I have spent many hours trying to set this up with the web proxy server, without success;
if I set it up without the (transparent) web proxy and just use dst-nat with a src address-list, it works perfectly;
however, I would like to run a transparent web proxy for all HTTP and yet ensure that the respective users get the respective responses.
I posted this before (when I was 100% new to my RB), and I was using the wrong words to describe what I was trying to do, and also had even less of an understanding than now of how the RB works [still reading and learning]. Everyone kept saying to dst-nat and it should work. I found that regardless of what I put in as far as DNS servers, it would always return the "system default DNS" replies.
The reason for this is simple: I have a need where all local addresses are in 10.0.1.0/24 and there is a single public interface (ISP).
There are two classes of users at this time: Adult and Non-Adult IP traffic on this network.
Non-Adult traffic should request DNS responses from OpenDNS (filtered) at 208.67.222.222.
Adult traffic should request DNS responses from 4.2.2.1 (unfiltered).
So I have two NAT rules that are simple:
2 ;;; Not an Adult Go OpenDNS
chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53
protocol=udp src-address-list=!Adult dst-port=53
3 ;;; Redirect DNS Adult
chain=dstnat action=dst-nat to-addresses=4.2.2.1 to-ports=53
protocol=udp src-address-list=Adult dst-port=53
And this works flawlessly!
Now add in this:
4 X ;;; Transparent Web Cache
chain=dstnat action=redirect to-ports=3128 protocol=tcp
dst-address-list=Adult in-interface=Local connection-mark=http
(with the proxy enabled and set to port 3128)
either before or after the DNS queries, and here is my request for help understanding how to get around this issue.
When the proxy is enabled and the dst-nat rule is in place (regardless of where I put it), regardless of
the src address-list of Adult or !Adult, ALL content sent to the user is unfiltered.
I thought that the proxy would simply use the resolution that was provided to the client, i.e. a non-adult user requests
a URL that should be filtered; OpenDNS sends a reply 208.xxx.xxx.xxx, which is a static banner page "BLOCKED", but
the non-adult user gets unfiltered pages. I thought that if the dst-nat DNS requests were processed, the IP proxy facility would leave it untouched, but it appears that it is overwritten.
So, how do you set up rules and chains that would allow for such a need? To transparently proxy, maybe even cache, yet allow for two different DNS responses and make sure that the content is filtered accordingly.
This "filtering" with two different DNS servers works perfectly without a proxy or transparent proxy.
In advance thank you for your time and assistance.
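One way to reconcile the per-user DNS redirection with a transparent proxy, as an added example that is not part of the original post, of any reply, or of MikroTik's documentation. It rests on one assumption about the behaviour described above: the router's web proxy does not reuse the client's DNS answer but resolves the Host header itself through the router's own resolver (/ip dns), so only the class of users that bypasses the proxy keeps its redirected DNS answers. The interface name "Local" and the address list "Adult" are taken from the post; the router-side DNS choice, the TCP/53 rules, the port-80 match, and the input filter rule are additions.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS v6 CLI syntax,
# a LAN interface named "Local", an address list "Adult" holding the unfiltered
# users, and that the web proxy resolves names via /ip dns (so a proxied client
# never benefits from the dst-nat'ed DNS answer it received).

# 1. Router-side DNS. The proxy uses these servers for its own lookups, so this
#    choice decides what every proxied user gets. Here the unfiltered resolver is
#    chosen because only Adult users are sent through the proxy below.
/ip dns set servers=4.2.2.1 allow-remote-requests=no

# 2. Per-class DNS redirection for clients that query DNS directly.
#    Both UDP and TCP 53 are covered; the original rules only matched UDP,
#    so a client retrying a truncated answer over TCP would have escaped them.
/ip firewall nat
add chain=dstnat comment="Not an Adult -> OpenDNS (filtered), UDP" \
    in-interface=Local protocol=udp dst-port=53 src-address-list=!Adult \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53
add chain=dstnat comment="Not an Adult -> OpenDNS (filtered), TCP" \
    in-interface=Local protocol=tcp dst-port=53 src-address-list=!Adult \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53
add chain=dstnat comment="Adult -> 4.2.2.1 (unfiltered), UDP" \
    in-interface=Local protocol=udp dst-port=53 src-address-list=Adult \
    action=dst-nat to-addresses=4.2.2.1 to-ports=53
add chain=dstnat comment="Adult -> 4.2.2.1 (unfiltered), TCP" \
    in-interface=Local protocol=tcp dst-port=53 src-address-list=Adult \
    action=dst-nat to-addresses=4.2.2.1 to-ports=53

# 3. Transparent proxy for ONE class only. Whoever is redirected here inherits
#    the router's DNS policy from step 1; the filtered (!Adult) users must
#    bypass the proxy so their OpenDNS answers stay in effect.
add chain=dstnat comment="Transparent Web Cache (Adult only)" \
    in-interface=Local protocol=tcp dst-port=80 src-address-list=Adult \
    action=redirect to-ports=3128

/ip proxy set enabled=yes port=3128

# 4. Do not expose the proxy port to the public interface (an open proxy
#    otherwise becomes a relay for anyone on the Internet).
/ip firewall filter
add chain=input comment="No open proxy from WAN" in-interface=!Local \
    protocol=tcp dst-port=3128 action=drop

# 5. Checks.
#    Packet counters show which rule each class of client actually hits:
/ip firewall nat print stats
#    Confirm which servers the proxy itself will use for resolution:
/ip dns print
#    Then from a !Adult host and from an Adult host, resolve a domain that
#    OpenDNS filters for you and fetch it over HTTP: the !Adult host should
#    land on the OpenDNS block page, the Adult host on the real site.
```

The mirror design works equally well if caching matters more for the filtered group: set /ip dns to 208.67.222.222, redirect src-address-list=!Adult to port 3128, and leave Adult users unproxied. Either way, a client can only be in one regime, router-DNS-via-proxy or its own redirected DNS, never both. Two caveats remain: these rules only touch plain DNS on port 53 and plain HTTP on port 80, so HTTPS is neither proxied nor affected, and any client that resolves names by other means (for example a DNS-over-HTTPS client, or a browser with a hard-coded IP) is not covered by DNS-based filtering at all.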