Netgate Discussion Forum

    PfSense with transparent proxy not working

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    15 Posts 4 Posters 13.1k Views
      pwnell

      Before anyone shouts at me - I have read all the posts on this topic and I cannot seem to find the solution.  I have installed pfSense 2 beta, and am trying to set up squid as transparent proxy.  I enabled the proxy as per the pfSense tutorial (basically selected LAN interface, allow users on interface, and transparent proxy on).  I changed my web configurator to run under https on port 8443.  Whenever a client tries to connect out to a web site this happens:

      
      [root@bell ~]# telnet www.google.com 80
      Trying 66.249.90.104...
      Connected to www.google.com (66.249.90.104).
      Escape character is '^]'.
      GET / HTTP/1.1
      Host:www.google.com
      
      HTTP/1.1 301 Moved Permanently
      Location: https://www.google.com:8443/
      Content-Length: 0
      Date: Sat, 22 May 2010 02:44:53 GMT
      Server: lighttpd/1.4.26
      
      ^]
      telnet> quit
      Connection closed.
      
      

      Why is pfSense trying to redirect to my web configurator port 8443?

        Efonnes

        I suspect this has something to do with the web configurator listening on port 80 to redirect HTTP to HTTPS.  I'm not aware of there being a way to disable it.  I might take a look at it to see if there is an easy way to resolve this.

          Efonnes

          It was suggested that you may have your proxy configured on port 80.  I've been informed that you do not need it to be on port 80, and if you leave it at the default port it should be fine.

            pwnell

            Proxy is at the default 3128.

              jimp Rebel Alliance Developer Netgate

              What is the output of "pfctl -sn" when you have transparent proxy enabled? And what is the date of the 2.0 BETA snapshot you are using?

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                eri--

                Can you please try the latest snapshot and go to the System->Advanced settings and check disable webConfigurator redirect?

                  pwnell

                  
                  # pfctl -sn
                  nat-anchor "natearly/*" all
                  nat-anchor "natrules/*" all
                  nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
                  nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
                  nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
                  nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
                  nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
                  nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
                  rdr-anchor "relayd/*" all
                  rdr-anchor "tftp-proxy/*" all
                  rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
                  rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
                  rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
                  rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
                  rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
                  rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
                  rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
                  rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
                  rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
                  rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
                  rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
                  rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
                  rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
                  rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
                  rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
                  no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
                  no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
                  no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
                  no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
                  no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
                  no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
                  rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
                  rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
                  rdr-anchor "miniupnpd" all
                  
                  

                  Will try latest snapshot

                    jimp Rebel Alliance Developer Netgate

                    Looking at that, you may want to disable NAT reflection instead.

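As an added example (not from the thread or from pfSense), this script walks pfctl -sn rdr rules the way pf does, first match wins per interface, to show where a LAN client's port-80 connection actually lands: in the output above the vr0 reflection rule grabs traffic to the WAN address, and the catch-all rule at the bottom hands everything else to 127.0.0.1 port 80, the webConfigurator's HTTP-to-HTTPS redirector Efonnes mentions, rather than the proxy on 3128. It assumes 192.168.0.1 as the firewall's vr0 address and only handles the TCP rule shapes that appear in this thread.

```python
import ipaddress
import re
# Constructed sample: the vr0 (LAN) port-80 rules from the pfctl -sn output in this thread,
# in the order pf evaluates them. pf applies the FIRST matching rdr rule and stops.
SAMPLE_RULES = """\
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
"""
RULE_RE = re.compile(
    r"^(?P<no>no )?rdr on (?P<iface>\S+) inet proto tcp from any to "
    r"(?P<neg>! )?(?P<dst>\S+) port = (?P<port>\d+|http|https|rsh-spx)(?: tag \S+)?"
    r"(?: -> (?P<to>\S+)(?: port (?P<toport>\d+))?)?$")
SERVICES = {"http": 80, "https": 443, "rsh-spx": 222}   # names pfctl uses in this output

def parse_rules(text):
    # Turn pfctl -sn rdr lines into dicts; nat lines, anchors, UDP and unknown-port rules are skipped.
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rules.append({"negate": d["no"] is not None, "iface": d["iface"],
                          "dst_neg": d["neg"] is not None, "dst": d["dst"],
                          "port": int(SERVICES.get(d["port"], d["port"])), "to": d["to"],
                          "toport": int(d["toport"]) if d["toport"] else None})
    return rules

def dst_matches(rule, dst_ip, iface_addrs):
    # Destination forms in the output: any, (ifname) = that interface's addresses, host or CIDR.
    dst = rule["dst"]
    if dst == "any":
        hit = True
    elif dst.startswith("("):
        hit = dst_ip in iface_addrs.get(dst.strip("()"), set())
    else:
        hit = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst, strict=False)
    return hit != rule["dst_neg"]          # a leading '!' inverts the match

def first_match(rules, iface, dst_ip, port, iface_addrs):
    # (host, port) the connection is redirected to, or None if it passes untouched.
    for r in rules:
        if r["iface"] == iface and r["port"] == port and dst_matches(r, dst_ip, iface_addrs):
            return None if r["negate"] else (r["to"], r["toport"] or port)
    return None

def check_proxy(rules, iface, dst_ip, proxy_port, iface_addrs):
    # Does a LAN client's port-80 connection to dst_ip really land on the proxy?
    target = first_match(rules, iface, dst_ip, 80, iface_addrs)
    return "proxied" if target == ("127.0.0.1", proxy_port) else "NOT proxied, rdr target %s" % (target,)
```

Run it against the full `pfctl -sn` output of a box to see, per destination, which rdr rule wins before touching NAT reflection or the webConfigurator redirect setting.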
                      pwnell

                      And use split DNS instead?

                        jimp Rebel Alliance Developer Netgate

                        Well try it as a test and see if it makes a difference.

                        If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.

                          pwnell

                          Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference.

                          When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config I get round-robined between my public IP and the internal one - no matter how I flush the DNS cache or reboot:

                          waldo@vcs ~ $ ping monitoring.xxx.com
                          PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                          64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
                          ^C
                          --- monitoring.fhblack.com ping statistics ---
                          1 packets transmitted, 1 packets received, 0.0% packet loss
                          round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
                          waldo@vcs ~ $ ping monitoring.xxx.com
                          PING monitoring.xxx.com (192.168.0.39): 56 data bytes
                          64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
                          ^C
                          --- monitoring.fhblack.com ping statistics ---
                          1 packets transmitted, 1 packets received, 0.0% packet loss
                          round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
                          waldo@vcs ~ $ ping monitoring.xxx.com
                          PING yyy.dyndns.org (92.25.211.244): 56 data bytes
                          64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
                          64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
                          ^C
                          --- sram.dyndns.org ping statistics ---
                          2 packets transmitted, 2 packets received, 0.0% packet loss
                          round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
                          
                          
                            jimp Rebel Alliance Developer Netgate

                            Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                            Did your transparent proxy work with NAT reflection off?

                              pwnell

                              @jimp:

                              Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

                              Did your transparent proxy work with NAT reflection off?

                              I know that is why I replied:

                              "Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."

                              That referred to the transparent proxy testing.

                                jimp Rebel Alliance Developer Netgate

                                That was not at all clear from what you wrote, sorry.

                                The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.

                                  pwnell

                                  Sorry if I was unclear.

                                  Will wait for the next build and try it.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.