Transparent Squid behind pfSense
-
I had just left the port field empty.
Are you using a snapshot release? The load balancer config options have changed and it's been giving me some grief. Or it's just this dual-wan setup in general that is causing me headaches now…
-
I use this "pfSense-1.0.1-LiveCD-Installer.iso.gz"
-
More info:
Setup 1
1. I added port 80, so now my Squid box is listening on port 80 and 3128
2. When I manually set up IE to use my Squid box as a proxy server it works perfectly on both port 80 and 3128
3. The Squid LAN routing rule still doesn't work. This means that the Squid box is running OK but there's something wrong with the way pfSense routes the packets.
Setup 2
1. Same as Setup 1
2. I set up my Squid box with a public IP and let it access the Internet bypassing the pfSense box.
3. I use NAT port forwarding and it works. This narrows the scope of the problem to the way pfSense routes the packets only.
Basically Setup #2 is OK but not the best, because the statistics won't show the real requester; they just show the pfSense IP.
Anybody have any idea?
-
tonezzz: you need to install the squid-package (from the package menu). This only works on non-embedded-installs…
the squid package really works fine
-
What platform is your Squid box running on?
Mine is running on CentOS Linux and I have one firewall rule that is loaded from /etc/rc.d/rc.local after it boots up:
iptables -t nat -A PREROUTING -i eth0 ! -d <squid_ip> -p tcp --dport 80 -j REDIRECT --to-ports 3128
That rule redirects the traffic to the proper port for Squid. Kind of an important thing that I had forgotten about. :) If your Squid box is running on BSD, I'm not sure exactly how to accomplish that but that Squid FAQ on transparent proxy has some examples on how to do it:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
My Squid is still set to my old router, so I'm not 100% sure that the redirect rule on the pfSense box will pass the HTTP traffic from the Squid box properly. The rule SHOULD pass it...
-
tonezzz: you need to install the squid-package (from the package menu). This only works on non-embedded-installs…
the squid package really works fine
Personally, I'm avoiding the built-in Squid proxy because it's more load on the router and the webGUI doesn't encompass all the options that Squid has. If you want to have custom ACLs for particular workstations (based on their MAC address), you end up having to edit the Squid configuration files directly.
Plus, I also use a program called MySAR for analyzing the Squid logs that requires MySQL and a webserver. I really don't want to have that running on my router as well. I think I could run those on a separate box from the Squid proxy itself, but if I need to do that…I might as well move Squid off the router too.
-
Thanks dwadson. Mine is running on Debian GNU/Linux 3.1. I'm very new on Linux anyway. Your idea sounds good, I'll check it when I come back to work on Monday. It's 21:23 of Friday night here and I'm still setting up 2 notebooks for my colleagues. I want to go windsurfing tomorrow, it's windy everyday ;-)
Enjoy your weekend.
-
Hi dwadson, I just typed exactly the same command (iptables -t …) and it works!!!
I tried to find the rc.local file but I cannot find it. I'm using Debian GNU/Linux 3.1; where should I put the command? Anybody please help.
-
http://www.justlinux.com/nhf/Distribution_Specific/Debian_GNULinux/Debian__Startup_Commands.html
Or Google "debian startup script" and you'll get a steer in the right direction.
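The redirect rule from dwadson's post, packaged as an added example (not a script from the thread or from pfSense) that can be called from whatever startup mechanism the link above leads you to. It is written to be safe to run more than once: the original one-liner, appended blindly at every boot, stacks a duplicate rule each time. Assumptions not in the thread: the LAN-facing interface is eth0, the Squid box's own address is 192.168.1.10 (a constructed placeholder for the thread's <squid_ip>), and Squid listens on 3128; override them via the environment if yours differ.

```shell
#!/bin/sh
# Added example, not from the original thread: idempotent transparent-proxy
# redirect for a Linux Squid box, intended to be run from a boot script.
# Assumptions (constructed, not from the thread): interface, address, port.
LAN_IF="${LAN_IF:-eth0}"
SQUID_IP="${SQUID_IP:-192.168.1.10}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Match and target part of the rule. "! -d $SQUID_IP" is the prepositioned
# form of the thread's "-d ! <squid_ip>": traffic already addressed to the
# proxy itself (manual proxy clients, Squid's own fetches) is left alone.
redirect_rule_spec() {
    printf '%s' "! -d $SQUID_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Install the rule in a dedicated chain. Creating the chain fails if it
# already exists, in which case it is flushed instead, so re-running this
# at boot or by hand never leaves two copies of the rule behind. The jump
# from PREROUTING is added only if it is not already listed.
ensure_redirect_rule() {
    iptables -t nat -N SQUID_REDIRECT 2>/dev/null || iptables -t nat -F SQUID_REDIRECT
    iptables -t nat -A SQUID_REDIRECT $(redirect_rule_spec)
    iptables -t nat -L PREROUTING -n | grep -q '^SQUID_REDIRECT ' ||
        iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j SQUID_REDIRECT
}

# Print the single-rule equivalent (what the thread's one-liner expands to).
flat_rule() {
    printf '%s\n' "iptables -t nat -A PREROUTING -i $LAN_IF $(redirect_rule_spec)"
}

case "${1:-}" in
    apply) ensure_redirect_rule ;;
    show)  flat_rule ;;
esac
```

Run it as `sh squid-redirect.sh apply` from the startup script (it needs root to touch the nat table) and `sh squid-redirect.sh show` to see the one-liner it corresponds to. Only `-N`, `-F`, `-A` and `-L -n` are used, all of which exist on the iptables shipped with Debian 3.1; the dedicated chain also makes the rule easy to audit or remove later with `iptables -t nat -F SQUID_REDIRECT`.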
-
I followed the first link. There is an error message "You must specify --to-source" but it works anyway. Thanks dwadson.
-
The changed load balancer in the snapshot releases doesn't seem to allow this technique to work. You can no longer enter an IP address for the gateway/proxy - that capability has been replaced with the "Interface Name" menu. Tried doing it with it set as a server rather than a gateway but that doesn't seem to work either - traffic doesn't get redirected.
Looks like I'm gonna roll back to 1.0.1 so this will work. It's more important to have this working than improved load balancing…
-
You can manually edit the config.xml, replace the interface name with the IP address, and re-upload the config. Just don't touch this pool with the GUI again and it should work with the newer versions.