Is it possible to use Firewalla products to whitelist websites before a proxy server?
Hi,
I apologize for the naïvety of my question, but my informatics knowledge is limited.
I am a teacher and I'm searching for a simple solution for my classroom to whitelist the only websites my students are allowed to browse with the school tablets.
Our school has a specific network installation managed by an academic technical service. When you connect to this network, you have to redirect all connections to their proxy server at 172.16.0.1, which has its own firewall.
For example, in our classrooms we have a PC under Windows 10, where you have to activate the proxy settings to redirect connections to 172.16.0.1, otherwise all internet connections are blocked.
The problem is that I can't ask this technical service to add specific firewall rules only for my classroom, so I wish to find a solution to add my own firewall rules directly in my classroom, before the global school firewall.
I have tried different Android firewall applications installed directly on the tablets, but as the tablets' connection is redirected to this proxy server, Chrome sends requests to the proxy url (172.16.0.1), so the firewall sees only the proxy url, but not the real url you want to browse in Chrome, and then the firewall doesn't filter anything.
In my classroom my little network is like that:
tablets (wifi connection with proxy enabled) --> wifi router --> proxy server at 172.16.0.1 --> academic firewall --> internet
Could you please tell me if Firewalla systems (Red in particular) can manage a whitelist of websites with such a proxy connection that wraps the real url request?
Thank you for your help.
-
Is the WiFi router redirecting web pages to your proxy server? Or is it the bigger router after it? I assume it is the WiFi router doing the redirecting.
It should be possible. Since we don't sell the Red anymore, you can use Purple SE in simple or DHCP mode. The only issue is, you will need to make sure your WiFi router is compatible in simple mode, or it can be configured in DHCP mode. (https://firewalla.com/compatibility and you can check simple/DHCP mode compatible devices)
-
Thank you for your answer.
The wifi router is a D-Link 868L that I have installed in my classroom. The tablets connect to this router by wifi (with proxy settings) and the router itself is connected on its WAN port by a cable to an ethernet plug they have installed in my classroom. Those plugs are wired to the proxy server placed in a room near the administration office.
Yes, I have read that you are not selling Red anymore, but I have found a second-hand Red that I could afford. Even if it is not sold anymore, is it still possible to continue to use the Red product and its application for some time?
The Purple SE is more expensive and as I live in France, the shipping cost + VAT + import fees applied by customs will make the total much bigger and not easy to estimate. But I'm also still looking in this direction, if you think Red is not a good choice for my needs.
I don't see the D-Link 868L in the compatibility list, but in its administration console, you can disable the DHCP server.
If I have understood correctly, when Firewalla is configured in DHCP mode, I have to disable the DHCP server of my router, to replace it with the DHCP of Firewalla. This is what allows Firewalla to intercept & filter all packets.
Also, does Purple SE have a Transparent Bridge Mode like Purple (not SE), as this mode seems easier to configure and should work whatever the router model is?
In both cases (DHCP mode or bridge mode), can Red or Purple do a whitelist of authorized websites, even if the browser requests are sent only to the same proxy IP (172.6.0.1)? The problem is that I have no idea how the browser sends to the proxy the real url it wants to reach. So I wish to be sure that in Firewalla there are some parameters somewhere to tell it that the connection goes through a proxy and so it has to filter not the proxy url, but the website urls, probably contained somewhere in the data of the packet.
Thank you very much for those precisions.
-
If you can disable DHCP on the D-link, then DHCP mode should work. It is probably a better mode than simple mode.
Transparent bridge mode works if you can place the Firewalla unit in between something. Usually, it is a router and a WiFi access point. It may work if your proxy settings are on kids' devices, not on the D-Link WiFi.
As for proxy settings, if the browser is hard coded to 172.6.01, then it will NOT work for Firewalla, since Firewalla will only see traffic going to 172.6.01. If this is the case, I don't think any Firewalla device will work.
-
I don't think the proxy is hard coded in the browser, we only use the simple proxy parameters of the connection (under Windows for PCs or Android for tablets).
For example on Android, when you want to connect to a wifi router, you set the wifi password and then in the parameters you can choose "none" or "manual" Proxy. I have made a screen capture to show you what I mean by a proxy, as maybe I didn't use the good technical words to describe my situation:
https://zupimages.net/up/23/38/oj2q.jpg
I'm surprised that I can't find a firewall that can intercept a connection with proxy redirection, as it is a very common network structure. All French schools use this to send the browser requests to this kind of proxy server before sending them to the internet, in order to filter internet access and avoid students seeing content not adapted to a school environment. Are you sure Firewalla can't manage proxy redirection of this kind?
Thank you again for your help.
-
My understanding is your devices (android or ios) may have a special certificate installed on them, and then that certificate is used to talk to the proxy. If this is the case, interception of the proxy is not possible due to the encryption part. (I don't think any software at the network layer can do that).
-
The devices are tablets Samsung Galaxy Tab A7 under Android 12.
I assure you that there is not any specific certificate or encryption to establish the proxy connection. The tablets are not modified in any way, they use only the simple proxy connection mode proposed by Android for tablets or Windows for PCs.
There is an example here of the Windows 10 manual proxy configuration that is used on our PCs:
You just have to enter the proxy IP & port (172.16.0.1:3128) and that's all. Then all traffic is redirected to this url.
It would be nice if Firewalla could manage that simple proxy mode as it is very common to protect schools & administrations.
Thank you anyway for your kind help.
-
Okay, if you do not have to install certificates, then your proxy is likely not filtering https traffic.
We do not have proxy capability on our box yet. May I ask: do you want to open up more sites that are blocked by your school, or do you want to block more?
Does your school filter traffic based on the end devices?
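
An added illustration of the point the thread keeps returning to (not written by any participant, and not Firewalla code): with a manual proxy configured, the browser names the real destination in the first line of the request it sends to the proxy, as an absolute URL for plain HTTP or as `CONNECT host:port` for HTTPS, so a filter has to read that line rather than the destination IP. The sketch parses such request lines and applies a suffix allowlist; the domain list and the sample request lines are constructed.

```python
from urllib.parse import urlsplit

# Constructed classroom allowlist (assumption, not from the thread).
ALLOWED_DOMAINS = {"wikipedia.org", "education.gouv.fr"}


def proxied_host(request_line):
    """Return the destination host named in an explicit-proxy request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    try:
        if method.upper() == "CONNECT":
            # HTTPS tunnel: authority-form target, e.g. "host:443".
            host = urlsplit("//" + target).hostname
        else:
            # Plain HTTP via proxy: absolute-form target, e.g. "http://host/path".
            url = urlsplit(target)
            host = url.hostname if url.scheme == "http" else None
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def is_allowed(host):
    """Exact or subdomain match; 'wikipedia.org.example.net' must not pass."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(request_line):
    """Fail closed: anything that cannot be parsed is blocked."""
    host = proxied_host(request_line)
    return "allow" if host and is_allowed(host) else "block"


# Constructed request lines, as a client set to 172.16.0.1:3128 would send them.
SAMPLES = [
    "GET http://fr.wikipedia.org/wiki/Pare-feu HTTP/1.1",
    "CONNECT www.education.gouv.fr:443 HTTP/1.1",
    "CONNECT video.example.net:443 HTTP/1.1",
    "GET http://wikipedia.org.example.net/ HTTP/1.1",
    "GET /index.html HTTP/1.1",  # origin-form: not a proxy request
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decide(line), "<-", line)
```

For HTTPS, only the host and port from the `CONNECT` line are visible to such a filter; the paths requested inside the tunnel are not.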