PfSense with transparent proxy not working
-
Can you please try the latest snapshot, then go to System->Advanced and check "disable webConfigurator redirect"?
-
# pfctl -sn
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
rdr-anchor "miniupnpd" all
Will try latest snapshot
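The rule dump above is worth reading with pf's translation semantics in mind: rdr rules are evaluated top to bottom and the first match decides, and a matching "no rdr" stops evaluation with no translation. The NAT reflection rules (tag PFREFLECT, dst 92.25.211.244) sit above the transparent proxy rules (dst ! (vr0), -> 127.0.0.1 port 80), so an inside client opening the public IP on port 80 is handed to the reflection listener on 127.0.0.1:19002, never to the proxy. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator over a constructed subset of the posted HTTP rules. The interface roles (vr1 WAN, vr0/em0 inside) are inferred from the nat lines; the inside interface addresses in IFACE_ADDR and the external host 203.0.113.10 are assumptions, needed only to evaluate the "! (vr0)" self-address exclusion.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

WAN_IP = "92.25.211.244"  # the public address in the posted dump
# Assumed inside-interface addresses (not given in the thread); needed to
# evaluate the "! (vr0)" / "! (em0)" exclusions of the interface's own address.
IFACE_ADDR = {"vr0": "192.168.0.1", "em0": "192.168.1.1"}
SERVICES = {"http": 80, "https": 443}

# Constructed subset of the pfctl -sn output above: only the port-80 rules,
# in the same order and syntax pfctl prints them.
RULES_TEXT = """
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
"""


@dataclass
class Rule:
    negate: bool              # "no rdr": a match ends evaluation without translating
    iface: str
    proto: str
    dst: str                  # "any", a host/CIDR, or "!IFACE" (anything but that iface's address)
    port: int
    tag: Optional[str]
    target: Optional[tuple]   # (ip, port-or-None) for rdr; None for "no rdr"
    text: str


RULE_RE = re.compile(
    r"^(?P<neg>no )?rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) "
    r"from any to (?P<dst>! \(\S+\)|\S+) port = (?P<port>\S+)"
    r"(?: tag (?P<tag>\S+))?"
    r"(?: -> (?P<rdip>\S+)(?: port (?P<rdport>\d+))?)?$"
)


def parse_port(p: str) -> int:
    return SERVICES.get(p) or int(p)


def parse_rules(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        dst = m["dst"]
        if dst.startswith("! ("):
            dst = "!" + dst[3:-1]          # "! (vr0)" -> "!vr0"
        target = None
        if m["rdip"]:
            target = (m["rdip"], int(m["rdport"]) if m["rdport"] else None)
        rules.append(Rule(bool(m["neg"]), m["iface"], m["proto"], dst,
                          parse_port(m["port"]), m["tag"], target, line.strip()))
    return rules


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst.startswith("!"):
        return dst_ip != IFACE_ADDR[rule.dst[1:]]
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False)


def first_match(rules, iface, proto, dst_ip, dport) -> Optional[Rule]:
    """pf translation semantics: rules are tried in order, the first match wins."""
    for r in rules:
        if r.iface == iface and r.proto == proto and r.port == dport and dst_matches(r, dst_ip):
            return r
    return None


def translate(rules, iface, proto, dst_ip, dport) -> Optional[tuple]:
    """(new_dst_ip, new_dst_port), or None when the packet is left untranslated."""
    r = first_match(rules, iface, proto, dst_ip, dport)
    if r is None or r.negate:
        return None
    ip, port = r.target
    return (ip, port if port is not None else dport)


def without_reflection(rules) -> list:
    """Model 'Disable NAT Reflection': the PFREFLECT rdr rules are not generated."""
    return [r for r in rules if r.tag != "PFREFLECT"]


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for label, rules in (("reflection on", RULES), ("reflection off", without_reflection(RULES))):
        for dst in (WAN_IP, "203.0.113.10", "192.168.0.39"):   # public IP, external host, internal host
            r = first_match(rules, "vr0", "tcp", dst, 80)
            print(f"{label:14} vr0 -> {dst}:80 => {translate(rules, 'vr0', 'tcp', dst, 80)}"
                  f"  [{r.text if r else 'no rule'}]")
```

With reflection on, an inside client on vr0 reaching 92.25.211.244:80 is translated to 127.0.0.1:19002 (the reflection listener); a connection to an outside host goes to 127.0.0.1:80 (the proxy); a direct connection to 192.168.0.39:80 hits "no rdr" and is left alone. With the PFREFLECT rules removed, the same connection to the public IP falls through to the proxy rule, which is the test suggested below. The model ignores the rdr anchors and takes "(vr0)" as a fixed address rather than pf's live interface lookup, so treat it as a reading aid for the dump, not a replacement for checking state with pfctl on the box.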
-
Looking at that, you may want to disable NAT reflection instead.
-
And use split DNS instead?
-
Well try it as a test and see if it makes a difference.
If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.
-
Hmm, Split DNS does not work reliably for me, so I cannot use it. It made no difference.
When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config, I get round-robined between my public IP and the internal one, no matter how I flush the DNS cache or reboot:
waldo@vcs ~ $ ping monitoring.xxx.com
PING monitoring.xxx.com (192.168.0.39): 56 data bytes
64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
^C
--- monitoring.fhblack.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
waldo@vcs ~ $ ping monitoring.xxx.com
PING monitoring.xxx.com (192.168.0.39): 56 data bytes
64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
^C
--- monitoring.fhblack.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
waldo@vcs ~ $ ping monitoring.xxx.com
PING yyy.dyndns.org (92.25.211.244): 56 data bytes
64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
^C
--- sram.dyndns.org ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
-
Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.
Did your transparent proxy work with NAT reflection off?
-
Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.
Did your transparent proxy work with NAT reflection off?
I know, that is why I replied:
"Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."
That referred to the transparent proxy testing.
-
That was not at all clear from what you wrote, sorry.
The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.
-
Sorry if I was unclear.
Will wait for the next build and try it.