Modo Transparente no funciona!

cristofalla

Buen dia,

Otra vez por acá dejando mis inquietudes, resulta que tengo configurado 1 pfsense para una empresa (Trabaja bien), me piden que haga una nueva instalacion en otro equipo a modo de respaldo (cuando se dañe o le pase algo al de producción). Este segundo pfsense es igualito al de producción pero no funciona el modo transparente, si quito la dirección del proxy en el navegador, todo el trafico pasa como si nada.

La pregunta seria, si squid esta en modo transparente por que sucede esto? por que el squid de produccion si funciona y el otro no?

La configuración del segundo pfsense la hice manualmente, porque la restauracion de un backup me estaba presentando problemas.

Muchicimas gracias anticipadas

sanchezluys

:) hola,

segun te entiendo ya el que esta en produccion pudiera fallar en cualquier momento,
descarga del de produccion el backup de todo (incluyendo configuracion de programas) de esta manera obtienes el archivo .xml y despues instalas ese .xml en tu segundo equipo,

de no ser posibles descargar el .xml entonces buscarlo via putty y obtener el que el sistema genera automaticamente todos los dias.

ahora que version de pfsense usas?

extide

Sorry, this will be in english, but I believe your problem is that you need to change the Squid Proxy Interface, and make sure it is NOT selected on localhost. LAN = yes, Localhost = no.

Transparent + Localhost listen does not work.

cristofalla

Hola y gracias por ayudarme,

amigo sanchezluys, ese ejecircio lo he hecho, pero la idea es configurarlo desde cero solo teniendo los datos basicos. Lo mas facil seria hacer el restore dek archivo xml, pero si la idea es ubicarme en una situacion en la que no tenga el archivo xml.

amigo extide, la squid proxy interface esta en la interface LAN :)

Estuve haciendo unas pruebas, desmarque la casilla del modo transparente y guarde, volvi y maque la casilla del modo transparente y guarde y asi SI ! funciono, no necesite poner el proxy en el navegador, pero me lleve una gran sorpresa al reiniciar el pfsense. Vuelve y pasa lo mismo, deja pasar todo! como si se borrara esa configuracion del modo transparente, pero voy y verifico y esta tal cual como lo deje antes de reiniciar.

Esto me ah dejado aun mas loco.

Gracias de nuevo por su colaboración.

bellera

Diagnostics - Command

pfctl -s nat

Copiar / Pegar en este fórum (sin datos sensibles).

cristofalla

hola bellera, los resultados son:

$ pfctl -s nat
nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em1 inet from 10.0.1.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.1.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.1.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.1.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.1.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.1.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 192.168.200.0/28 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 192.168.200.0/28 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 192.168.200.0/28 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 192.168.200.0/28 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 192.168.200.0/28 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 192.168.200.0/28 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.10.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.10.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.10.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.10.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.10.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.10.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.11.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.11.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.11.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.11.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.11.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.11.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.2.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.2.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.2.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.2.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.2.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.2.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.3.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.3.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.3.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.3.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.3.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.3.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.4.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.4.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.4.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.4.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.4.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.4.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.5.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.5.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.5.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.5.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.5.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.5.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.6.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.6.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.6.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.6.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.6.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.6.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.7.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.7.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.7.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.7.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.7.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.7.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.8.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.8.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.8.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.8.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.8.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.8.0/24 to any -> (em2) port 1024:65535 round-robin
nat on em1 inet from 10.0.9.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
nat on em1 inet from 10.0.9.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
nat on em1 inet from 10.0.9.0/24 to any -> (em1) port 1024:65535 round-robin
nat on em2 inet from 10.0.9.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
nat on em2 inet from 10.0.9.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
nat on em2 inet from 10.0.9.0/24 to any -> (em2) port 1024:65535 round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on em0 proto tcp from any to <vpns>port = ftp
no rdr on em0 proto tcp from <onetoonelist>to any port = ftp
rdr on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
no rdr on em2 proto tcp from any to <vpns>port = ftp
no rdr on em2 proto tcp from <onetoonelist>to any port = ftp
rdr on em2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
rdr on em3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 10.0.2.205
rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 10.0.2.205
rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19000
rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19001
rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19002
rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19003
rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 10.0.4.205
rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 10.0.4.205
rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19004
rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19005
rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19006
rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19007
rdr on em1 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 10.0.1.220
rdr on em1 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 10.0.1.220
rdr on em0 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19008
rdr on em0 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19009
rdr on em3 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19010
rdr on em3 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19011
rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 10.0.1.205
rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 10.0.1.205
rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19012
rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19013
rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19014
rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19015
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all
binat on em1 inet from 10.0.1.220 to any -> 192.192.1.3

Espero me puedan ayudar</onetoonelist></vpns></onetoonelist></vpns>

bellera

Algún lío hay. Deberías tener algo como:

rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 3128
rdr on lo0 inet proto tcp from any to ! (lo0) port = http -> 127.0.0.1 port 3128

1. Cualquier cosa que llegue por LAN (em0) y no vaya a LAN (emo) con destino TCP 80 tiene que irse al propio pfSense (127.0.0.1) puerto TCP 3128. Es decir, a squid.

2. Cualquier cosa que llegue por el propio pfSense (lo0) y no vaya al propio pfSense (lo0) con destino TCP 80 tiene que irse al propio pfSense (127.0.0.1) puerto TCP 3128. Es decir, a squid.

Si al marcar que quieres el proxy (squid) en modo transparente eso no te aparece en los nat entonces hay alguna incompatibilidad con el resto de cosas que tienes configuradas. O un bug, claro.

Cerciórate que tienes las interfases LAN y loopback activadas en la configuración de squid (proxy server).

¿Puedes postear tus NAT Outbound, NAT 1:1 y NAT Port Forward? Quiero decir las imágenes del configurador web. Enmascara datos que puedan ser delicados (ips públicas, por ejemplo).

cristofalla

Hola de nuevo, bellera te adjunto las imagenes del NAT y una de la conf del Squid(Proxy server) :)

Squid.JPG_thumb

PortForward.JPG_thumb

1-1.JPG_thumb

outbound.JPG_thumb

bellera

Bueno, veo que no te funciona bien esto.

También veo que debes estar con una versión 1.x

Tendrías que hacer un upgrade a la última versión. De lo contrario es complicado mantener la instalación.

Lo único que se me ocurre con la versión que tienes es que hagas el NAT Port Forward a mano (ver imagen).

proxy_transparent_manual.jpg_thumb