    PfSense with transparent proxy not working

    2.0-RC Snapshot Feedback and Problems - RETIRED
    15 Posts 4 Posters 13.1k Views
      Efonnes

      It was suggested that you may have your proxy configured on port 80. I've been informed that you do not need it to be on port 80, and if you leave it at the default port it should be fine.

        pwnell

        Proxy is at the default 3128.

          jimp Rebel Alliance Developer Netgate

          What is the output of "pfctl -sn" when you have transparent proxy enabled? And what is the date of the 2.0 BETA snapshot you are using?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            eri--

            Can you please try the latest snapshot and go to the System->Advanced settings and check disable webConfigurator redirect?

              pwnell

              
              # pfctl -sn
              nat-anchor "natearly/*" all
              nat-anchor "natrules/*" all
              nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
              nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
              nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
              nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
              nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
              nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
              rdr-anchor "relayd/*" all
              rdr-anchor "tftp-proxy/*" all
              rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
              rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
              rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
              rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
              rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
              rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
              rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
              rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
              rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
              rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
              rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
              rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
              rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
              rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
              rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
              no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
              no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
              no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
              no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
              no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
              no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
              rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
              rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
              rdr-anchor "miniupnpd" all
              
              

              Will try latest snapshot

                jimp Rebel Alliance Developer Netgate
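As an added example (not code from this thread or from pfSense), a small Python evaluator for the rdr lines of that `pfctl -sn` output: pf applies the first matching nat/rdr rule, so for a client on em0 sending to port 80 on the Internet the rule that wins in the posted output is the webConfigurator redirect to 127.0.0.1 port 80 (the PFREFLECT and `no rdr` entries do not match such a packet), and nothing in the posted output redirects to the proxy's port 3128. The interface addresses, the trimmed rule sample and the 203.0.113.10 destination are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "pfctl -sn" output (rdr lines only),
# kept in pf's evaluation order: for nat/rdr rules the FIRST matching rule wins.
SAMPLE_RULES = """\
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
"""
# Assumption: interface addresses, needed to evaluate "(em0)" / "! (em0)" operands.
IFACE_ADDR = {"em0": "192.168.0.1", "vr0": "192.168.1.1", "vr1": "92.25.211.244"}
PORT_NAMES = {"http": 80, "https": 443}  # service names pfctl prints instead of numbers
RULE_RE = re.compile(
    r"^(?P<no>no )?rdr on (?P<ifc>\S+) inet proto (?P<proto>\S+) from \S+ to "
    r"(?P<dst>(?:! )?\(?[\w./]+\)?) port = (?P<port>\S+)(?: tag \S+)?"
    r"(?: -> (?P<tgt>\S+)(?: port (?P<tport>\d+))?)?$")

def parse_rules(text):
    """Parse rdr / no rdr lines; anchors, nat lines and unknown service names are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and (m["port"].isdigit() or m["port"] in PORT_NAMES):
            d = m.groupdict()
            d["port"] = int(PORT_NAMES.get(d["port"], d["port"]))
            rules.append(d)
    return rules

def dst_matches(spec, dst_ip):
    """Evaluate a pf destination operand: any, host, CIDR, (ifc) or ! (ifc)."""
    negate, spec = spec.startswith("!"), spec.lstrip("! ")
    if spec == "any":
        hit = True
    elif spec.startswith("("):
        hit = dst_ip == IFACE_ADDR[spec.strip("()")]
    else:
        hit = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def first_match(rules, ifc, proto, dst_ip, dport):
    """Translation pf applies: 'ip:port' for an rdr, 'no rdr' for a negation, None otherwise."""
    for r in rules:
        if (r["ifc"] == ifc and r["proto"] == proto and r["port"] == dport
                and dst_matches(r["dst"], dst_ip)):
            return "no rdr" if r["no"] else f'{r["tgt"]}:{r["tport"] or dport}'
    return None
```

Calling first_match(parse_rules(SAMPLE_RULES), "em0", "tcp", "203.0.113.10", 80) returns 127.0.0.1:80, the webGUI redirect; feeding it the full output from the post instead of the sample gives the same answer, since the lines before that rule only cover the firewall's own WAN address and private destinations.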

                Looking at that, you may want to disable NAT reflection instead.

                  pwnell

                  And use split DNS instead?

                    jimp Rebel Alliance Developer Netgate

                    Well, try it as a test and see if it makes a difference.

                    If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.

                      pwnell

                      Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference.

                      When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config I get round-robined between my public IP and the internal one - no matter how I flush the DNS cache or reboot:

                      waldo@vcs ~ $ ping monitoring.xxx.com
                      PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                      64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
                      ^C
                      --- monitoring.fhblack.com ping statistics ---
                      1 packets transmitted, 1 packets received, 0.0% packet loss
                      round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
                      waldo@vcs ~ $ ping monitoring.xxx.com
                      PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                      64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
                      ^C
                      --- monitoring.fhblack.com ping statistics ---
                      1 packets transmitted, 1 packets received, 0.0% packet loss
                      round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
                      waldo@vcs ~ $ ping monitoring.xxx.com
                      PING yyy.dyndns.org (92.25.211.244): 56 data bytes
                      64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
                      64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
                      ^C
                      --- sram.dyndns.org ping statistics ---
                      2 packets transmitted, 2 packets received, 0.0% packet loss
                      round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
                      
                      
                        jimp Rebel Alliance Developer Netgate

                        Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                        Did your transparent proxy work with NAT reflection off?

                          pwnell

                          @jimp:

                          Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                          Did your transparent proxy work with NAT reflection off?

                          I know that is why I replied:

                          "Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."

                          That referred to the transparent proxy testing.

                            jimp Rebel Alliance Developer Netgate

                            That was not at all clear from what you wrote, sorry.

                            The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.

                              pwnell

                              Sorry if I was unclear.

                              Will wait for the next build and try it.
