Squid with transparent proxy - firewall rules bypassed
-
Thanks for your answer.
What do you mean exactly?
I don't want to exclude a LAN network from squid, I just want squid to reach some websites on another route than the default gateway.
I tried to add the IP addresses or networks of these websites on the "Firewall: NAT: Outbound" page, but same thing, it seems squid doesn't take care of it. And I'd like to log all http traffic, so I don't want to bypass squid for some websites. Once again, here is what I'd like:
- all http traffic goes transparently through squid
- based on firewall rules, squid then may have different gateway(s) for some addresses
Is it possible, and how?
Thanks a lot!
-
It should be possible with Floating rules.
Create a rule with the WAN address as source, the remote sites as destination, and the gateway they should go through.
-
That's the same thing, squid intercepts http traffic before the firewall, so even with floating rules, it doesn't work.
-
Ok if you say so. ;D
But the rule on the floating tab should have direction out and no interface selected.
-
Ok I just tried. The problem when I check the firewall logs is that my source address is the one assigned by the OpenVPN connection.
If I put the WAN address as the source address, the rule is not applied.
If I put "any" as the source address, then the rule seems to be applied according to the log, but when I check my IP address on an online website, it's still the OpenVPN one. So it seems squid intercepts the traffic (because the webpage is loaded) through the default gateway, and the firewall can't do anything even if it appears in the logs.
Sorry for my English :)
-
Well, the page was loaded from the squid cache. But here is the final result:
The firewall tries to send packets from the OpenVPN WAN IP to the real WAN gateway. It can't work, and squid just says network timeout.
-
You have to draw a scheme/diagram of what you want to do, otherwise I am blind on your request.
-
Show me the interface configuration too.
-