How to deny internet access from clients that do not use proxy?

Hi there,

I’m facing an issue for which I did not find an answer after hours of searching.

I’m using IPFire in a school, standard usage, 95% Windows clients:

  • Green for LAN clients and network printers.
  • Blue for Wireless clients

I’m actually using the proxy in transparent and non-transparent mode (via WPAD), with forcesearch activated, and everything works fine.

Anyway, wireless (Blue) clients can disable the proxy in their browser or in the Windows settings. This is my problem.

I tried to tick the option “drop all packet that are not addressed to proxy” but:

  • it broke WPAD
  • it broke the firewall rules that allowed Blue clients to access network printers on Green; they cannot access the printers any more.

So my question is: how can I deny internet access to Blue clients that do not use the proxy, without preventing them from reaching the network printers on the Green network?

My English is a bit limited, sorry for that, and thanks in advance for answers.

Mark.A

Hi Mark,
welcome to the world of IPFire.

I think there is no simple answer to your problem.
Many wireless clients (‘smart’phones) ignore proxy settings from DHCP or WPAD. You can deny HTTP(S) access to other IPs than the proxy by a firewall rule. But then these devices cannot access the internet.
Another misbehaviour is DNS requests to external name servers by these devices. This can be handled by redirecting these requests to the local DNS server (IPFire). This solution is under development. See the associated discussions in this forum.

Bernhard


Thanks for your reply. Smartphones aren’t a concern in my case, as students’ smartphones are not allowed. Only Windows clients are concerned (around 400 clients).

That’s exactly what I’m trying to do for Windows clients.

“drop all packet that are not addressed to proxy” is ticked.

So, I made a little proxy toggle (ON/OFF) executable for clients that simply modifies the Windows registry proxy settings to let clients access the internet through the IPFire proxy when turned ON. It’s working as intended: clients cannot access the internet when the proxy toggle is turned OFF.

But I still have the issue that wireless (Blue) clients cannot access the LAN (Green) network printers. Perhaps I’m missing something with the firewall rules?
Or perhaps the “drop all packet that are not addressed to proxy” option breaks/overrides the firewall rules between the Blue and Green networks?

Hi,

the description of this checkbox is somewhat misleading, I believe: it actually triggers the creation of an iptables rule that drops all packets arriving on the BLUE interface that are not addressed to IPFire’s proxy port. (See the source code for details.)

So, indeed, ticking that checkbox will drop anything else, hence also breaking access to network printers within GREEN.

This is true. Sorry for the confusion. :-)

Yes. You can achieve the same goal by unticking the “drop all packet that are not addressed to proxy” checkbox and creating the following firewall rule:

  • Source: BLUE network
  • Destination: Any network
  • Protocol: Any
  • Action: Drop

Make sure this rule comes after the firewall rule allowing traffic from BLUE to network printers in GREEN. Depending on your configured firewall default policy, you might need another rule for permitting access from BLUE to IPFire’s proxy port on BLUE.

(The latter should be implicit, I believe, but I am currently unable to check that.)

Thanks, and best regards,
Peter Müller

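The rule ordering that the answer above insists on is easy to get wrong in a web UI, so here is an added example (not code from the thread, from IPFire, or from its firewall scripts) that models the discussed rule sets as a first-match list, the way an iptables chain is evaluated, and runs a few constructed BLUE packets through them. It shows what the checkbox rule does to printer traffic, why the explicit allow rules must sit above the catch-all drop, and where the default policy matters for proxy access. All addresses, the printer ports and the proxy port 800 are assumptions for the example, not values from the post; the model also flattens IPFire’s separate INPUT (traffic to IPFire itself) and FORWARD (traffic through IPFire) chains into one list, which is why the proxy rule the answer calls “implicit” appears here as an explicit one.

```python
# Added example: first-match model of the BLUE firewall rules discussed in the thread.
# Not IPFire code. Every address, port and rule name below is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: BLUE 192.168.2.0/24 with IPFire at .1, GREEN 192.168.1.0/24,
# one printer at 192.168.1.20. 800 is assumed as IPFire's web proxy port;
# 9100 (raw/JetDirect) and 631 (IPP) are typical printer ports.
BLUE = ip_network("192.168.2.0/24")
GREEN = ip_network("192.168.1.0/24")
IPFIRE_BLUE = ip_network("192.168.2.1/32")
PRINTER = ip_network("192.168.1.20/32")
PROXY_PORT = 800
PRINTER_PORTS = frozenset({631, 9100})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "ACCEPT" or "DROP"
    src: object = None                   # source network, None = any
    dst: object = None                   # destination network, None = any
    proto: Optional[str] = None          # None = any protocol
    dports: Optional[frozenset] = None   # None = any port
    invert_dst: bool = False             # match when dst/proto/port do NOT match

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        dst_part = (
            (self.dst is None or ip_address(p.dst) in self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dports is None or p.dport in self.dports)
        )
        return not dst_part if self.invert_dst else dst_part


def evaluate(rules, packet: Packet, default: str = "ACCEPT"):
    """First matching rule wins, like an iptables chain; `default` is the chain policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "default policy"


# What the checkbox does, as described in the answer: one rule on BLUE that drops
# everything except traffic to IPFire's proxy port. Printers on GREEN are caught too.
CHECKBOX_RULES = [
    Rule("blue: drop unless -> proxy", "DROP", src=BLUE, dst=IPFIRE_BLUE,
         proto="tcp", dports=frozenset({PROXY_PORT}), invert_dst=True),
]

# The suggested replacement: explicit allows first, then the BLUE -> any catch-all drop.
ORDERED_RULES = [
    Rule("blue -> green printer", "ACCEPT", src=BLUE, dst=PRINTER,
         proto="tcp", dports=PRINTER_PORTS),
    Rule("blue -> ipfire proxy", "ACCEPT", src=BLUE, dst=IPFIRE_BLUE,
         proto="tcp", dports=frozenset({PROXY_PORT})),
    Rule("blue -> any: drop", "DROP", src=BLUE),
]

# Same rules with the catch-all drop placed first: the allow rules are never reached.
MISORDERED_RULES = ORDERED_RULES[2:] + ORDERED_RULES[:2]

# Constructed sample traffic from one BLUE client; the external addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE = {
    "print job": Packet("192.168.2.50", "192.168.1.20", "tcp", 9100),
    "via proxy": Packet("192.168.2.50", "192.168.2.1", "tcp", PROXY_PORT),
    "direct https": Packet("192.168.2.50", "203.0.113.10", "tcp", 443),
    "external dns": Packet("192.168.2.50", "198.51.100.53", "udp", 53),
}


def verdicts(rules, default: str = "ACCEPT") -> dict:
    """Verdict per sample packet for a rule set under the given default policy."""
    return {label: evaluate(rules, pkt, default)[0] for label, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for title, rules in (("checkbox", CHECKBOX_RULES),
                         ("ordered", ORDERED_RULES),
                         ("misordered", MISORDERED_RULES)):
        print(f"{title:10s} {verdicts(rules)}")
```

Running it shows the checkbox set dropping the print job while still letting direct HTTPS and external DNS be dropped, the ordered set accepting the printer and proxy packets and dropping the rest, and the misordered set dropping everything from BLUE. Calling `verdicts(CHECKBOX_RULES, default="DROP")` also shows the point about the default policy: with a DROP policy the checkbox set has no rule that accepts proxy traffic, whereas the ordered set carries its own allow rule for IPFire’s proxy port.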

Thanks for your reply.
I’m not sure about the configured firewall default policy, as I’m new at this school and have barely any clue about what the guy before me did on the IPCop/IPFire he had been using for a decade.
Anyway, I think I understood what you mean, so I’ll check on that by the end of the week and come back to tell you if it worked with firewall rules.

Thanks again for your time.
Mark A.