PfSense with transparent proxy not working
-
Before anyone shouts at me - I have read all the posts on this topic and I cannot seem to find the solution. I have installed pfSense 2 beta, and am trying to set up squid as transparent proxy. I enabled the proxy as per the pfSense tutorial (basically selected LAN interface, allow users on interface, and transparent proxy on). I changed my web configurator to run under https on port 8443. Whenever a client tries to connect out to a web site this happens:
[root@bell ~]# telnet www.google.com 80
Trying 66.249.90.104...
Connected to www.google.com (66.249.90.104).
Escape character is '^]'.
GET / HTTP/1.1
Host:www.google.com
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com:8443/
Content-Length: 0
Date: Sat, 22 May 2010 02:44:53 GMT
Server: lighttpd/1.4.26
^]
telnet> quit
Connection closed.
Why is pfSense trying to redirect to my web configurator port 8443?
-
I suspect this has something to do with the web configurator listening on port 80 to redirect HTTP to HTTPS. I'm not aware of there being a way to disable it. I might take a look at it to see if there is an easy way to resolve this.
-
It was suggested that you may have your proxy configured on port 80. I've been informed that you do not need it to be on port 80, and if you leave it at the default port it should be fine.
-
Proxy is at the default 3128.
-
What is the output of "pfctl -sn" when you have transparent proxy enabled? And what is the date of the 2.0 BETA snapshot you are using?
-
Can you please try the latest snapshot, go to the System->Advanced settings and check "disable webConfigurator redirect"?
-
# pfctl -sn
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
rdr-anchor "miniupnpd" all
Will try latest snapshot
-
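Added example (not part of the thread, and not pfSense's own code): a small Python checker that parses the rdr lines of a `pfctl -sn` dump (only the rule syntax that appears in the output above) and reports which translation rule first matches a client's outbound HTTP connection. pf evaluates nat/rdr rules first-match, and a matching `no rdr` rule stops translation for that packet, so walking the rules in order answers "where does a LAN client's port-80 SYN actually land?". The sample rule set is a constructed excerpt of the posted output; from the `nat on vr1 ... -> 92.25.211.244` lines, vr1 looks like the WAN side and vr0 a LAN-side interface, and the vr0 address 192.168.0.1 is an assumption needed to evaluate the `! (vr0)` destination.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the `pfctl -sn` rdr rules posted in the
# thread, in the order pf evaluates them (first match wins for rdr rules).
SAMPLE_PFCTL_SN = """\
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
"""

# Service names pfctl prints instead of numbers (only the ones seen in the dump).
SERVICES = {"http": 80, "https": 443, "isakmp": 500}

# Matches the rdr / no rdr syntax used in the posted output; nat and anchors are skipped.
RULE_RE = re.compile(
    r"^(?P<no>no )?rdr on (?P<iface>\S+) inet proto (?P<proto>tcp|udp) "
    r"from (?P<src>\S+) to (?P<neg>! )?(?P<dst>\(\S+\)|\S+) port = (?P<port>\S+)"
    r"(?: tag \S+)?(?: -> (?P<target>\S+)(?: port (?P<tport>\S+))?)?$"
)


def port_number(token):
    return SERVICES.get(token) or int(token)


def parse_rules(text):
    """Parse rdr / no rdr lines from pfctl -sn output into dicts, preserving order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(("rdr on", "no rdr on")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rdr rule: " + line)
        d = m.groupdict()
        rules.append({
            "text": line,
            "no": d["no"] is not None,
            "iface": d["iface"],
            "proto": d["proto"],
            "negate_dst": d["neg"] is not None,
            "dst": d["dst"],
            "port": port_number(d["port"]),
            "target": d["target"],
            "target_port": int(d["tport"]) if d["tport"] else None,
        })
    return rules


def dst_matches(rule, dst_ip, iface_addrs):
    """Does the rule's destination spec cover dst_ip? Handles any, host, CIDR and (ifname)."""
    spec = rule["dst"]
    if spec == "any":
        hit = True
    elif spec.startswith("("):
        # (ifname) expands to the interface's own addresses
        hit = dst_ip in iface_addrs.get(spec.strip("()"), set())
    else:
        hit = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if rule["negate_dst"] else hit


def first_match(rules, iface, dst_ip, dst_port, iface_addrs, proto="tcp"):
    """Return (rule, new_destination). A matching `no rdr` returns (rule, None):
    the packet is left untranslated. No match at all returns (None, None)."""
    for r in rules:
        if r["iface"] != iface or r["proto"] != proto or r["port"] != dst_port:
            continue
        if not dst_matches(r, dst_ip, iface_addrs):
            continue
        if r["no"]:
            return r, None
        # pf keeps the original port when the redirection names none
        return r, (r["target"], r["target_port"] or dst_port)
    return None, None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_PFCTL_SN)
    addrs = {"vr0": {"192.168.0.1"}}  # assumption: LAN-side address of vr0
    for dst in ("66.249.90.104", "192.168.0.39", "92.25.211.244"):
        rule, new_dst = first_match(rules, "vr0", dst, 80, addrs)
        print(dst, "->", new_dst, "via:", rule["text"] if rule else "(no rule)")
```

Run against the excerpt, a vr0 client connecting to 66.249.90.104:80 (the Google address from the telnet test) is caught by the `! (vr0)` catch-all and rewritten to 127.0.0.1:80, which is where the lighttpd redirector answering with the 301 to :8443 lives, while nothing sends it to the proxy on 3128. Running the same check on a dump taken with NAT reflection disabled, and again after the webConfigurator redirect is disabled, shows directly which of the two suggested changes removes that rule.
-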
Looking at that, you may want to disable NAT reflection instead.
-
And use split DNS instead?
-
Well try it as a test and see if it makes a difference.
If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.
-
Hmm, split DNS does not work reliably for me so I cannot use it. It made no difference.
When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config I get round-robined between my public IP and the internal one, no matter how I flush the DNS cache or reboot:
waldo@vcs ~ $ ping monitoring.xxx.com
PING monitoring.xxx.com (192.168.0.39): 56 data bytes
64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
^C
--- monitoring.fhblack.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
waldo@vcs ~ $ ping monitoring.xxx.com
PING monitoring.xxx.com (192.168.0.39): 56 data bytes
64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
^C
--- monitoring.fhblack.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
waldo@vcs ~ $ ping monitoring.xxx.com
PING yyy.dyndns.org (92.25.211.244): 56 data bytes
64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
^C
--- sram.dyndns.org ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
-
Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.
Did your transparent proxy work with NAT reflection off?
-
Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.
Did your transparent proxy work with NAT reflection off?
I know that is why I replied:
"Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."
That referred to the transparent proxy testing.
-
That was not at all clear from what you wrote, sorry.
The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.
-
Sorry if I was unclear.
Will wait for the next build and try it.