Netgate Discussion Forum
    Redirect web traffic to Squid on internal LAN

    Category: Firewalling
    13 Posts 2 Posters 15.1k Views
    • NovceGuru wrote:

      Hello

      After searching for a while it seems this topic has been beaten to death, but I can't seem to get anything working. I have a very basic setup:

      WAN IP (static) ----> pfSense (NAT/Firewalling) ----> 192.168.5.0/24 LAN

      I have a Squid proxy running on the internal LAN @ 192.168.5.10. I need to be able to redirect traffic while keeping the source IP of the request (so that rules out creating an "outbound" NAT situation). I have tried following http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915 to a T; I've started from a fresh installation (1.01 stable) and followed it at least 5 times to make sure I did not miss anything. If I get this working I promise I will make a very detailed wiki entry on the matter :) Thanks.

      NovceGuru

      • dwadson wrote:

        In my config.xml, here's how my Squid "pool" is setup:

        <lbpool>
            <type>gateway</type>
            <behaviour>failover</behaviour>
            <monitorip></monitorip>
            <name>squid</name>
            <desc>Squid Transparent Proxy</desc>
            <port></port>
            <servers>192.168.0.12|192.168.0.12</servers>
        </lbpool>

        My LAN firewall rule to redirect traffic is:
        Proto   Source   Port   Destination   Port        Gateway
        TCP     !squid   *      *             80 (HTTP)   squid

        You'll also need a rule on your Squid box to redirect the port 80 requests to the Squid port (probably 3128)

        • NovceGuru wrote:

          Thanks for the reply. Technically, could I run squid so that it listens on port 80? I do not have a firewall on the internal box. Thanks again.

          NovceGuru

          • dwadson wrote:

            You don't necessarily need a whole firewall running on your Squid box. Mine, running on CentOS, has a single iptables rule:

            iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.0.12 -p tcp --dport 80 -j REDIRECT --to-ports 8080

            There's some sort of reason as to why the transparent proxy runs on a different port that I'll admit I'm not 100% sure on. It might simply be so that it doesn't conflict with a webserver running on the squid box.

            But first thing that you need to get working right is to have the port 80 traffic getting redirected out your Squid "gateway" on the pfSense box.

            • NovceGuru wrote:

              Thanks again for the reply.

              My squid box is running FreeBSD without a firewall. It's too bad I can't do that redirecting from the pfSense box. I think if that's not possible (which I assume it is not) I can just alias a free LAN address and run squid on port 80 on that box. I'll report back with what I find. Unfortunately I can't test this at the moment with people at the location of the box.

              NovceGuru

              • NovceGuru wrote:

                I have these settings:

                but the requests for some reason do not make it to 192.168.165.10. When I run tcpdump and make a request, my web client times out, but the logs show it being allowed to connect. Thanks.

                NovceGuru

                • dwadson wrote:

                  The only significant difference I can see between your pfSense and mine is that I'm running one of the latest snapshots - 1.2-BETA-1-TESTING-SNAPSHOT-05-29-2007.

                  However, I thought I had this working on 1.0.1 before. Maybe not though.

                  It does appear that your packets are going through the firewall as mine are so you should probably turn your attention now to the Squid box to confirm that it's receiving the packets. It might simply be having Apache with MySAR running on it that makes me run my Squid on a different port.

                  • NovceGuru wrote:

                    I might try the latest 1.2 beta. I aliased an IP address and bound squid to it, and set up apache to bind to the other address. I can access squid via my browser @ 192.168.165.12 (and reconfigured the pool and firewall rule to reflect these changes) and the packets never seem to hit the squid box.  :'( :'(

                    • NovceGuru wrote:

                      Sadly still a no go on 1.2-BETA-1, I had to hand edit the xml file to make it reflect yours.

                      <servers>192.168.0.12|192.168.0.12</servers> was WAN:192.168.165.12 (that didn't work either)

                      back to the drawing board…

                      NovceGuru

                      • NovceGuru wrote:

                        Mucking around via SSH I added

                        rdr on sis0 proto tcp from ! <letpastsquid> to any port 80 -> 192.168.165.12 port 3128

                        to rules.debug, ran pfctl -f rules.debug, and at least got the packets to reach the squid box, but it basically does the same thing as before --> times out

                        • NovceGuru wrote:

                          May I see your squid.conf? Although I am using it right now with it configured in the browser, and I think the only "special" thing I need is http_port 192.168.165.10:3128 transparent

                          Thanks,

                          NovceGuru

                          • NovceGuru wrote:

                            # This is the firewall, it has:

                            table <letpastsquid> { 192.168.165.10 192.168.165.12 }
                            rdr on sis0 proto tcp from ! <letpastsquid> to any port 80 -> 192.168.165.12 port 3128

                            in pf.conf

                            pfsense:/tmp#  tcpdump -vv | grep -v ssh | grep -v NETBIOS | grep -v arp
                            tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
                            18:34:31.172636 IP (tos 0x0, ttl 128, id 57820, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > google.com.http: S, cksum 0xd6a6 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:31.173166 IP (tos 0x0, ttl 127, id 46940, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:33.630977 IP (tos 0x0, ttl 128, id 57822, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3164 > static-fxfeeds.nslb.sj.mozilla.com.http: S, cksum 0x4faf (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:33.631202 IP (tos 0x0, ttl 127, id 35077, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3164 > 192.168.165.12.3128: S, cksum 0xef1c (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:34.133926 IP (tos 0x0, ttl 128, id 57824, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > google.com.http: S, cksum 0xd6a6 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:34.134204 IP (tos 0x0, ttl 127, id 4967, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:40.169236 IP (tos 0x0, ttl 128, id 57828, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > google.com.http: S, cksum 0xd6a6 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:40.169484 IP (tos 0x0, ttl 127, id 23104, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.153409 IP (tos 0x0, ttl 128, id 57843, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3166 > google.com.http: S, cksum 0x9065 (correct), 3034145817:3034145817(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.153934 IP (tos 0x0, ttl 127, id 33875, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3166 > 192.168.165.12.3128: S, cksum 0x8622 (correct), 3034145817:3034145817(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.176660 IP (tos 0x0, ttl 128, id 57859, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3167 > google.com.http: S, cksum 0x522d (correct), 4197997809:4197997809(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.177169 IP (tos 0x0, ttl 127, id 57198, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3167 > 192.168.165.12.3128: S, cksum 0x47ea (correct), 4197997809:4197997809(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.177205 IP (tos 0x0, ttl 128, id 57868, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3168 > google.com.http: S, cksum 0xb1db (correct), 573101394:573101394(0) win 65535 <mss 1460,nop,nop,sackOK>
                            18:34:52.177693 IP (tos 0x0, ttl 127, id 36447, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3168 > 192.168.165.12.3128: S, cksum 0xa798 (correct), 573101394:573101394(0) win 65535 <mss 1460,nop,nop,sackOK>
                            ^C
                            61 packets captured
                            65 packets received by filter
                            0 packets dropped by kernel

                            ### This is the box running squid

                            mcserver# tcpdump -vv | grep -v ssh | grep -v NETBIOS | grep -v arp
                            tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
                            14:05:17.812138 IP (tos 0x0, ttl 127, id 46940, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            14:05:17.812182 IP (tos 0x0, ttl  64, id 56558, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3165: S, cksum 0xcb96 (incorrect (-> 0x56bc), 1961296304:1961296304(0) ack 3624270509 win 65535 <mss 1460,sackOK,eol>
                            14:05:17.812384 IP (tos 0x0, ttl 128, id 57821, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3165 > 192.168.165.12.3128: R, cksum 0x2670 (correct), 3624270509:3624270509(0) win 0
                            14:05:20.269458 IP (tos 0x0, ttl 127, id 35077, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3164 > 192.168.165.12.3128: S, cksum 0xef1c (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
                            14:05:20.269496 IP (tos 0x0, ttl  64, id 56561, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3164: S, cksum 0xcb96 (incorrect (-> 0x4c95), 1846752612:1846752612(0) ack 364223046 win 65535 <mss 1460,sackOK,eol>
                            14:05:20.269706 IP (tos 0x0, ttl 128, id 57823, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3164 > 192.168.165.12.3128: R, cksum 0x6be1 (correct), 364223046:364223046(0) win 0
                            14:05:20.772261 IP (tos 0x0, ttl 127, id 4967, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            14:05:20.772277 IP (tos 0x0, ttl  64, id 56562, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3165: S, cksum 0xcb96 (incorrect (-> 0xda37), 3146594190:3146594190(0) ack 3624270509 win 65535 <mss 1460,sackOK,eol>
                            14:05:20.772511 IP (tos 0x0, ttl 128, id 57825, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3165 > 192.168.165.12.3128: R, cksum 0x2670 (correct), 3624270509:3624270509(0) win 0
                            14:05:26.805793 IP (tos 0x0, ttl 127, id 23104, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
                            14:05:26.805836 IP (tos 0x0, ttl  64, id 56563, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3165: S, cksum 0xcb96 (incorrect (-> 0x7b85), 3471540962:3471540962(0) ack 3624270509 win 65535 <mss 1460,sackOK,eol>
                            14:05:26.806038 IP (tos 0x0, ttl 128, id 57829, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3165 > 192.168.165.12.3128: R, cksum 0x2670 (correct), 3624270509:3624270509(0) win 0
                            14:05:30.048918 IP (tos 0x0, ttl  64, id 56564, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.165.12.netbios-ssn > pc01.ncube-lm: P, cksum 0xcb92 (incorrect (-> 0x34d6), 3691487235:3691487239(4) ack 4080383168 win 65535
                            >>> NBT Session Packet
                            NBT Session Keepalive
                            Flags=0x0
                            Length=0 (0x0)

                            ^C
                            61 packets captured
                            62 packets received by filter
                            0 packets dropped by kernel

                            Sorry I suck at grep.
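The two captures in the post above contain the whole diagnosis if they are read together: on the firewall each client SYN appears twice (once addressed to the real web server on port 80, once after rdr rewrote it to 192.168.165.12:3128), on the Squid host the proxy answers with a SYN-ACK, and the client immediately replies with a RST. The SYN-ACK is sent by the proxy straight back to the client on the shared LAN segment with source 192.168.165.12:3128, so it never passes back through pf and is never un-translated; the client, which only knows about a connection to google.com:80, rejects it. The following script is an added example, not code from the thread, from pfSense or from Squid: it parses tcpdump -vv lines of the format posted above, correlates the two captures by the client's initial sequence number (which rdr does not change), and reports this pattern. The sample capture text is constructed from the lines in the post; LINE_RE, analyse and verdict are names chosen here.

```python
import re

# Constructed sample input, modelled on the two tcpdump -vv captures posted
# in the thread (pfSense on sis0, the Squid host on em0). Only the handshake
# packets of two flows are kept; addresses are the ones the thread uses.
PFSENSE_CAPTURE = """\
18:34:31.172636 IP (tos 0x0, ttl 128, id 57820, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > google.com.http: S, cksum 0xd6a6 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
18:34:31.173166 IP (tos 0x0, ttl 127, id 46940, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
18:34:33.630977 IP (tos 0x0, ttl 128, id 57822, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3164 > static-fxfeeds.nslb.sj.mozilla.com.http: S, cksum 0x4faf (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
18:34:33.631202 IP (tos 0x0, ttl 127, id 35077, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.22.3164 > 192.168.165.12.3128: S, cksum 0xef1c (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
SQUID_CAPTURE = """\
14:05:17.812138 IP (tos 0x0, ttl 127, id 46940, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3165 > 192.168.165.12.3128: S, cksum 0xcc63 (correct), 3624270508:3624270508(0) win 65535 <mss 1460,nop,nop,sackOK>
14:05:17.812182 IP (tos 0x0, ttl  64, id 56558, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3165: S, cksum 0xcb96 (incorrect (-> 0x56bc), 1961296304:1961296304(0) ack 3624270509 win 65535 <mss 1460,sackOK,eol>
14:05:17.812384 IP (tos 0x0, ttl 128, id 57821, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3165 > 192.168.165.12.3128: R, cksum 0x2670 (correct), 3624270509:3624270509(0) win 0
14:05:20.269458 IP (tos 0x0, ttl 127, id 35077, offset 0, flags [DF], proto: TCP (6), length: 48) pc01.3164 > 192.168.165.12.3128: S, cksum 0xef1c (correct), 364223045:364223045(0) win 65535 <mss 1460,nop,nop,sackOK>
14:05:20.269496 IP (tos 0x0, ttl  64, id 56561, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.165.12.3128 > pc01.3164: S, cksum 0xcb96 (incorrect (-> 0x4c95), 1846752612:1846752612(0) ack 364223046 win 65535 <mss 1460,sackOK,eol>
14:05:20.269706 IP (tos 0x0, ttl 128, id 57823, offset 0, flags [none], proto: TCP (6), length: 40) pc01.3164 > 192.168.165.12.3128: R, cksum 0x6be1 (correct), 364223046:364223046(0) win 0
"""

# One tcpdump -vv TCP line of the style shown in the thread. The checksum
# field is either "(correct)" or "(incorrect (-> 0x....)," exactly as printed.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>[\w.\-]+)\.(?P<sport>\w+) > (?P<dst>[\w.\-]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+), cksum \S+ \((?:correct|incorrect \(-> \S+?)\), "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)
SERVICE_PORTS = {"http": 80, "https": 443}  # old tcpdump prints service names


def port_number(token):
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def parse(capture):
    """Return the TCP packets in a capture as dicts; non-matching lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append({
            "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]),
            "flags": m["flags"], "seq": int(m["seq"]),
            "ack": int(m["ack"]) if m["ack"] else None,
        })
    return pkts


def verdict(flow):
    if "redirected_to" not in flow:
        return "no rdr seen on the firewall: check the rdr rule and the firewall pass rule"
    if "synack_from" not in flow:
        return "SYN was redirected but the proxy never answered: check that Squid listens on the redirect port"
    if flow.get("client_rst") and flow["synack_from"] != flow.get("original_dst"):
        return ("client reset the handshake: it sent SYN to %s but the SYN-ACK came from %s; "
                "the proxy's reply reached the client without passing back through the rdr, "
                "so the translation was never undone (proxy and client share the segment)"
                % (flow["original_dst"], flow["synack_from"]))
    return "handshake completed"


def analyse(pf_capture, squid_capture, proxy_ip="192.168.165.12", proxy_port=3128):
    """Correlate both captures by client ISN and attach a verdict to each flow."""
    flows = {}
    for pkt in parse(pf_capture):
        if "S" in pkt["flags"] and pkt["ack"] is None:  # client SYN, pre- or post-rdr
            flow = flows.setdefault(pkt["seq"], {"client": "%s:%d" % (pkt["src"], pkt["sport"])})
            if pkt["dst"] == proxy_ip and pkt["dport"] == proxy_port:
                flow["redirected_to"] = "%s:%d" % (proxy_ip, proxy_port)
            else:
                flow["original_dst"] = "%s:%d" % (pkt["dst"], pkt["dport"])
    for pkt in parse(squid_capture):
        if "S" in pkt["flags"] and pkt["ack"] is not None:  # SYN-ACK acks ISN+1
            flow = flows.get(pkt["ack"] - 1)
            if flow is not None:
                flow["synack_from"] = "%s:%d" % (pkt["src"], pkt["sport"])
        elif "R" in pkt["flags"]:                           # client RST carries ISN+1
            flow = flows.get(pkt["seq"] - 1)
            if flow is not None:
                flow["client_rst"] = True
    for flow in flows.values():
        flow["verdict"] = verdict(flow)
    return flows


if __name__ == "__main__":
    for isn, flow in analyse(PFSENSE_CAPTURE, SQUID_CAPTURE).items():
        print(isn, flow["client"], "->", flow.get("original_dst"), ":", flow["verdict"])
```

Run it against real captures by replacing the two sample strings with the output of `tcpdump -vv` on the firewall's LAN interface and on the proxy host. The ISN join is what makes the two vantage points comparable even though the host names differ (192.168.165.22 on one side, pc01 on the other). The "handshake completed" verdict is what you should see with dwadson's layout, where the firewall only policy-routes port 80 to the proxy host and the redirect to the Squid port is done on that host, so its own NAT table reverses the translation on the reply.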
                            
                            • NovceGuru wrote:

                              1. stop squid

                              2. mcserver# nc -l 3128

                              3. firefox http://192.168.165.10:3128

                              netcat returns:

                              GET / HTTP/1.1
                              Host: 192.168.165.10:3128
                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
                              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
                              Accept-Language: en-us,en;q=0.5
                              Accept-Encoding: gzip,deflate
                              Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
                              Keep-Alive: 300
                              Connection: keep-alive

                              4. firefox http://google.com

                              netcat returns:

                              <nothing>

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.