DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2820 - all traffic through proxy

  • ia76
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
07 Sep 2010 18:45 #63701 by ia76
2820 - all traffic through proxy was created by ia76
Hi

We have a proxy server for web filtering which people are finding various ways around eg. use firefox from a USB stick etc.

How do I setup rules in our Draytek to force all internet traffic throught he proxy server?

Thanks

Please Log in or Create an account to join the conversation.

More
07 Sep 2010 18:55 #63702 by voodle
Replied by voodle on topic 2820 - all traffic through proxy
Maybe configure a firewall rule so that any port 443 or port 80 TCP traffic that's not going to the proxy server's address as the destination will be blocked? That should work for forcing internet traffic through the proxy.

Please Log in or Create an account to join the conversation.

  • ia76
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
07 Sep 2010 18:59 #63705 by ia76
Replied by ia76 on topic 2820 - all traffic through proxy
Thats'e exactly what I want to do but I'm unsure how to set it up in the router.

Please Log in or Create an account to join the conversation.

More
08 Sep 2010 08:56 #63713 by j.baker
Replied by j.baker on topic 2820 - all traffic through proxy
This will stop all web traffic requests that does not come from your proxy server. The 2820 cannot redirect web traffic top a web server.

This will only work on 3.3.4 It does not work on 3.3.3 as you get errors when adding/editing any ip/service objects and the firewall will not block packets correctly

Backup your router configuration before making any changes.

This is a long post, but you did ask :)

To block all web traffic except from your proxy server you will need to know:
1. IP address of proxy server (EG 192.168.1.200)
2. IP subnet range (E.G. 192.168.1.0 255.255.255.0)
3. You will need to compile a list of protocols/ports that you can't blocked.

Here is a list of ports that I have seen http(s) requests use in my network
HTTPS TCP 443,8443
HTTP TCP 80-82,8080, 8080

Login to the router
go to Firewall >> General Setup
make a note of the default data filter (default is set 2)
If your default filter is set to anything other than Pass, this setup is more complicated and will not be covered by this post

You now need to create a list of ports/protocols that you wish to permit/block.
Go to Objects Setting >> Service Type Object
Locate an clear/empty Object profile and click on the index number

Enter the description/name for each port for want to block/permit.

E.G.
Name = HTTP_TCP_80-82
Protocol = TCP
Destination port = 80 - 82

Name = HTTPS_TCP_443
Protocol = TCP
Destination port = 443 - 443

repeat using unique names for each one

Afterwards you should have a list of 2+ IP Service objects.

Now go to Objects Setting >> Service Type Group.

Find a empty/clear group and click on the index.
Give the new index a name (E.G. HTTP_Traffic)

Locate the newly created service objects on the left and add them to the right. Click on the left and then the right arrow. Press OK when done.

You now need to define the IP subnet and IP address of your proxy server.
Now go to Objects Setting >> IP Object
Find an empty/clear index. Give it a name (E.G. LAN_SUBNET)
Select the interface to be LAN. Change the address type to be Subnet Address
Enter the first IP address of your network. (E.G. 192.168.1.0)
Enter the subnet mask (E.G. 255.255.255.0)
Press Ok.

You now need to create an IP object entry for your proxy server.
Find an empty/clear index. Give it a name (E.G. PROXY_SERVER)
Select the interface to be LAN. Change the address type to be Single Address
Enter the IP address of your proxy server (E.G. 192.168.1.200)


You now need to go to Firewall >> Filter Setup
locate your data filter (default is 2, but you need to make sure). If the filter set is full, find an empty data set and then change the Next Filter set drop down box to that number.

You need to create two rules. One to permit all http traffic from your proxy server, and one to block the rest. This order is very important.
Click on the data filter that you will be using.
Firewall >> Filter Setup >> Edit Filter Set
Click the check box.
Enter a comment (E.G. Allow Proxy)
Set direct LAN>WAN
Source IP need to be the IP Object for your proxy server.
Click edit, which will open a new window. Change address type to be Groups and Objects.
Change the first IP Object to be the IP object that your created for your proxy server (E.G. PROXY_SERVER) Press OK.
Leave the destination as ANY

You need to change the Service Type to be the Service Group object that you created earlier.
Click edit, which will open a new window. Change the Service type to be Groups and Objects. Change the Service Group to be the HTTP service group (E.G. HTTP_Traffic). Press OK.
Make sure that the Application filter is set to PASS

Press OK. This will take you back to Firewall >> Filter Setup >> Edit Filter Set
You now need to create a new filter rule that is after the rule you just created. This is on the same page or in a new filter.

Click on the filter rile. Enable the rule. Enter a name (E.G. Block HTTP).
Direction LAN>WAN.
You can set the source IP address to you the IP object for you LAN, or you can leave it at ANY to stop all traffic.
Set the destination to ANY (Default setting)
Change the Service Type to be the HTTP service object (E.G. HTTP_Traffic)
Change the application filter to Block Immediately. Press OK.
Press OK.

Now test.

Regards

John Baker


Vigor2820 series with firmware 3.3.5.2_RC2
ADSL

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami