Netgate Discussion Forum

    Traffic Redirection with Port Forwards

    • jimp (Rebel Alliance Developer, Netgate):

      When you redirect a range, the target cannot be a single port. You can only redirect a range to a range. If you want a bunch of ports to all go to the same IP:port pair, you need individual rules, or a port alias might work (though again it may need individual ports listed and not a range).

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • bellera:

        jimp

        1. I created an alias with 80, 443 and 8000:8100 ports.
        2. I put the alias at External port range.
        3. I put 3128 at Local port.

        The WebGUI accepted this configuration and I can see on the console (partial listing):

        pfctl -s nat

        rdr on em0 inet proto tcp from any to any port = http -> 192.168.2.12 port 3128
        rdr on em0 inet proto tcp from any to any port = https -> 192.168.2.12 port 3128
        rdr on em0 inet proto tcp from any to any port 8000:8100 -> 192.168.2.12 port 3128

        I think this should work. Do you agree?

        Regards,

        Josep Pujadas

        • jimp (Rebel Alliance Developer, Netgate):

          No, because the target port is considered the "starting" port of the destination range, from what I remember.

          • bellera:

            Ok, thanks!

            • Efonnes:

              Considering the output of pfctl -s nat, I think that should work, actually.

              • bellera:

                Thanks, but finally I implemented another solution.

                I wanted to redirect 80, 443 and 8000-8100 to an external squid+squidguard proxy.

                But the problem is that a redirected external proxy needs to be configured as transparent.

                I don't like transparent proxies.

                Finally, I used WPAD detection based on DNS records in my network:

                http://forum.pfsense.org/index.php/topic,29452.0.html

                Thanks,

                Josep Pujadas

                • dolphy:

                  Hi, I'm having the same problems as you. I'm using an external transparent squid proxy + dansguardian.
                  Testing with squid + dansguardian works fine with the browser proxy setting.
                  But when using NAT to redirect to squid I got these errors:

                  The following error was encountered:

                  • Unable to forward this request at this time.

                  This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

                  * The cache administrator does not allow this cache to make direct connections to origin servers, and
                  * All configured parent caches are currently unreachable.

                  Your cache administrator is root.

                  And the log on the squid box:

                  1290738384.951      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1903 GET http://thoisuso.net/tin-khoa-hoc/hoi-nghi-tai-nga-mang-den-hy-vong-cho-loai-ho.html - NONE/- text/html
                  1290738385.998      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1903 GET http://thoisuso.net/tin-khoa-hoc/hoi-nghi-tai-nga-mang-den-hy-vong-cho-loai-ho.html - NONE/- text/html
                  1290738397.254      2 10.0.10.3 TCP_DENIED/504 1569 GET http://thoisuso.net/ - NONE/- text/html
                  1290738397.256      9 10.0.10.3 TCP_MISS/504 1670 GET http://thoisuso.net/ - DIRECT/27.0.14.21 text/html
                  1290738397.259    20 10.0.10.3 TCP_MISS/504 1771 GET http://thoisuso.net/ - DIRECT/27.0.14.21 text/html
                  1290738421.218      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1778 GET http://thoisuso.net/ - NONE/- text/html

                  Has anybody had issues like this? Please help.

                  • bellera:

                    Hi!

                    Revise your squid.conf.

                    squid must be in transparent mode. This means that transparent mode must be activated in squid.conf and you need to have squid compiled with transparent mode support.

                    I don't know which OS you are using. On FreeBSD it is usual to download the package source and compile it. At this time FreeBSD asks for the configuration options of the package…

                    Also be sure which networks are permitted as clients (squid.conf and squidGuard.conf, in your case DansGuardian). The pfSense NATed network is now the origin for your squid, not the client network.

                    Regards,

                    Josep Pujadas

                    • dolphy:

                      Hi Josep Pujadas,

                      Here is my config:

                      http_port 10.0.10.3:3128 transparent
                      visible_hostname SQUID
                      cache_mem 512 MB
                      cache_dir ufs /srv/squid/cache 10000 16 256
                      access_log /srv/squid/logs/access.log squid
                      cache_log /srv/squid/logs/cache.log
                      cache_store_log /srv/squid/logs/store.log
                      acl all src 0.0.0.0/0.0.0.0
                      acl manager proto cache_object
                      acl localhost src 127.0.0.1/255.255.255.255
                      acl to_localhost dst 127.0.0.0/8
                      acl SSL_ports port 443
                      acl Safe_ports port 80          # http
                      acl Safe_ports port 21          # ftp
                      acl Safe_ports port 443        # https
                      acl Safe_ports port 70          # gopher
                      acl Safe_ports port 210        # wais
                      acl Safe_ports port 1025-65535  # unregistered ports
                      acl Safe_ports port 280        # http-mgmt
                      acl Safe_ports port 488        # gss-http
                      acl Safe_ports port 591        # filemaker
                      acl Safe_ports port 777        # multiling http
                      acl CONNECT method CONNECT

                      acl MyNetwork1 src 192.168.0.0/255.255.255.0

                      http_access allow  MyNetwork1

                      always_direct allow all
                      icp_access allow all
                      http_access deny all
                      coredump_dir /var/spool/squid

                      • bellera:

                        Try:

                        acl our_networks src 127.0.0.1/32 10.0.10.3/32 192.168.0.0/24
                        http_access allow our_networks
                        http_access deny all

                        localhost, your proxy and your network…

                        or try:

                        http_access allow all

                        restarting squid, to test if your problem is the source ip...

                        • dolphy:

                          I tried allow all already, but still the same.
                          Seems like pfSense does translate the source IP to the squid IP (NAT).

                          Here is the log:

                          1290995342.128    75 10.0.10.3 TCP_MISS/504 1881 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - DIRECT/27.0.14.21 text/html
                          1290995343.950      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
                          1290995344.470      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
                          1290995344.703    57 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
                          1290995344.830    19 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html

                          External squid with pfSense still does not work right.  :'(

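A small diagnostic for the symptom in this thread and for bellera's point about client networks: every request reaches squid from the pfSense NAT address, so a src ACL written for the client LAN never matches. This is an added example, not code from the thread, from pfSense or from Squid; the access.log lines and squid.conf fragment are constructed, and allowed_src_networks deliberately ignores ACL negation.

```python
import ipaddress
from collections import Counter

# Constructed access.log lines in squid native format (not the thread's own lines);
# every request arrives from the proxy/NAT address 10.0.10.3 and fails upstream with a 504.
SAMPLE_LOG = """\
1290995342.128    75 10.0.10.3 TCP_MISS/504 1881 GET http://example.invalid/a.html - DIRECT/203.0.113.10 text/html
1290995343.950     2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://example.invalid/a.html - NONE/- text/html
1290995344.470     2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://example.invalid/b.html - NONE/- text/html
"""
# Constructed squid.conf fragment shaped like the one posted above (hypothetical values).
SAMPLE_CONF = """\
http_port 10.0.10.3:3128 transparent
acl localhost src 127.0.0.1/255.255.255.255
acl MyNetwork1 src 192.168.0.0/255.255.255.0
http_access allow  MyNetwork1
http_access deny all
"""

def parse_access_log(text):
    """Yield (client_ip, http_status) per line; field 4 is RESULT_CODE/STATUS, e.g. TCP_MISS/504."""
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and "/" in f[3]:
            yield f[2], int(f[3].split("/", 1)[1])

def allowed_src_networks(conf):
    """Networks of each 'acl NAME src ...' named by an 'http_access allow' (no '!' negation handling)."""
    acls, allowed = {}, set()
    for p in (line.split() for line in conf.splitlines()):
        if len(p) >= 4 and p[0] == "acl" and p[2] == "src":
            acls.setdefault(p[1], []).extend(p[3:])
        elif len(p) >= 3 and p[:2] == ["http_access", "allow"]:
            allowed.update(p[2:])
    # ipaddress accepts squid's dotted-mask notation such as 192.168.0.0/255.255.255.0
    return [ipaddress.ip_network(n, strict=False) for a in allowed for n in acls.get(a, [])]

def intercept_enabled(conf):
    """True if an http_port line carries 'transparent' (Squid 2.x) or 'intercept' (Squid 3.1+)."""
    ports = (line.split() for line in conf.splitlines() if line.startswith("http_port"))
    return any({"transparent", "intercept"} & set(p) for p in ports)

def diagnose(log, conf):
    """Summarise the thread's symptoms: NAT-collapsed clients, src-ACL mismatches, 502/504s, intercept mode."""
    records = list(parse_access_log(log))
    clients = Counter(ip for ip, _ in records)
    nets = allowed_src_networks(conf)
    outside = sorted(ip for ip in clients if not any(ipaddress.ip_address(ip) in n for n in nets))
    return {"distinct_clients": len(clients), "clients_outside_allowed_src": outside,
            "gateway_errors": sum(1 for _, st in records if st in (502, 504)),
            "intercept_enabled": intercept_enabled(conf)}
```

Run diagnose() over the real access.log and squid.conf: a single distinct client that sits outside every allowed src network is the NAT signature bellera describes, and the fix is to list that NAT address (or the proxy's own address) in an allowed src ACL.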
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.