Netgate Discussion Forum

    Bypassing transparent http proxy (havp?)

    NAT
    9 Posts 2 Posters 6.9k Views
      danswartz

      I have installed havp as transparent proxy and it works fine.  Until I found my tivo could no longer fetch program updates from the internet.  I remember this happening when I had a linux gateway with squid/dansguardian, and I was able to work around it by adding an iptables rule to allow the tivo IP address to bypass the proxy.  Is that possible with pfsense?  The problem is apparently the tivo sends non-standard http requests, so I see things in the havp log like this: "Invalid request from browser (no Host-header?)".  Whitelisting the tivo urls doesn't help - apparently the above check is done elsewhere than the whitelist code.

        danswartz

        I did find the following in /usr/local/pkg/havp.inc:

        if ($type === 'nat') {
            $rules[] = "# havp proxy ifaces redirect";
            foreach($ifaces as $iface) {
                switch($proxymode) {
                    case 'transparent':
                        # rdr any http => localhost:port
                        $rules[] = "rdr on $iface proto tcp from any to !($iface) port 80 -> $proxybindiface port $proxyport";

        I'm guessing I could change the above to say something like '! 10.0.0.222' (or whatever the right pf syntax is) instead of 'any', but I'd rather not have to touch packages.

          danswartz

          Alternatively, if there were a place I could insert custom rules (specifically, something [don't know what yet] that would bypass any squid/havp transparent proxy), that would be fine.  On my old linux gateway, I could do this:

          /sbin/iptables -t nat -I PREROUTING -s 10.0.0.222 -p tcp --dport 80 -j ACCEPT

          This would cause anything aimed at port 80 from the specified host (my tivo) to bypass the redirect rule (if any) that squid would add.  Is there a pf way of doing this?  And if so, does pfsense have a place I can hook that in without messing with packages?  My clarkconnect server (formerly gateway) had /etc/rc.d/rc.firewall.local where I could plug in custom rules like the above.

            danswartz

            I was thinking maybe I was making this overcomplicated.  My concern was to have the rdr rule generated by havp not get in the way, so I thought maybe I could use the internal mode instead of the transparent mode, and add my own rule, but I don't see how to do that in the GUI.  e.g. I can say something like '! 10.0.0.222' on the rules page, but not on the NAT page (which is what generates the rdr rule, no?)  So, at the moment I am stuck :(

              dvserg

              Try setting up non-transparent proxy mode and configuring manual NAT rules to 127.0.0.1:proxyport

              SquidGuardDoc EN  RU Tutorial
              Localization ru_PFSense

                danswartz

                Thanks, that is what I was thinking, but I'm not familiar enough with pf to be sure what to do.  I want havp to take the requests but not for the one specific IP.  I assumed I should do port forwarding on the LAN for this, but the GUI seems not to have a way to say "! IP" for port forwarding, only for pass/block type rules.  I do not mind putting the rule in somewhere in the CLI, but I am not sure where to do that in pfSense?

                  danswartz

                  Am I really asking something that off the wall?  E.g. how can I put in rdr rules that do not apply to certain hosts?  I can see how to do this from the CLI, but not the GUI.  If the former, as I said, I am fine with putting the rules in somewhere in a config file, but I don't see where to do that (there is no /etc/pf.conf like in vanilla FreeBSD), so what now?

                    dvserg

                    Test this:

                    1. [V] Not NAT - IFACE - from your IP - to any : port 80
                    2. [ ]         - IFACE - from any     - to any : port 80


                      danswartz

                      I will try that when I get home, thanks.  I am not sure how that will work though, since the tivo needs to get to the outside world and does have a private IP, so won't "no nat" keep that from working?

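For the pf side of what the thread is asking (the counterpart of the iptables ACCEPT rule quoted earlier), here is an added rule-set fragment in the classic pf syntax that the havp.inc snippet generates; it is not from the forum posts or the havp package. The interface name em0 and the proxy port 3128 are assumed placeholders; 10.0.0.222 is the TiVo address from the thread.

```pf
# Added example, not from the thread or the havp package.
# Assumed values: LAN interface em0, havp listening on 127.0.0.1:3128.
lan_if     = "em0"
proxy_ip   = "127.0.0.1"
proxy_port = "3128"
tivo       = "10.0.0.222"

# Translation rules (nat/rdr) are first-match, so the exception has to be
# listed before the redirect. "no rdr" is the pf equivalent of the iptables
# "-t nat -I PREROUTING -s 10.0.0.222 -p tcp --dport 80 -j ACCEPT" line:
# port-80 traffic from the TiVo skips the proxy redirect and is otherwise
# filtered and NATed like any other LAN traffic.
no rdr on $lan_if proto tcp from $tivo to any port 80

# Everything else on the LAN still goes to the transparent proxy.
rdr on $lan_if proto tcp from any to !($lan_if) port 80 -> $proxy_ip port $proxy_port

# Single-rule alternative (the "! 10.0.0.222" variant guessed in the thread);
# use either this or the two rules above, not both:
# rdr on $lan_if proto tcp from !$tivo to !($lan_if) port 80 -> $proxy_ip port $proxy_port

# Outbound NAT is a separate rule type ("nat on ..."), so a "no rdr"
# exception does not stop the TiVo's traffic from being NATed on the way
# out; only a "no nat" rule would do that.
# Check what is actually loaded with: pfctl -sn
```

The "Not NAT" checkbox in dvserg's recipe corresponds to the "no rdr" line here, which is why the TiVo keeps its outbound NAT even though it bypasses the redirect.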