a home or small business. I understand that people could theoretically get around it by using a proxy server or something, but I'm just trying to have something that would cover most users.
     
  8. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    5,965
    The simplest and best way to do this is to have two NICs on the UTM box. One NIC would plug into one of the LAN ports of the Linksys router. The other NIC on the UTM box would plug into a switch to support the wired clients. To have wireless you'll need to add an AP. Also you'll have to set up a DHCP server on the inside/protected zone of the network, since the DHCP server of the Linksys will not be able to see DHCP requests nor respond to them with the UTM device in between. You will also need to redo your IP schema. You can have the IP network between the Linksys and UTM be on the 192.168.1.0 space; using a subnet mask of 255.255.255.252 would make available two valid IPs. You would set the UTM to say 192.168.1.2 and the Linksys to 192.168.1.1. The UTM would have a default gateway of 192.168.1.1, the Linksys router. On the protected side, the IP setup would be just 192.168.0.0 with a subnet mask of your choosing to support the number of IP addresses you'll need. To make things easy, I would just set it up as a /24 or 255.255.255.0. You would set up the UTM to have an IP of 192.168.0.1.

    Doing it this way will force the client devices to have to go through the UTM device. If you put everything on the same subnet, you can have some enterprising user figure out what is going on and easily bypass the UTM device by manually configuring the IP settings to use the Linksys as the default gateway.

    Now per the above, you'll need to purchase a new switch and a wireless access point if you need wireless services. Also a new DHCP server would need to be set up on the network. You can consolidate the AP and DHCP devices by just purchasing a wireless router and converting it to an AP-only setup, which will give you the wireless and DHCP services you need.
     
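As an added example (not code from this thread or from any UTM product), the Python below checks the two-segment addressing plan zx10guy describes against the flat single-subnet layout from post #3, derives the DHCP scope the protected side would hand out, and lists the Linux forwarding and transparent-redirect rules a UTM box would need. The interface names `eth0`/`eth1`, the proxy listening port 3128 and the number of reserved addresses are assumptions.

```python
"""Addressing and forwarding check for the two-NIC UTM layout (constructed example)."""
from ipaddress import ip_interface


def check_plan(linksys_ip, utm_outside, utm_inside):
    """Validate the Linksys<->UTM transit link and the protected client segment.

    linksys_ip  -- Linksys LAN address with prefix, e.g. '192.168.1.1/30'
    utm_outside -- UTM NIC facing the Linksys, e.g. '192.168.1.2/30'
    utm_inside  -- UTM NIC facing the clients, e.g. '192.168.0.1/24'
    Returns a dict of findings; 'ok' is True only when every check passes.
    """
    link_a, link_b, inside = map(ip_interface, (linksys_ip, utm_outside, utm_inside))
    f = {}
    # Both ends of the transit link must share one network with distinct addresses.
    f["same_link"] = link_a.network == link_b.network and link_a.ip != link_b.ip
    # A /30 leaves exactly two usable hosts: one per router, nothing for a stray client.
    f["link_hosts"] = link_a.network.num_addresses - 2
    # The client segment must not overlap the transit link or routing becomes ambiguous.
    f["no_overlap"] = not inside.network.overlaps(link_a.network)
    # Squashman's bypass: a client can only pick the Linksys as gateway if it is on-link.
    f["linksys_on_client_link"] = link_a.ip in inside.network
    f["ok"] = (f["same_link"] and f["link_hosts"] == 2 and f["no_overlap"]
               and not f["linksys_on_client_link"])
    return f


def dhcp_scope(utm_inside, reserve=10):
    """DHCP scope for the protected side: gateway is the UTM, first `reserve` hosts kept static."""
    iface = ip_interface(utm_inside)
    pool = [h for h in iface.network.hosts() if h != iface.ip][reserve:]
    return {"gateway": str(iface.ip), "netmask": str(iface.network.netmask),
            "range": (str(pool[0]), str(pool[-1]))}


def utm_rules(inside_if="eth1", outside_if="eth0", proxy_port=3128):
    """iptables/sysctl lines that make the UTM forward, NAT and transparently redirect web traffic."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A PREROUTING -i {inside_if} -p tcp --dport 80 -j REDIRECT --to-ports {proxy_port}",
        f"iptables -t nat -A POSTROUTING -o {outside_if} -j MASQUERADE",
        f"iptables -A FORWARD -i {inside_if} -o {outside_if} -j ACCEPT",
        f"iptables -A FORWARD -i {outside_if} -o {inside_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    print("two-segment:", check_plan("192.168.1.1/30", "192.168.1.2/30", "192.168.0.1/24"))
    print("flat:", check_plan("192.168.0.1/24", "192.168.0.2/24", "192.168.0.2/24"))
    print(dhcp_scope("192.168.0.1/24"))
    print("\n".join(utm_rules()))
```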
  9. imekul

    imekul Thread Starter

    Joined:
    Oct 14, 2007
    Messages:
    29
    That makes great sense! Thanks for the detailed explanation.

    Out of curiosity, do you have any recommendation for a free UTM with good filtering? I've used Smoothwall before, so I might try that or Endian.

    Thanks again!
     
  10. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    5,965
    Sorry, I don't. The problem with using a UTM is the performance, detection/miss ratio, and frequency of signature update considerations. When you go free, you don't know how well it addresses those points of concern I brought up.
     
  11. bobthehippy

    bobthehippy

    Joined:
    Jun 22, 2013
    Messages:
    97
    "I know I can manually set the proxy settings on each computer, but I don't want to do that"

    Are the computers on an AD network? You can use Group Policy to make the computers' browsers go via the proxy.
     