Netgate Discussion Forum

    PfSense with transparent proxy not working

    2.0-RC Snapshot Feedback and Problems - RETIRED
    15 Posts, 4 Posters, 13.1k Views
    • jimp (Rebel Alliance Developer, Netgate)

      What is the output of "pfctl -sn" when you have transparent proxy enabled? And what is the date of the 2.0 BETA snapshot you are using?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • eri--

        Can you please try the latest snapshot, go to the System->Advanced settings and check "disable webConfigurator redirect"?

        • pwnell

          
          # pfctl -sn
          nat-anchor "natearly/*" all
          nat-anchor "natrules/*" all
          nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
          nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
          nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
          nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
          nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
          nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
          rdr-anchor "relayd/*" all
          rdr-anchor "tftp-proxy/*" all
          rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
          rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
          rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
          rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
          rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
          rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
          rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
          rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
          rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
          rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
          rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
          rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
          rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
          rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
          no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
          no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
          no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
          no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
          no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
          no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
          rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
          rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
          rdr-anchor "miniupnpd" all
          
          

          Will try latest snapshot

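The rule listing above is only useful if you read it the way pf does: translation rules (nat, rdr, no rdr) are evaluated top to bottom and the first match decides. Read that way, a LAN client on em0 connecting to the public address 92.25.211.244 on port 80 hits the NAT reflection rule (tag PFREFLECT, to 127.0.0.1 port 19002) before it ever reaches the final rdr to 127.0.0.1 port 80, and LAN-to-RFC1918 HTTP is exempted by the "no rdr" lines. The following script is an added example written for this thread, not code from the thread or from pfSense; it parses rdr lines in pfctl -sn format and answers "which rule wins for this connection, and where does it go". It assumes hypothetical interface addresses (IFACE_ADDRS, needed to evaluate the "! (em0)" negation, which pfctl does not print), uses an abridged copy of the posted output as constructed sample input, and treats the final rdr to 127.0.0.1 port 80 as the proxy listener, which the thread implies but does not state.

```python
"""Audit pf rdr rules from `pfctl -sn` output: for a given connection, find the
rule pf would apply (first match wins) and where it sends the traffic."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged copy of the pfctl -sn output posted in this
# thread, keeping only the rules that can touch HTTP traffic entering on em0.
SAMPLE_PFCTL_SN = """\
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
"""
# Assumed (hypothetical) interface addresses: pfctl -sn does not print them, but
# '! (em0)' means "any destination except em0's own addresses" and needs them.
IFACE_ADDRS = {"em0": ["192.168.0.1"], "vr0": ["192.168.1.1"]}
# Service names pfctl prints instead of numbers (values from /etc/services).
SERVICES = {"http": 80, "https": 443, "rsh-spx": 222}

RULE_RE = re.compile(
    r"^(?P<no>no )?rdr on (?P<ifname>\S+) inet proto (?P<proto>\w+) "
    r"from (?P<src>\S+) to (?P<dst>.+?)"
    r"(?: port = (?P<dport>\S+))?(?: tag (?P<tag>\S+))?"
    r"(?: -> (?P<rhost>\S+)(?: port (?P<rport>\S+))?)?$"
)

def _port(value: Optional[str]) -> Optional[int]:
    return None if value is None else SERVICES.get(value) or int(value)

@dataclass
class RdrRule:
    text: str
    negate: bool             # 'no rdr': a match means "leave untranslated"
    ifname: str
    proto: str
    dst: str                 # 'any', an address/CIDR, or '! (ifname)'
    dport: Optional[int]
    target: Optional[tuple]  # (host, port or None) for rdr rules

    def dst_matches(self, dst_ip: str) -> bool:
        if self.dst == "any":
            return True
        ip = ipaddress.ip_address(dst_ip)
        neg = re.fullmatch(r"! \((\S+)\)", self.dst)
        if neg:  # negated interface: anything but that interface's own addresses
            return all(ip != ipaddress.ip_address(a) for a in IFACE_ADDRS.get(neg[1], []))
        return ip in ipaddress.ip_network(self.dst, strict=False)

    def matches(self, ifname, proto, dst_ip, dport) -> bool:
        return (self.ifname == ifname and self.proto == proto
                and (self.dport is None or self.dport == dport)
                and self.dst_matches(dst_ip))

def parse_rdr_rules(text: str) -> list:
    """Parse rdr / no rdr lines; nat rules and anchors are skipped."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith(("rdr ", "no rdr ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rdr line: {line}")
        target = (m["rhost"], _port(m["rport"])) if m["rhost"] else None
        rules.append(RdrRule(line, bool(m["no"]), m["ifname"], m["proto"],
                             m["dst"], _port(m["dport"]), target))
    return rules

def first_match(rules, ifname, proto, dst_ip, dport) -> Optional[RdrRule]:
    """pf evaluates translation rules top to bottom; the first match decides."""
    return next((r for r in rules if r.matches(ifname, proto, dst_ip, dport)), None)

def resolve(rules, ifname, proto, dst_ip, dport):
    """(host, port) the connection is redirected to, or None when it is left
    alone (nothing matched, or a 'no rdr' exemption matched first)."""
    rule = first_match(rules, ifname, proto, dst_ip, dport)
    if rule is None or rule.negate:
        return None
    host, port = rule.target
    return (host, dport if port is None else port)

def local_listeners(rules) -> set:
    """Loopback (host, port) pairs rdr rules deliver to; each needs a daemon
    bound there, which on FreeBSD you can confirm with `sockstat -4 -l`."""
    return {(r.target[0], r.dport if r.target[1] is None else r.target[1])
            for r in rules if not r.negate and r.target and r.target[0].startswith("127.")}

if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_PFCTL_SN)
    # Constructed destinations: a public web server, the WAN address from the
    # thread, a LAN host, and the firewall's own LAN address.
    for dst in ("93.184.216.34", "92.25.211.244", "192.168.0.39", "192.168.0.1"):
        win = first_match(rules, "em0", "tcp", dst, 80)
        print(f"em0 -> {dst}:80  rule: {win.text if win else 'none'}")
        print(f"    redirected to: {resolve(rules, 'em0', 'tcp', dst, 80)}")
    print("loopback listeners required:", sorted(local_listeners(rules)))
```

Run against a full `pfctl -sn` capture, the `local_listeners` set is the thing to check against `sockstat -4 -l` on the firewall: every loopback port it lists must have a daemon bound to it, otherwise the rdr silently delivers connections to nothing. That is the same question the later replies in this thread circle around (whether something other than the proxy is holding port 80 when the webConfigurator redirect is enabled), and it is answered by a listener check rather than by more rule edits.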
          • jimp (Rebel Alliance Developer, Netgate)

            Looking at that, you may want to disable NAT reflection instead.

            • pwnell

              And use split DNS instead?

              • jimp (Rebel Alliance Developer, Netgate)

                Well, try it as a test and see if it makes a difference.

                If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.

                • pwnell

                  Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference.

                  When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config, I get round-robined between my public IP and the internal one, no matter how I flush the DNS cache or reboot:

                  waldo@vcs ~ $ ping monitoring.xxx.com
                  PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                  64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
                  ^C
                  --- monitoring.fhblack.com ping statistics ---
                  1 packets transmitted, 1 packets received, 0.0% packet loss
                  round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
                  waldo@vcs ~ $ ping monitoring.xxx.com
                  PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                  64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
                  ^C
                  --- monitoring.fhblack.com ping statistics ---
                  1 packets transmitted, 1 packets received, 0.0% packet loss
                  round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
                  waldo@vcs ~ $ ping monitoring.xxx.com
                  PING yyy.dyndns.org (92.25.211.244): 56 data bytes
                  64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
                  64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
                  ^C
                  --- sram.dyndns.org ping statistics ---
                  2 packets transmitted, 2 packets received, 0.0% packet loss
                  round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
                  
                  
                  • jimp (Rebel Alliance Developer, Netgate)

                    Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                    Did your transparent proxy work with NAT reflection off?

                    • pwnell

                      @jimp:

                      Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                      Did your transparent proxy work with NAT reflection off?

                      I know that is why I replied:

                      "Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."

                      That referred to the transparent proxy testing.

                      • jimp (Rebel Alliance Developer, Netgate)

                        That was not at all clear from what you wrote, sorry.

                        The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.

                        • pwnell

                          Sorry if I was unclear.

                          Will wait for the next build and try it.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.