pfBlockerNG-devel and Squid Proxy compatibility
Hello Community,
I'm currently evaluating the pfSense Firewall, with the Squid Proxy/pfBlockerNG/Snort combo.
This software stack is installed on a miniPC with an Intel Core i7 + 24 GB RAM.
I'm having trouble with Squid and pfBlockerNG when they are running at the same time. If I only activate one at a time, each works as expected; if I activate them both, things get more complicated!
My Test Environment:
• 2 VLANs (VLAN_50 for PCs, VLAN_30 for Printers) and 1 LAN to host these VLANs.
• 1 single WAN interface connected to the internet
Package versions:
• pfBlockerNG-devel: 3.2.0_6
• Squid: 0.4.46
• Snort : 4.1.6_12
• pfSense : 2.7.0
I've configured only the PRI1 IPs of pfBlockerNG:
With the associated rule in the VLAN_50:
From my PC, on the VLAN_50, I enter an IP from the PRI1 list (1.25.58.63) and it is blocked: perfect!
I then activate Squid Proxy in transparent mode, which listens on the VLAN_50:
From my PC, on the VLAN_50, I enter the same IP from the PRI1 list (1.25.58.63) and this one is no longer blocked: Squid replaces the source IP in the request with its WAN IP and the request exits pfSense to the WAN.
This behavior may seem logical, since it is the principle of a proxy; it is more the order in which the rules are applied that is questionable: why is pfBlocker filtering not applied before the request enters the proxy?
To solve this problem, I tried another approach:
• I use Squid proxy only on the LAN
• I add a NAT rule to forward http and https requests from the VLAN_50 to the LAN
From my PC, on the VLAN_50, I enter an IP of the PRI1 list (1.25.58.63) and it is blocked: perfect!
Authorized requests are successfully transferred to the LAN. But nothing comes out on the WAN!
• No LAN-to-WAN trace in the system log
• No trace with tcpdump
• Squid seems to do nothing with the request; by the way, in Squid's logs we find the request with a NONE state
My questions:
Does the Squid approach, listening over LAN and NAT from VLAN_50 to LAN, make sense and should work?
If so, any idea what's stuck?
Thanks for your help!
Stéphane
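The rule-order question in the post comes down to how pf processes a packet: rdr/NAT translation is applied before the filter rules, so once transparent Squid has redirected port 80 to 127.0.0.1:3128, the pfBlockerNG block rule on VLAN_50 (destination = PRI1 alias) is evaluated against 127.0.0.1 and never matches; the proxy then opens its own connection, which is a separate packet on the WAN side. The toy model below is an added illustration, not pfSense, pfBlockerNG or Squid code; the alias contents, client address, proxy WAN address and the outbound WAN rule set are constructed, and the rule layout is simplified.

```python
"""Toy model of pf's packet path (illustration, not pfSense code): rdr/NAT
translation runs before filtering, so a VLAN_50 rule that blocks the PRI1
alias never sees the original destination once transparent Squid has
redirected port 80 to 127.0.0.1:3128. Alias contents are constructed."""
from ipaddress import ip_address, ip_network

PRI1 = [ip_network("1.25.58.0/24")]  # constructed sample; contains 1.25.58.63

def in_alias(ip, alias):
    return any(ip_address(ip) in net for net in alias)

def apply_rdr(pkt, rdr_rules):
    """First matching rdr rule rewrites destination address and port."""
    for r in rdr_rules:
        if r["iface"] == pkt["iface"] and r["dport"] == pkt["dport"]:
            return {**pkt, "dst": r["to"], "dport": r["to_port"]}
    return pkt

def apply_filter(pkt, rules):
    """Interface rules: first match wins, default deny."""
    for r in rules:
        if r["iface"] != pkt["iface"]:
            continue
        if "dst_alias" in r and not in_alias(pkt["dst"], r["dst_alias"]):
            continue
        return r["action"]
    return "block"

def verdict(pkt, rdr_rules, rules):
    """Translate first, then filter the translated packet (pf order)."""
    return apply_filter(apply_rdr(pkt, rdr_rules), rules)

# Rules from the post: pfBlockerNG block on VLAN_50, then the allow rule.
VLAN50_RULES = [{"iface": "VLAN_50", "action": "block", "dst_alias": PRI1},
                {"iface": "VLAN_50", "action": "pass"}]
# Transparent Squid on VLAN_50: rdr of port 80 to the local proxy.
SQUID_RDR = [{"iface": "VLAN_50", "dport": 80, "to": "127.0.0.1", "to_port": 3128}]
# Same block applied where the proxy's own connection leaves (constructed).
WAN_OUT_RULES = [{"iface": "WAN", "action": "block", "dst_alias": PRI1},
                 {"iface": "WAN", "action": "pass"}]
PKT = {"iface": "VLAN_50", "src": "10.50.0.10", "dst": "1.25.58.63", "dport": 80}

def client_verdicts():
    """(no proxy, transparent proxy) as seen by the VLAN_50 rules."""
    return verdict(PKT, [], VLAN50_RULES), verdict(PKT, SQUID_RDR, VLAN50_RULES)

def proxy_egress_verdict():
    """Squid's new outbound connection to the original destination."""
    egress = {"iface": "WAN", "src": "203.0.113.2", "dst": PKT["dst"], "dport": 80}
    return verdict(egress, [], WAN_OUT_RULES)
```

`client_verdicts()` returns `('block', 'pass')`, reproducing the behaviour in the post; `proxy_egress_verdict()` returns `'block'`, showing that a destination check evaluated on the proxy's own outbound connection (or inside Squid itself) is where the list still applies.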