Proxy or Squid Alternatives
-
Hello. I have a router that is exceedingly chatty even in AP mode. I captured the packets and see that it is pinging an AWS server every 20 seconds. My thinking was that I could use squid (maybe) to proxy a response, but it looks like squid is losing support in a future release.
The issue with the AP pinging is that, if it does not get a response, it thinks that the internet is down and reinitializes itself. When it does so, it drops the wireless clients. I do not need my AP to verify that the internet is up of course, it is poor design to be sure.
Regardless, the cost of replacing the AP is cost prohibitive, and I am looking for some alternatives. Thoughts? Thanks for looking.
-
I created a port forward NAT rule to meet this requirement (below). This rule is in place and I see no negative side effects thus far. I have killed all the states, captured the packets, and re-monitored the states. The packets look very different, but I am still seeing things I did not expect to see. The AP appears to be pinging 192.1.1.68 instead of the clients directly. But now, I still see the outbound communication via the WAN to AWS.
Here is the NAT:
Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP       NAT Ports  Description
LAN        ANY       192.168.1.246   *             WAN address    *            192.168.1.1  *          Redirect Router for any LAN Address
WAN        ANY       *               *             192.168.1.246  *            192.168.1.1  *          Redirect Router for any WAN Address
Here is an example of the states I see now:
LAN tcp 192.168.1.246:36352 -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
WAN tcp 174.17.63.23:56928 (192.168.1.246:36352) -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
LAN icmp 192.168.1.246:31569 -> 192.168.1.1:31569 0:0 1 / 1 84 B / 84 B
LAN udp 192.168.1.246:41556 -> 192.168.1.1:137 NO_TRAFFIC:SINGLE 1 / 0 78 B / 0 B
LAN icmp 192.168.1.246:58706 -> 192.168.1.1:58706 0:0 1 / 1 84 B / 84 B
LAN icmp 192.168.1.246:26195 -> 192.168.1.1:26195 0:0 1 / 1 84 B / 84 B
LAN icmp 192.168.1.246:43092 -> 192.168.1.1:43092 0:0 1 / 1 84 B / 84 B
And the packets:
17:59:49.728509 IP 192.168.1.246.36352 > 54.185.135.21.443: tcp 0
17:59:49.776234 IP 54.185.135.21.443 > 192.168.1.246.36352: tcp 0
17:59:50.852015 IP 192.168.1.246 > 192.168.1.1: ICMP echo request, id 9800, seq 0, length 64
17:59:50.852228 IP 192.168.1.1 > 192.168.1.246: ICMP echo reply, id 9800, seq 0, length 64
17:59:53.952113 IP 192.168.1.246 > 192.168.1.1: ICMP echo request, id 43080, seq 0, length 64
17:59:53.952259 IP 192.168.1.1 > 192.168.1.246: ICMP echo reply, id 43080, seq 0, length 64
17:59:56.477860 IP 54.185.135.21.443 > 192.168.1.246.36352: tcp 0
17:59:56.478080 IP 192.168.1.246.36352 > 54.185.135.21.443: tcp 0
17:59:57.059585 IP 192.168.1.246 > 192.168.1.1: ICMP echo request, id 60489, seq 0, length 64
On the LAN, it seems to be working, but the AP is still hitting 54.185.135.21 even with the NAT in place. Any idea why/how? Thanks for looking.
-
@ronmwhite said in Proxy or Squid Alternatives:
Here is the NAT:
Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP       NAT Ports  Description
LAN        ANY       192.168.1.246   *             WAN address    *            192.168.1.1  *          Redirect Router for any LAN Address
WAN        ANY       *               *             192.168.1.246  *            192.168.1.1  *          Redirect Router for any WAN Address
You might want to set the destination to any instead of WAN address. I don't think that the AP uses your WAN address as destination.
The rule on WAN might be superfluous. Traffic from the AP on the LAN will not enter pfSense on the WAN.
Here is an example of the states I see now:
LAN tcp 192.168.1.246:36352 -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
WAN tcp 174.17.63.23:56928 (192.168.1.246:36352) -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
Not sure if the AP is happy with the redirection. It obviously connects to an SSL port, so it might expect to get an SSL certificate from the server. But try it out.
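To make the point of the reply concrete (a port forward whose destination is "WAN address" only matches packets sent to pfSense's own WAN IP, so the AP's connection to 54.185.135.21 sails past it, and a rule bound to the WAN interface never sees LAN-originated traffic), here is a small model of how the two posted rules match the AP's packets, plus a check that reads the posted state-table lines and lists the AP's states that still leave the LAN. This is an added example written for this thread; it is not code from the posters or from pfSense. It assumes pf's translation rules are evaluated per interface with the first match winning, that the pre-NAT source on the WAN state line (174.17.63.23) is pfSense's WAN IP, and the ICMP packet to that WAN IP is constructed to show the one case the original rule would have caught.

```python
"""Model of how the two pfSense NAT port-forward (pf rdr) rules posted in this
thread match the AP's traffic, plus a check over the posted state-table lines.
Added example: not code from the thread or from pfSense. Rule semantics are
simplified (per-interface, first matching rule wins; no reply-to/route-to)."""
import ipaddress
import re
from dataclasses import dataclass

# Addresses taken from the post. Assumption: the pre-NAT source on the WAN
# state line (174.17.63.23) is pfSense's WAN IP.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
AP = ipaddress.ip_address("192.168.1.246")
PFSENSE_LAN = ipaddress.ip_address("192.168.1.1")
WAN_ADDRESS = ipaddress.ip_address("174.17.63.23")
AWS = ipaddress.ip_address("54.185.135.21")

# State-table lines copied from the post (the AP is 192.168.1.246).
POSTED_STATES = """\
LAN tcp 192.168.1.246:36352 -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
WAN tcp 174.17.63.23:56928 (192.168.1.246:36352) -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
LAN icmp 192.168.1.246:31569 -> 192.168.1.1:31569 0:0 1 / 1 84 B / 84 B
LAN udp 192.168.1.246:41556 -> 192.168.1.1:137 NO_TRAFFIC:SINGLE 1 / 0 78 B / 0 B
""".splitlines()

# "<iface> <proto> <src>:<port> [(<orig-src>:<port>)] -> <dst>:<port> ..."
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):\d+\s+"
    r"(?:\((?P<orig>[\d.]+):\d+\)\s+)?->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def ap_states_leaving_lan(state_lines):
    """Return (iface, proto, dst, dport) for every state whose pre-NAT source is
    the AP and whose destination lies outside the LAN, i.e. traffic the redirect
    was meant to stop. The WAN entry is the outbound-NAT side of the same LAN
    connection, so a leaking connection shows up once per interface."""
    leaks = []
    for line in state_lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        original_src = ipaddress.ip_address(m["orig"] or m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if original_src == AP and dst not in LAN_NET:
            leaks.append((m["iface"], m["proto"], str(dst), int(m["dport"])))
    return leaks


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet enters pfSense on
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int = 0      # 0 for ICMP


@dataclass(frozen=True)
class RdrRule:
    """One row of the pfSense NAT port-forward table, as posted."""
    iface: str
    proto: str          # "any" or a protocol name
    src: str            # "any" or a host address
    dst: str            # "any", "WAN address" or a host address
    nat_ip: str

    def matches(self, pkt):
        if pkt.iface != self.iface:
            return False                       # a rule is bound to one interface
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(self.src) != pkt.src:
            return False
        if self.dst == "WAN address":          # the firewall's own WAN IP, nothing else
            return pkt.dst == WAN_ADDRESS
        if self.dst != "any" and ipaddress.ip_address(self.dst) != pkt.dst:
            return False
        return True


def apply_rdr(rules, pkt):
    """Destination after NAT: the NAT IP of the first matching rule, or the
    original destination when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return ipaddress.ip_address(rule.nat_ip)
    return pkt.dst


RULES_POSTED = [
    RdrRule("LAN", "any", "192.168.1.246", "WAN address", "192.168.1.1"),
    RdrRule("WAN", "any", "any", "192.168.1.246", "192.168.1.1"),
]
# The reply's suggestion: destination "any" on the LAN rule, WAN rule dropped.
RULES_FIXED = [RdrRule("LAN", "any", "192.168.1.246", "any", "192.168.1.1")]

# Constructed packets: the AP's TLS connection to AWS from the post, and a
# hypothetical ping from the AP to pfSense's WAN address.
AP_TO_AWS = Packet("LAN", "tcp", AP, AWS, 443)
AP_TO_WAN_IP = Packet("LAN", "icmp", AP, WAN_ADDRESS)

if __name__ == "__main__":
    print("AP states still leaving the LAN:", ap_states_leaving_lan(POSTED_STATES))
    for name, rules in (("posted", RULES_POSTED), ("fixed", RULES_FIXED)):
        print(name, "AP->AWS:443 goes to", apply_rdr(rules, AP_TO_AWS))
        print(name, "AP->WAN IP goes to", apply_rdr(rules, AP_TO_WAN_IP))
```

With the posted rules the TCP connection to 54.185.135.21:443 is left untouched (the LAN rule wants the WAN IP as destination, and the WAN rule never matches a packet entering on LAN), which is exactly the state pair in the post; with destination "any" it is rewritten to 192.168.1.1. The model only decides matching: whether the AP accepts a TLS connection answered by pfSense's own certificate, as the reply cautions, is a separate question.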