Web Proxy Forwarding Enhancement

This seems counterintuitive to the “intercept concept”. Most workstations that will use proxy servers within a web browser are on a corporate network and therefore VPN through a device, so a Peplink device will never see such a setting. ATT, Verizon, Comcast, et al. do some form of transparent proxy even after it flows through the Peplink device. If they have split-tunneling enabled and their proxy server is reachable from the internet, well, their admins shouldn’t be admins any longer. Cache poisoning isn’t just for DNS.

This setting should be enhanced to allow a network without proxy settings specified to redirect (transparent proxy) to a LAN (or internet) proxy server. For example, 192.168.1.0/24 with the PepLink sitting at 192.168.1.1 should be able to intercept 80/tcp traffic and forward it to 192.168.1.2:3128, a local LAN squid proxy, thereby offloading 80/tcp and sanitizing it if necessary.

This could also be accomplished if a Peplink device is given the option for port forwarding on the LAN network under “Port forwarding” or “Access Rules”. Ideally, it should be service forwarding, and Web Intercept should be reworked to proxy all 80/tcp outbound, not just if-web-proxy-set-in-browser-then-portforward-to-peplink-proxy.

Mark

Thanks for your comments. I will move this post to Feature Request for the team to take into consideration.

Hi Marcus,

In the coming 6.2.0 there is Custom Service Forwarding, which would fit your need. We shall have an RC release for customers in the coming week. Below is the screen capture for reference:



In this case, if I have 3 proxy servers, will firmware 6.2 balance between them? What about a health check to avoid redirecting traffic to a service server that is down?

Hi,

Custom Service Forwarding is not used for server load balancing. It can only redirect to one server at a time. If server load balancing is important, we advise getting a server load balancer from the market.

Hope this helps.


This works fine; however, if using the captive portal (with Radius in our case), the splash page never shows, because the port 80 traffic that is required to trigger the login page is redirected to the proxy instead of the Radius server.

I tried putting the proxy server’s IP address in allowed networks, but this did not help. Any suggestions?

Thanks

Could you share your use case for “service forwarding” and “captive portal”? Do you need to enable both features together?


Hi:

I am using Captive Portal for Radius authentication of users.

Once users are logged in, we have a Proxy server where we redirect traffic which validates the requested URL against a blacklist, and if the site is OK, the traffic goes through, but if it is a “forbidden” site, the user gets a page saying “Sorry - this site violates the terms and conditions of use”.

When Custom Service Forwarding is Enabled, forbidden sites are blocked which is the expected behaviour, however, the Captive Portal never shows (as if it is turned off), and the user has access to the Internet without having to authenticate.

It seems that the initial HTTP request, which is supposed to trigger the login page, instead gets forwarded to the proxy server, and if it is not a blocked site, the user sees the URL’s webpage instead of the login page.

I am looking for a way for this Custom Service Forwarding to only happen after authentication.
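The two behaviours discussed in this thread, transparently forwarding LAN 80/tcp to a squid proxy (first post) and only doing so once a client has passed the captive portal (the post above), can be expressed as a packet-filter ruleset. The following is an added example written for this page, not Peplink’s firmware or configuration: it is a generic Linux nftables ruleset. The LAN 192.168.1.0/24, gateway 192.168.1.1 and proxy 192.168.1.2:3128 are taken from the first post; the interface name `lan0`, the portal listening on the gateway at port 8080, the `authenticated` set name and the 8-hour timeout are assumptions.

```nftables
# Added example (not Peplink's code): a generic nftables ruleset that
# forwards LAN HTTP to a squid proxy only for clients that have already
# authenticated at the captive portal. Interface "lan0" and portal port
# 8080 are assumed; addresses follow the thread's first post.
table ip lanproxy {
    # Clients that completed captive-portal (e.g. RADIUS) login. The portal
    # adds an address here on success; an entry that is not refreshed
    # expires after 8 hours, so the client falls back to the login page.
    set authenticated {
        type ipv4_addr
        flags timeout
        timeout 8h
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Never rewrite traffic addressed to the gateway or the proxy itself,
        # otherwise the portal page and the proxy's own replies would loop.
        ip daddr { 192.168.1.1, 192.168.1.2 } return

        # Unauthenticated LAN clients: send plain HTTP to the local portal
        # so the login page can be shown. This rule MUST precede the proxy
        # rule; reversing the order reproduces the symptom in the thread
        # (proxy answers first, portal never appears).
        iifname "lan0" ip saddr 192.168.1.0/24 ip saddr != @authenticated tcp dport 80 redirect to :8080

        # Authenticated clients: transparently forward 80/tcp to squid,
        # which applies the URL blacklist and serves the "forbidden" page.
        iifname "lan0" ip saddr @authenticated tcp dport 80 dnat to 192.168.1.2:3128
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # The proxy sits on the same subnet as the clients. Without source
        # NAT it would answer the client directly from 192.168.1.2, the
        # client would see a reply from an unexpected address and reset the
        # connection. Masquerading keeps the return path through the gateway.
        ip daddr 192.168.1.2 tcp dport 3128 masquerade
    }
}
```

Load it with `nft -f` and add a client after a successful login with `nft add element ip lanproxy authenticated { 192.168.1.50 timeout 8h }` (address constructed for illustration). Squid must be started with an intercept-mode listener (`http_port 3128 intercept`) to accept redirected connections. The masquerade rule hides the original client address from the proxy’s access log; if per-client logging matters, drop it and instead add a route on the proxy host that sends replies to 192.168.1.0/24 back via the gateway.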

This is a very interesting use case whereby Custom Service Forwarding and Captive Portal are enabled at the same time. For the current firmware, I would say this is not the expected usage, as normally when service forwarding is enabled we expect the forwarded traffic to be handled by the remote server. We will put this as a feature request and allow the Engineering team to further consider the request.


Thank you. Any idea when it might be implemented?