Bypass Transparent Proxy - All But One IP
-
I see that there are ways to bypass the proxy for defined IPs. My problem is that I need to bypass the transparent proxy for all IPs on the LAN other than one single IP.
So:
10.0.0.0/8 --> straight to firewall
10.x.x.x/32 --> proxy
This needs to be done because I am using Squidguard to filter content for that one IP (which happens to be another non-pfsense router).
One idea I have would be to create a "virtual interface" (don't know if pfsense can support this) and bind squid to only that virtual interface. I would then set the virtual interface IP as the gateway for the non-pfsense router that needs the filtering.
-
add in your squid.inc

```
$rules .= "no rdr on $iface proto tcp from ! 10.0.0.1 to any port 80\n";
```
-
I added the rule, and restarted squid with no luck. It looks like all my hosts are still going to the proxy.
-
Bypass proxy for Private Address Space (RFC 1918) destination should be checked. (Not exactly the right place, but it should work.)
squid.inc should look like this:

```
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
$rules .= "no rdr on $iface proto tcp from ! 192.168.0.101 to any port 80\n";
```

pfctl -sn to confirm; it should look like this:

```
# pfctl -sn
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 192.168.0.0/24 to any -> (em1) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
no rdr on em0 proto tcp from any to <vpns> port = ftp
rdr on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on em0 inet proto tcp from ! 192.168.0.101 to any port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all
```

and take a good look at how they are arranged.
no rdr on em0 inet proto tcp from ! 192.168.0.101 to any port = http <--- this line should be here
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80 <--- before this line.
-
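An added check, not code from any of the posts above, that encodes the ordering point the reply makes: pf applies translation (nat/rdr) rules first-match, so a `no rdr` exclusion that ends up after the catch-all `rdr ... -> 127.0.0.1 port 80` never fires and every host still hits Squid. The script assumes a POSIX shell with awk; the `pfctl -sn` excerpts are constructed from the listing above, and the interface `em0` and host `192.168.0.101` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check that the per-host "no rdr" bypass
# precedes the catch-all transparent-proxy rdr in `pfctl -sn` output.
# pf evaluates translation (nat/rdr) rules first-match, so an exclusion that
# sorts after the catch-all is dead: every host still lands on 127.0.0.1:80.
# Interface "em0" and host 192.168.0.101 below are placeholders.

# Constructed pfctl -sn excerpts modelled on the listing in the thread.
# Correct order: the exclusion comes before the catch-all rdr.
SAMPLE_GOOD='rdr-anchor "slb" all
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on em0 inet proto tcp from ! 192.168.0.101 to any port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
rdr-anchor "miniupnpd" all'

# Wrong order: the exclusion was appended after the catch-all and never matches.
SAMPLE_BAD='no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
no rdr on em0 inet proto tcp from ! 192.168.0.101 to any port = http'

# bypass_rule IFACE HOST
# Prints the pf rule the thread adds to squid.inc (with $iface expanded):
# every LAN host except HOST skips the port-80 redirect.
bypass_rule() {
    printf 'no rdr on %s proto tcp from ! %s to any port 80\n' "$1" "$2"
}

# check_rdr_order IFACE HOST
# Reads `pfctl -sn` output on stdin. Returns 0 when the "no rdr ... from ! HOST"
# exclusion appears before the catch-all "rdr ... port = http -> 127.0.0.1 port 80"
# on IFACE, and 1 when either rule is missing or the order is reversed.
check_rdr_order() {
    awk -v iface="$1" -v host="$2" '
        # Record the line number of the first exclusion and first catch-all.
        # Dots in host match any character; loose, but harmless for this check.
        !b && $0 ~ ("^no rdr on " iface " .*from ! " host " to any port = http") { b = NR }
        !c && $0 ~ ("^rdr on " iface " .*port = http -> 127\\.0\\.0\\.1 port 80") { c = NR }
        END { exit !(b && c && b < c) }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_rdr_order em0 192.168.0.101 \
    && echo "good sample: bypass precedes the catch-all rdr"
printf '%s\n' "$SAMPLE_BAD" | check_rdr_order em0 192.168.0.101 \
    || echo "bad sample: bypass sits after the catch-all and never fires"
```

On the firewall itself, run `pfctl -sn | check_rdr_order em0 192.168.0.101` after restarting Squid; a non-zero exit means the exclusion was either not generated at all or was placed after the catch-all, and in both cases every host is still being redirected to the proxy.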
okay so in /usr/local/pkg/squid.inc I added:

```
$rules .= "no rdr on $iface proto tcp from ! 10.0.10.1 to any port 80\n";
```

but when I run

```
pfctl -sn
```
-
Your firewall is turned off.
-
Sorry, I think I confused you… there are all kinds of rules when I run pfctl -sn, and my firewall is on. I just don't see that one rule.