Community Forum

Hi

I have a problem with my set up.

I have a ClearBox running ClearOS 6.3 and I have two different LANs defined:

1 LAN and 1 HotLAN

The reason for this is that the clients on the HotLAN should not be able to see or communicate with the clients on the LAN.

The problem now is that the clients on the HotLAN do not have to enter a username/password to be able to access web content on the Internet.

User authentication is enabled
Transparent mode is disabled

The users on the normal LAN have to use a username/password via the proxy server to access web content on the Internet.

My question now is: how do I force users on the HotLAN to enter a username/password for web content?

I have traced the traffic from the clients on the HotLAN, and the traffic is going through the proxy.
Wednesday, February 22 2017, 01:19 PM

Accepted Answer

Wednesday, February 22 2017, 03:50 PM
This is by design. The proxy is NOT enabled on the HotLAN because, if it were, users on the HotLAN could surf the LAN. Basically, the ClearOS server is trusted by the LAN and can communicate with it freely. If you use the server as a proxy, then surfing is a trusted activity for the server itself, and users on the HotLAN would be able to surf the LAN. As you stated...

"The reason for this is that the clients on the HotLAN should not be able to see or communicate with the clients on the LAN."

Giving HotLAN users access to the proxy means that they would be able to see and communicate with the clients on the LAN, since they would be using the server as their intermediary.

You can override this behavior, however, with custom firewall rules that override the firewall redirect of ports and with overrides on the proxy server to accept proxy connections from this extra LAN, but it is not part of the design, nor is it a supported method, because it, quite frankly, ruins the whole security paradigm of the HotLAN.

Having a second ClearOS server just to filter your HotLAN is a common solution. You can even virtualize it if your hardware supports that sort of thing. A service like DNSthingy would filter both networks, but currently it is an either/or between this service and the content filter.
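The answer above explains the pivot that makes the unsupported override dangerous: ClearOS's web proxy is Squid, and Squid evaluates `http_access` rules top to bottom with first match winning, so a single line that lets authenticated HotLAN clients use the proxy also lets the proxy fetch LAN-side URLs for them. The example below is an added illustration, not ClearOS or Squid code. It models that first-match evaluation over two constructed config fragments (subnets, ACL names and rules are all assumptions chosen for the example, not taken from the poster's box) and checks whether an authenticated HotLAN client can reach a LAN destination. It only handles `src`, `dst` and `proxy_auth` ACLs with IP literals; real Squid resolves hostnames for `dst` and answers an unauthenticated request with a 407 challenge rather than simply skipping the rule.

```python
"""Model Squid's first-match http_access evaluation for a LAN / HotLAN split.

Hypothetical example, not ClearOS or Squid code.  Subnets, ACL names and both
config fragments are constructed for illustration.
"""
import ipaddress

# Constructed config: the naive override.  HotLAN clients are admitted once
# they authenticate, and nothing stops the proxy from fetching LAN URLs for them.
NAIVE_CONF = """
acl lan     src 192.168.1.0/24
acl hotlan  src 192.168.2.0/24
acl lan_dst dst 192.168.1.0/24
acl auth    proxy_auth REQUIRED
http_access allow lan auth
http_access allow hotlan auth
http_access deny all
"""

# Constructed config: same, but HotLAN -> LAN destinations is denied *before*
# the allow.  Because matching is first-match, authenticating no longer opens
# a path onto the trusted LAN through the proxy.
HARDENED_CONF = """
acl lan     src 192.168.1.0/24
acl hotlan  src 192.168.2.0/24
acl lan_dst dst 192.168.1.0/24
acl auth    proxy_auth REQUIRED
http_access deny hotlan lan_dst
http_access allow lan auth
http_access allow hotlan auth
http_access deny all
"""


def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # Squid's built-in 'all'
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """Evaluate one ACL against a request dict (src, dst, authenticated)."""
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(request[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":
        # Real Squid sends a 407 challenge here; we treat 'not yet
        # authenticated' as a non-match so later rules are consulted.
        return request["authenticated"]
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(conf, src, dst, authenticated):
    """First-match evaluation of http_access; returns 'allow' or 'deny'."""
    acls, rules = parse(conf)
    request = {"src": src, "dst": dst, "authenticated": authenticated}
    for action, terms in rules:
        matched = True
        for term in terms:           # all terms on a line are ANDed
            negate = term.startswith("!")
            hit = acl_matches(acls, term.lstrip("!"), request)
            if hit == negate:
                matched = False
                break
        if matched:
            return action
    # Squid's default when nothing matches: the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


def hotlan_can_reach_lan(conf, hotlan_client="192.168.2.10",
                         lan_host="192.168.1.5"):
    """The check that matters: can an authenticated HotLAN user proxy to the LAN?"""
    return http_access(conf, hotlan_client, lan_host, True) == "allow"


if __name__ == "__main__":
    for label, conf in (("naive", NAIVE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: HotLAN -> LAN via proxy = "
              f"{'REACHABLE' if hotlan_can_reach_lan(conf) else 'blocked'}")
```

Run it as-is and the naive fragment reports the LAN as reachable while the hardened one does not; the difference is nothing but rule order. That deny line is the minimum a practitioner would insist on before even experimenting with the override the answer describes, and it still leaves the other half of the design intact only if the firewall side is handled too, which is why the answer points at a second server instead.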