External Transparent Proxy
-
Hi Guys,
I have pfSense as a gateway for about 70 users. I have set up a Transparent Squid on FreeBSD 6.3 using Squid 3.0.
I have been searching around for three days now and cannot find any info that I understand or that is the same as my configuration. I would like to use pfSense to divert all HTTP traffic to my external Squid proxy.
Here is my configuration: I have 2 NICs in pfSense, LAN and WAN; the proxy is on the LAN side with the clients.
The proxy has 2 NICs, one on the LAN side and one on the WAN side pointing to another gateway on a different link. Squid is listening on the LAN side on 3128 and I have tested it using the proxy setting in Windows.
I compiled Squid with all the transparent options. It is also my understanding that after Squid 2.6 there is only one line in squid.conf to make it transparent:
http_port (lan address) 3128 transparent. Please correct me if I am wrong!! I understand that I can use the Squid package on pfSense, but I would really like to use one external to pfSense and have PF redirect all the traffic.
I have tried a NAT port forward from the LAN interface ....80 to 3128 on the Squid LAN address etc. (using the GUI), but it didn't work. Also I saw a lot of blocks in the PF firewall log saying "default deny rule" as it appeared it was taking traffic from my LAN and diverting it to squidlan:3128. I also saw nothing in access.log on Squid.
any assistance would be greatly appreciated.
Thank you -
It seems as if I have stumped everyone??
I was on the pfSense IRC channel and someone suggested to me that rdrs cannot work on the same interface? So I have put a 3rd NIC into PF and put my proxy on that.
I can talk to the proxy from my LAN with the pass rule on OPT1, but I still cannot get HTTP to redirect to the proxy port on the OPT1 network. Has anyone ever achieved this at all?
-
Either you have to provide a policy router rule or use a GRE tunnel between your Squid and pfSense (do not remember what Cisco calls this!).
The problem is that you can do these configurations only on 2.0, sorry.
-
Hi Ladies and Gents,
Well, as I understand now, it is not possible to redirect HTTP traffic to an external Squid on another subnet? That's too bad. For the last 2 weeks I have tried to pass my web traffic to my Squid machine without success :-(
My setup is as this:
pfSense with 1 LAN, 1 WAN and an OPT interface. I gave the OPT interface another subnet than the LAN interface holds; the Squid machine is listening on the OPT subnet. Well, the Squid is a FreeBSD with 1 LAN interface on the pfSense LAN subnet and an alias for the OPT subnet, which should work so far.
I added a NAT rule that does
rdr on LAN inet proto tcp from LANSubnet to any port = 80 -> squidmachine port 3128
Well, for test purposes I created rules on my LAN and OPT that are passing all in and out. The overall effect is that no traffic gets redirected to the Squid machine.
It works well when I do a static proxy entry on my client machines. Does anyone have a mind-evolving hint for me? Or is it just true that this is quite impossible with pfSense right now?
The big fish with this is that I cannot add a Squid package on the pfSense itself, because I use an embedded version. Please help on that, I love this firewall and it would turn me into some sort of Zen state ( that would be a nice type of state for pf ;-) ) when I can use my transparent Squid.
thx and regards
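For reference, here is an added example sketch (not posted by anyone in this thread, and not pfSense's generated ruleset) of what the rdr-plus-pass ruleset looks like in raw pf.conf for the three-NIC layout described in both posts above: clients on LAN, uplink on WAN, the Squid box alone on OPT1. The interface names, subnets and the proxy address are assumptions; substitute your own.

```pf
# Added example: pf.conf sketch for transparent HTTP redirection to an external Squid.
# Interface names, subnets and the proxy address below are assumptions.
lan_if  = "fxp0"
opt1_if = "fxp2"
lan_net = "192.168.1.0/24"
squid   = "192.168.2.10"      # the Squid host, the only machine on the OPT1 subnet

# Translation: rewrite client HTTP (TCP 80) to any destination into squid:3128.
# rdr matches packets as they ARRIVE on the named interface, so the rule belongs
# on the interface the clients are behind (LAN), not on the interface the proxy
# sits on (OPT1). Only the destination is rewritten; the client's source address
# is kept, which is why Squid's access.log will show the real client IP.
rdr on $lan_if inet proto tcp from $lan_net to any port 80 -> $squid port 3128

# Filtering runs AFTER translation, so the pass rule must allow the translated
# destination (squid:3128). A pass rule that only allows "to any port 80" no
# longer matches the rewritten packet, and the default deny logs it instead.
pass in quick on $lan_if inet proto tcp from $lan_net to $squid port 3128 keep state

# Let Squid itself fetch from the Internet (80 and 443) through pfSense.
# These packets arrive on OPT1, where no rdr applies, so they are not looped
# back into the proxy.
pass in quick on $opt1_if inet proto tcp from $squid to any port { 80 443 } keep state
```

Three points worth checking alongside that ruleset. First, only port 80 is intercepted: HTTPS on 443 passes straight through, so whatever policy Squid enforces covers plain HTTP only. Second, the Squid host must route the client subnet back through pfSense's OPT1 address (for example `route add -net 192.168.1.0/24 192.168.2.1` on the FreeBSD box, addresses again assumed); if the proxy's default gateway is its own separate uplink, its replies to the untranslated client addresses leave by that uplink and the redirected handshake never completes, even though a manually configured browser proxy works fine. Third, to confirm the redirect is actually happening, `pfctl -sn` lists the loaded rdr rules, `pfctl -ss` shows the translated states, and `tcpdump -ni fxp2 port 3128` on the OPT1 interface should show the rewritten SYNs heading to the proxy. On the squid side, `http_port 192.168.2.10:3128 transparent` (Squid 3.0 syntax, matching the line quoted in the first post) is the only Squid-specific setting this layout needs.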
-
push
:-)
Hi,
Does anyone have a suggestion on this one? I do not get a clue.
Thx :-)