Discussion in 'DD-WRT Firmware' started by melcahoon, Dec 8, 2007.

  melcahoon

    melcahoon Network Guru Member

    I am using the latest DD-WRT and have a question. I have the option of using an externally hosted proxy server DansGuardian (by my ISP) for content filtering. Right now I can go into IE settings and set it for each PC, but is there a way to set this at the router so that all web traffic goes through the filter? Their proxy address is http://www.xmission.com/filter.pac

  Disman_ca

    Disman_ca Super Moderator Staff Member Member

  melcahoon

    melcahoon Network Guru Member

    Thanks - additional questions

    Not being familiar with IPTables, I tried to access the script listed in the Wiki but that is a broken link. Can someone else offer a script that may work? Also, I am accessing not just an IP for my proxy, but www.xmission.com/filter.pac. Will this still work?

  melcahoon

    melcahoon Network Guru Member


    In case the script listed in the wiki IS the needed script, I was unable to get it to work for some reason.

    First off, I changed the variables to:


    I then pasted it into my SSH session (using PuTTY) along with the rest of the directions listed in the Wiki. Still no luck. In fact, I had to restore default settings to allow wireless access again.

    Sorry to be so dumb. I am just hoping that I can have an external proxy for content filtering work with this firmware. The Wiki shows how an internal proxy (on the same subnet behind the firewall) works, but doesn't indicate if an external proxy (hosted by the ISP) will work.

    Thanks for any help!
  LLigetfa

    LLigetfa LI Guru Member

  mstombs

    mstombs Network Guru Member

    Your PAC file says:

    function FindProxyForURL(url, host) {
        if (isPlainHostName(host) ||
            dnsDomainIs(host, ".xmission.com") ||
            dnsDomainIs(host, "windowsupdate.microsoft.com") ||
            dnsDomainIs(host, ".windowsupdate.microsoft.com") ||
            isInNet(host, "", "") ||
            isInNet(host, " ", "") ||
            isInNet(host, "", "") ||
            shExpMatch(url, "https:*"))
            return "DIRECT";
        return "PROXY proxy.xmission.com:8083; DIRECT";
    }
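    As an added example (not from the thread or from xmission), here is the PAC logic above run offline in Node, with the standard PAC helper functions implemented locally. The isInNet() arguments are blank in the thread's copy of the file, so the subnet below is a constructed placeholder; the point worth noticing is that every https: URL returns DIRECT, so neither the PAC nor a port-80 redirect sends HTTPS traffic through the filter.

```javascript
// Added example, not from the thread: evaluator for the quoted PAC logic.
// PAC helpers are re-implemented here so no browser is needed; the isInNet()
// subnet is a constructed placeholder (TEST-NET-1), not xmission's real one.

// A host with no dots is an unqualified LAN name.
function isPlainHostName(host) {
  return !host.includes(".");
}

// Host lies inside `domain` (".xmission.com" matches www.xmission.com).
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// Browsers resolve `host` via DNS first; offline, only literal IPs are checked.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || !pattern || !mask) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Shell-style glob match supporting * and ?.
function shExpMatch(str, shexp) {
  const esc = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + esc.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
}

// The PAC function from the thread, braces restored, placeholder subnet.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".xmission.com") ||
      dnsDomainIs(host, "windowsupdate.microsoft.com") ||
      dnsDomainIs(host, ".windowsupdate.microsoft.com") ||
      isInNet(host, "192.0.2.0", "255.255.255.0") ||  // placeholder subnet
      shExpMatch(url, "https:*"))
    return "DIRECT";
  return "PROXY proxy.xmission.com:8083; DIRECT";
}

// Derive the host argument from the URL the way a browser does.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```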
  melcahoon

    melcahoon Network Guru Member

    Ahhh, thanks for the tips. One last question - can I implement this using webmethod rather than ssh or telnet? I assume this is a firewall script?
  melcahoon

    melcahoon Network Guru Member

    Well, I tried to implement this with the webmethod.

    iptables -t nat -A PREROUTING -i br0 -s -d -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -o br0 -s -p tcp -d -j SNAT --to
    iptables -t filter -I FORWARD -s -d -i br0 -o br0 -p tcp --dport 8083 -j ACCEPT

    This works in that it blocks sites, but it actually ends up blocking everything. It looks like it is looking for http:// in front of the proxy IP. If I put it there, it allows access to everything - even sites that should be blocked (victoriassecret.com for example).

    When attempting to view a non-blocked address, the following is returned:

    The requested URL could not be retrieved


    While trying to retrieve the URL: /business

    The following error was encountered:

    Invalid URL
    Some aspect of the requested URL is incorrect. Possible problems:

    Missing or incorrect access protocol (should be `http://'' or similar)
    Missing hostname
    Illegal double-escape in the URL-Path
    Illegal character in hostname; underscores are not allowed
    Your cache administrator is support@xmission.com.

    Any further ideas from any of the gurus here? Please ??? :)
  mstombs

    mstombs Network Guru Member

    The script you have followed is for a proxy server on the LAN. If your NAT router is working you must already have a POSTROUTING MASQUERADE command on the WAN port (vlan1?), so you don't need command 3. If you are filtering everything by default the last command won't help, and you need to change "-o br0" to "-o vlan1" (or whatever your connection uses as WAN port). Still not sure it's as simple as this to set up such an external proxy - this hides the original address. When a browser knows it has a proxy it must pass on the full request, not just redirect?
  melcahoon

    melcahoon Network Guru Member

    Thank you so much for the response mstombs! First off, I have not changed any defaults regarding the WAN port in any other configurations. My NAT router is working as I have some port filtering going on that has no problems. I removed command 3, nothing changed.

    I am filtering all http requests only. I changed to -o vlan1 but there was no change.

    I see what you mean. My limited knowledge of scripting appears to leave me stranded. My original 4 lines got me the closest to seeing this working if I make the second command:

    iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 80 -j DNAT --to

    However, this results in everything being blocked and the error I posted above is returned. From what I have gathered, there is no pre-written script that supports an external proxy?

    This would be a great addition to the documentation :)
  mstombs

    mstombs Network Guru Member

    This suggests it should work, except for those connections which are HTTP v1.0 only.


    I can see how the mangle (if available on DD-WRT) would work if the proxy was on the local LAN, but I'm not sure about full internet routing.

    Might be worth checking your WAN port name using "ifconfig" - if you use a pppoe modem it might be ppp0 for example, not vlan1...
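    As an added example (not from the thread), the difference mstombs is pointing at in his last two posts: a browser that knows about the proxy sends the full URL on the request line, while a connection that iptables has DNATed to port 8083 arrives with only the path, which is exactly what the "Invalid URL ... Missing hostname" reply quoted earlier complains about. The request samples and www.example.com are constructed; the `intercepting` flag is an assumption modelling a proxy configured to rebuild the URL from the Host header, which a plain forward proxy does not do.

```javascript
// Added example, not from the thread: what the upstream proxy receives after
// the port-80 DNAT versus from a browser configured to use the proxy.
// Sample requests are constructed; only the proxy name comes from the thread.

// Return the absolute URL the proxy can serve, or null when it cannot tell
// which site was wanted (the thread's "Invalid URL / Missing hostname" case).
// `intercepting` models a proxy set up to accept redirected traffic and
// rebuild the URL from the Host header; a plain forward proxy does not.
function requestToUrl(raw, intercepting = false) {
  const lines = raw.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  if (!method || !target || !version) return null;
  // Explicit proxy: the browser puts the full URL on the request line.
  if (/^https?:\/\//i.test(target)) return target;
  // Transparent redirect: only the path arrives on the request line.
  if (!intercepting) return null;
  // HTTP/1.1 still carries Host, so an intercepting proxy can recover the site.
  const hostLine = lines.slice(1).find((l) => /^host:/i.test(l));
  if (!hostLine) return null; // HTTP/1.0 clients may send no Host at all
  const host = hostLine.slice(hostLine.indexOf(":") + 1).trim();
  return host ? "http://" + host + target : null;
}

// Browser configured via the PAC, talking to proxy.xmission.com:8083 itself.
const explicitProxyRequest =
  "GET http://www.example.com/business HTTP/1.1\r\n" +
  "Host: www.example.com\r\n\r\n";

// The same GET after iptables DNATs the port-80 connection to the proxy.
const redirectedHttp11 =
  "GET /business HTTP/1.1\r\n" +
  "Host: www.example.com\r\n\r\n";

// An HTTP/1.0 client after the same DNAT: no Host header to fall back on.
const redirectedHttp10 = "GET /business HTTP/1.0\r\n\r\n";

// Request shape x proxy mode, so the failing combinations are visible at once.
function summarize() {
  return {
    explicit: requestToUrl(explicitProxyRequest),
    redirectedForwardProxy: requestToUrl(redirectedHttp11),
    redirectedIntercepting: requestToUrl(redirectedHttp11, true),
    redirectedHttp10Intercepting: requestToUrl(redirectedHttp10, true),
  };
}
```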
