Netgate Discussion Forum

    2.0 How to redirect LAN port 80 to a proxy server

    16 Posts 5 Posters 43.5k Views
    • M
      miafya
      last edited by

      We have a squid/dansguardian server for internet filtering.

      In pfSense 1.2, I set up a NAT rule to redirect all LAN traffic with a WAN destination on port 80 to the proxy server. The proxy server is on a separate interface.

      However, when I try to do this with pfSense 2.0 RC3, nothing happens. The traffic is not redirected. Here's what the NAT rule looks like:

      Interface: LAN
      Protocol: TCP
      Source: Any
      Source Port: Any
      Destination: WAN Address
      Destination Port: 80
      Redirect Target IP: 192.168.99.2 (the filter/proxy server)
      Redirect Target Port: 8080

      I also have the appropriate firewall rule on the LAN interface too.

      Why does this not work? Am I missing something?

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        You really want something more like:

        Interface: LAN
        Protocol: TCP
        Source: LAN subnet
        Source Port: Any
        Destination: any
        Destination Port: 80
        Redirect Target IP: 192.168.99.2 (the filter/proxy server)
        Redirect Target Port: 8080

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

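A small model of first-match port-forward evaluation for the two rule variants posted above, as an added example that is not pfSense code. The LAN subnet, WAN address, client, web server and the "earlier rule" are constructed for illustration; only the 192.168.99.2:8080 target comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PortForward:
    iface: str
    src: str          # CIDR, or "any"
    dst: str          # address/CIDR, or "any"
    dport: int
    target: tuple     # (redirect IP, redirect port)

def _covers(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def redirect(rules, iface, src, dst, dport):
    """Return the destination after translation; the first matching rule wins."""
    for rule in rules:
        if (rule.iface == iface and rule.dport == dport
                and _covers(rule.src, src) and _covers(rule.dst, dst)):
            return rule.target
    return (dst, dport)   # no rule matched: the packet is not redirected

# Constructed addresses (not from the thread); only the proxy target is the poster's.
LAN_NET, WAN_ADDR = "192.168.1.0/24", "203.0.113.5"
CLIENT, WEB_SERVER = "192.168.1.10", "198.51.100.7"
PROXY = ("192.168.99.2", 8080)

FIRST_POST = PortForward("LAN", "any", WAN_ADDR, 80, PROXY)   # Destination: WAN Address
SUGGESTED = PortForward("LAN", LAN_NET, "any", 80, PROXY)     # Destination: any
# Hypothetical earlier rule standing in for "something else above that rule".
EARLIER = PortForward("LAN", "any", "any", 80, ("192.0.2.1", 3128))

def outcomes():
    pkt = ("LAN", CLIENT, WEB_SERVER, 80)
    return {
        "first_post": redirect([FIRST_POST], *pkt),
        "suggested": redirect([SUGGESTED], *pkt),
        "shadowed": redirect([EARLIER, SUGGESTED], *pkt),
    }

if __name__ == "__main__":
    for name, dest in outcomes().items():
        print(f"{name:10} -> {dest[0]}:{dest[1]}")
```
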
        • M
          miafya
          last edited by

          Thanks, I was trying to make the rule as non-restrictive as possible, just in case I was missing something.

          But either way, the NAT still does not do anything, even when I make the changes you suggested.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            And that 99.2 box is on a separate subnet from LAN?

            Unless you have something else above that rule that would be overriding it, that should work. That would also include having the squid package installed on the firewall and running in transparent mode there.

            • M
              miafya
              last edited by

              Yeah, it's on a separate subnet and actually on its own interface. This worked perfectly under pfSense 1.2 and I have not changed anything on the proxy side.

              I guess I will have to dig a little deeper. Just wanted to make sure that nothing significant about NAT behavior had changed in 2.0.

              • perikoP
                periko
                last edited by

                Hi guys.

                Hey, I want to do the same thing and you're right: in 1.2.3 this setup works, in 2.0 it hasn't been working. Did you find out how to do this?

                Thanks!!!

                2.0-RC3 (i386) built on Fri Aug 12 16:23:11 EDT 2011

                Need Pfsense Support in Mexico?
                www.bajaopensolutions.com
                https://www.facebook.com/BajaOpenSolutions
                Want to learn PfSense? Visit my YouTube channel:
                https://www.youtube.com/c/PedroMorenoBOS

                • G
                  gendit
                  last edited by

                  I use this configuration to redirect ALL LAN traffic to my transparent proxy, which uses port 3128

                  interface : LAN
                  external address : any
                  protocol : TCP
                  external port range : HTTP
                  nat ip : my transparent proxy IP
                  local port : transparent proxy port

                  and it works under pfsense 1.2.3 :)

                  • perikoP
                    periko
                    last edited by

                    Thanks gendit.

                    Like miafya and I said, on 1.2.3 it works, but now we want to set this up on 2.0RC3.

                    Thanks  :)

                    • M
                      miafya
                      last edited by

                      After my posts a few days ago I left things alone for a day. When I came in the next morning, I realized that the NAT was working. I did not do anything different that I can think of, but it seems to be working just like with 1.2.3.

                      The only thing I can think of is that perhaps I still had some active states in the firewall that needed time to die before the NAT settings took effect.

                      I've attached the current rules I have. The first is of the NAT rule, the second is the firewall rule.

                      [Attachments: nat1.png (NAT rule), nat2.png (firewall rule)]

                      • perikoP
                        periko
                        last edited by

                        I just want to confirm what I have read.

                        I have my pfsense LAN/WAN NICs.

                        Squid listens on the LAN address, port 3128.

                        LAN 192.168.50.1

                        I cannot set up a port forward from my LAN subnet X port to LAN address Y port?

                        If I add another NIC in my pfsense box:

                        opt1 192.168.50.2

                        and I set up squid to listen on this NIC, can I do the port forward?

                        Or must I be on a different subnet?

                        Pfsense 2.0 doubts.

                        Thanks!!!

                        • M
                          miafya
                          last edited by

                          The process I'm talking about is if you have an external squid box outside of pfSense and want to forward traffic to it. In version 1.2.x you had to have the external box on another interface in order to be able to NAT to it.

                          However under pfsense 2 you can install the squid package and do a transparent proxy directly in pfsense without using NAT or other interfaces. It is pretty simple to set up. Once you install the squid package, a "Proxy server" item will show up under the Services menu.

                          • perikoP
                            periko
                            last edited by

                            Thanks miafya.

                            In my case, my pfsense box has squid running?

                            Thanks.

                            • M
                              miafya
                              last edited by

                              If your pfsense box has squid running and you want to use that, just enable squid for the interfaces you wish to use. The settings are under "Services -> Proxy Server". It has a nice transparent proxy option too.

                              If you want to use an external squid box, make sure to remove squid from your pfsense box or disable it from the interface you wish to use. Then use the NAT settings to forward to your external box.

                              • perikoP
                                periko
                                last edited by

                                I have done this; my squid settings have the new interface. I cannot use transparent mode because I need to use my LDAP users.

                                Thanks miafya.

                                • B
                                  bruno
                                  last edited by

                                  @jimp:

                                  Unless you have something else above that rule that would be overriding it, that should work. That would also include having the squid package installed on the firewall and running in transparent mode there.

                                  jimp, what about https? I can't get it to work on 2.0, forwarding 443 on LAN to proxy_ip port 3128.

                                  
                                  TCP_DENIED/400 3012 NONE error:unsupported-request-method - NONE/- text/html
                                  

                                  thanks

                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by

                                    You cannot transparently proxy https.

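What an HTTP-only listener sees when port 443 is redirected to it, as an added example (not code from the thread or from squid): an HTTP parser expects a request line with a method, while a connection redirected from port 443 opens with a TLS handshake record, so there is no method to read. The sample bytes are constructed and the request-line pattern is simplified.

```python
import re

# Simplified HTTP/1.x request line: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/\d\.\d\r\n")

def parse_tls_record(data):
    """Decode the 5-byte TLS record header and 4-byte handshake header, or return None."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03:
        return None   # not a TLS handshake record
    return {
        "record_version": (data[1], data[2]),
        "record_length": int.from_bytes(data[3:5], "big"),
        "handshake_type": data[5],                      # 1 = ClientHello
        "handshake_length": int.from_bytes(data[6:9], "big"),
    }

def http_listener_view(data):
    """Model what an HTTP-only listener can make of a connection's first bytes."""
    m = REQUEST_LINE.match(data)
    if m:
        return ("request", m.group(1).decode(), m.group(2).decode())
    tls = parse_tls_record(data)
    if tls and tls["handshake_type"] == 1:
        return ("not-http", "TLS ClientHello", None)
    return ("not-http", "unrecognised bytes", None)

def make_client_hello_prefix(body_len=40):
    """Constructed sample: valid headers, zero-filled body (not a usable ClientHello)."""
    handshake = b"\x01" + body_len.to_bytes(3, "big") + bytes(body_len)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed first bytes for the two redirects discussed in the thread.
PORT_80_BYTES = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PORT_443_BYTES = make_client_hello_prefix()

if __name__ == "__main__":
    for label, data in (("port 80", PORT_80_BYTES), ("port 443", PORT_443_BYTES)):
        print(label, "->", http_listener_view(data))
```
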