Securing Guest Zone (techniques to limit abuse)

Squid handles HTTPS passthrough just fine. That's basically where your browser connects and says "I want an HTTPS connection to foo.example.com", squid gives it to you, your browser negotiates TLS through it, and then all of the remaining HTTP transaction is hidden from squid. Under that scenario you can only use the domain name in your ACL, but you can catch things like where content.minecraft.com is actually a CNAME for some cloudfront.net server or amazonaws.com server or whatever.

So in that sense you lose a lot of the fine-tuned control but you still have more than just with ipsets.

I run an x86 router with 16 GB of RAM, so I don't worry too much about things like ipsets with 500 entries :wink: Call me when it hits over 10 million entries (though seriously, it's good to know how big the ipset is so you can set the ipset hash size when you create it, so hashing remains appropriately fast).
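The control gap the post describes, as an added illustration that is not part of the original thread or of squid itself: a CONNECT-level domain ACL decides on the hostname the client asked for, while an ipset can only hold the addresses that hostname resolved to, so any other tenant of the same CDN address slips through. The DNS answers, hostnames and addresses below are constructed sample data, and `recommended_hashsize` simply rounds up to the power of two that ipset uses for its hash table (ipset's default is 1024).

```python
"""Added illustration (not from the forum post): domain ACL on CONNECT versus an
IP-based ipset allowlist, plus a helper to size the ipset hash table.
All DNS data here is constructed sample data, not real records."""

# Constructed sample DNS view: hostname -> (CNAME target or None, resolved IPs).
# Two unrelated hostnames deliberately share one CDN address, as CDN tenants do.
SAMPLE_DNS = {
    "content.example-game.net": ("d123.cdn.example", ["203.0.113.10"]),
    "other.example-site.org":   ("d456.cdn.example", ["203.0.113.10"]),
    "updates.example-game.net": (None, ["198.51.100.7"]),
}

# Equivalent of a squid line such as: acl game dstdomain .example-game.net
ALLOWED_DOMAINS = [".example-game.net"]


def dstdomain_match(host, patterns=ALLOWED_DOMAINS):
    """Mimic squid's dstdomain: a leading-dot pattern matches the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        bare = pattern.lower().lstrip(".")
        if host == bare or (pattern.startswith(".") and host.endswith("." + bare)):
            return True
    return False


def parse_connect_line(line):
    """Parse 'CONNECT host:port HTTP/1.1', the only request a forward proxy sees in passthrough."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def proxy_decision(line):
    """Domain-based decision: allow CONNECT to port 443 only for allowed hostnames."""
    parsed = parse_connect_line(line)
    if parsed is None:
        return "deny"
    host, port = parsed
    if port != 443:
        return "deny"
    return "allow" if dstdomain_match(host) else "deny"


def build_ipset(allowed=ALLOWED_DOMAINS, dns=SAMPLE_DNS):
    """What an ipset-based allowlist ends up holding: resolved addresses, no hostnames."""
    ips = set()
    for host, (_cname, addrs) in dns.items():
        if dstdomain_match(host, allowed):
            ips.update(addrs)
    return ips


def ipset_decision(host, allowed=ALLOWED_DOMAINS, dns=SAMPLE_DNS):
    """IP-based decision: a hostname is reachable if any of its addresses is in the set."""
    ips = build_ipset(allowed, dns)
    _cname, addrs = dns[host]
    return "allow" if any(addr in ips for addr in addrs) else "deny"


def recommended_hashsize(entries):
    """Smallest power of two >= entries, never below ipset's default of 1024."""
    size = 1024
    while size < entries:
        size *= 2
    return size


if __name__ == "__main__":
    for line in ("CONNECT content.example-game.net:443 HTTP/1.1",
                 "CONNECT other.example-site.org:443 HTTP/1.1"):
        print(f"proxy: {line!r} -> {proxy_decision(line)}")
    for host in ("content.example-game.net", "other.example-site.org"):
        print(f"ipset: {host} -> {ipset_decision(host)}")
    print("ipset contents:", sorted(build_ipset()))
    print("hashsize for 500 entries:", recommended_hashsize(500))
```

Running it shows the proxy denying `other.example-site.org` while the ipset allows it, because the set only contains 203.0.113.10 and cannot tell the two tenants apart. The hashsize helper reflects the post's last point: knowing the expected entry count up front lets you pass a matching `hashsize` when the set is created rather than letting the table grow under load.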