The increasing deployment of NAT, even into provider networks (eg, ISPs), means that it is increasingly common not to be able to reach out of, or into, a given portion of network directly; the "end to end principle" of the Internet has been all but abandoned. Various forms of assistance are required to cross network boundaries and get out of, or into, a given network. For web browsing, the usual form of assistance is a web proxy server such as Squid (although things like ssh port forwarding can also be used in some cases).

Web browsers have long supported configuration of a web proxy to gain access (or caching) to a particular network (or "the Internet" if it is being used as a cache/filter at the exit to the Internet). This can be configured with the appropriate proxy settings to use to access a given network, which does work. However for "mobile" users (eg, with a laptop) one can spend quite a bit of time manually configuring and unconfiguring the web proxy settings while moving around (and as one needs to use different proxies to gain access to various isolated network segments).

The Web Proxy Auto-Config defines a method, supported by most common browsers, to select the appropriate web proxy for a given destination (thus allowing the use of multiple distinct proxies with different reach), and more importantly for a given source network (thus helping mobile users with automatic configuration). It consists of a file with a single JavaScript function FindProxyForURL(url, host) that is evaluated to determine which web proxy to use; the file can be retrieved from a URL (eg, via HTTP) or loaded from the file system.

The trick to make it useful to mobile users is to classify the source location using myIpAddress() to retrieve your current IP address, and isInNet(ip,netblock,netmask) to check for membership. Assuming each mobile location has a distinctive IP address range this allows uniquely identifying the location. (If not, there may be other JavaScript functions that can be used to retrieve information that may help determine the current location -- such as the local domain name.) Having done that, isInNet(ip,netblock,netmask) can be used on the host destination (IP) passed in to the function, in order to identify which web proxy to use.

Putting this together, create a file called proxy.pac containing something like:

// Proxy Auto Configuration (PAC) file for mobile user
function FindProxyForURL(url, host) {
    // Special case internal NAT network
    // (isInNet arguments are: address, netblock, netmask)
    if (isInNet(myIpAddress(), "", "")) {
        // Special case remote internal NAT networks
        if (isInNet(host, "",  "")) {
            return "PROXY A.B.C.D:3128";
        }

        if (isInNet(host, "",  "")) {
            return "PROXY E.F.G.H:3128";
        }
    }

    // default is to go directly
    return "DIRECT";
}

where A.B.C.D and E.F.G.H are the IP addresses of the web proxies that can be used as a bridge into those remote networks.

In the above example if the machine is currently on the network, then it will use the appropriate proxies when trying to access or When the machine is somewhere else, or when trying to access any other location, it will simply send the request directly. More special cases can be added for other networks, and when appropriate default proxies can be added for specific networks.

For laptop use, save this file onto the file system in some suitable location. Then go to Firefox -> Preferences -> Advanced -> Network -> Settings, and enter an appropriate URL for the file location. For instance file:///full/path/to/file/location/proxy.pac. For desktop use, the file could be put on a webserver (eg, an intranet server) and the http://machine/location/proxy.pac URL specified instead. The file will be loaded when the web browser starts up, and whenever the "Reload" button next to the URL in the settings is pressed; the function will be evaluated with each URL. (In Safari, this is in the system Network settings (Apple -> System Preferences -> Network -> Advanced -> Proxies), also accessible via Safari -> Preferences -> Advanced -> Proxies; tick "Proxy Auto Configuration" and enter the URL. I expect other browsers have similar support.)

Also in these configuration screens is the option "Auto-detect proxy settings for this network" which should not be used outside fixed machines in a well-run, locked-down corporate network. It enables WPAD, the Web Proxy Autodiscovery Protocol, which essentially tries to guess the URL of the PAC file, by appending "wpad" to shorter and shorter portions of the local domain name. Unfortunately the web browsers do very poorly at identifying security boundaries and thus are quite willing to ask for a WPAD server outside the local network, such as a country-wide WPAD server, leading to silent interception of all traffic. The problem is rather similar to the DNS Resolution Issues caused by arbitrarily walking up the local domain name hierarchy without proper boundary checking.
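
The domain walk described above, as an added example that is not part of the original post: it lists the names a client that walks all the way up the local domain would try, and marks those that fall outside a domain you control, so you can confirm none of them is answered from your networks. The domain names (under the reserved .example TLD), the `orgDomain` parameter and all function names are constructed for illustration, and real clients differ in where they stop walking.

```javascript
// Added example. All names are constructed; ".example" is a reserved TLD.

// Names a WPAD client that walks up the DNS hierarchy would try, in order,
// for a machine whose local domain is `localDomain`.
function wpadCandidates(localDomain) {
    const labels = localDomain.toLowerCase().replace(/\.$/, "").split(".");
    const names = [];
    // Drop one leading label per step, down to the bare top-level label.
    for (let i = 0; i < labels.length; i++) {
        names.push("wpad." + labels.slice(i).join("."));
    }
    return names;
}

// True if `name` is `zone` itself or a name below it. Matching on a leading
// dot avoids treating "notacme.co.example" as part of "acme.co.example".
function isWithin(name, zone) {
    return name === zone || name.endsWith("." + zone);
}

// Classify each candidate against the domain the organisation controls.
// Assumption: the caller supplies its own registered domain as `orgDomain`;
// no public-suffix list is consulted.
function auditWpad(localDomain, orgDomain) {
    const zone = orgDomain.toLowerCase().replace(/\.$/, "");
    return wpadCandidates(localDomain).map(name => ({
        name,
        insideBoundary: isWithin(name, zone),
    }));
}

// Candidates outside the organisation's control: lookups for these should
// be stopped at the resolver rather than answered by someone else.
function escapingNames(localDomain, orgDomain) {
    return auditWpad(localDomain, orgDomain)
        .filter(c => !c.insideBoundary)
        .map(c => c.name);
}

// Constructed sample: a laptop whose local domain is lab.office.acme.co.example
for (const c of auditWpad("lab.office.acme.co.example", "acme.co.example")) {
    console.log((c.insideBoundary ? "inside   " : "OUTSIDE  ") + c.name);
}
```

Run it with Node against each DNS search domain handed out on your networks; any name reported as OUTSIDE is one the resolver should refuse to forward.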