Squid transparent proxy breaks 1:1 NAT + NAT reflection
-
Hi all, a post of more than 120 days old told me I should start a new topic rather than reply, so here goes!
Original post: http://forum.pfsense.org/index.php/topic,43613.0.html
My question/issue is slightly different I think, I still have the same issue with the NAT reflection breaking when using 1:1 (public IP's) instead of hosts seeing the originating IP they see the WAN IP of the pfSense.
Is there a way to get squid to work properly with 1:1 NAT?
-
Jimp replied that thread with a good solution, did you tried that? ???
http://forum.pfsense.org/index.php/topic,43613.msg227556.html#msg227556
-
Does that not exclude the Public IP's from the proxy server?
I would like to be able to run squid both ways on the public IP's.
-
I would like to be able to run squid both ways on the public IP's.
you mean transparent proxy connections from internet to your squid on port 80? ???
-
I have a subnet of public IP's + routed subnet on WAN to ISP, I am using 1:1 NAT.
I use squid to log traffic for my subnet per IP using lightsquid.
The problem is when enabled any application that needs a totally transparent route between host and IP comes back with the proxy servers IP and not the originating IP.
Question is, is this a possible scenario or not possible?
-
The problem is when enabled any application that needs a totally transparent route between host and IP comes back with the proxy servers IP and not the originating
Did you tried to include these server internal ips on destination bypass box in the squid config?
-
Yes tried it but does exactly what I don't want it to do…
Without the bypass on the public subnet - (from whatismyip.com)
Your IP Address Is: xxx.xxx.xxx.218 (Client IP)
Other IPs Detected: xxx.xxx.xxx.2 (pfsense WAN IP)
Possible Proxy Detected: 1.1 localhost:3128 (squid/2.7.STABLE9)With the bypass no traffic data is logged to /var/squid/log as the bypass suggests!
-
Hi again, so there is no way of using the transparent proxy on a public IP subnet?
-
No because the proxy is the one making the outbound connection to the web server, not the originating client. Nothing you do will make that appear to originate from the actual client IP.
There were some kernel hacks/patches for Linux out there (tproxy, I think) but I'm not sure anything like that exists on FreeBSD.