Squid not working in Transparent mode on pfsense configured in a bridge mode
-
It's been covered before, but it's been a while:
Squid + Transparent mode alone + Bridge does not, and cannot work. Not sure if that will change in the future.
If you have the settings in the user's browser, then it is not using transparent mode.
-
Are you saying that I cannot run squid in transparent mode on pfsense configured as a transparent firewall/bridge? Does it mean you can only run squid in transparent mode if you configure pfsense as the router?
Could you please throw more light on this?
Thank you.
-
Correct.
Squid + Transparent + Bridge == Broken
Squid + Transparent + Routing == OK
-
Please, I'm actually a newbie in pfsense. I really like some features of pfsense that I would want to deploy. Would you please advise me on how to deploy it in my network together with the Mikrotik router? I want to keep the Mikrotik and still enjoy some benefits of pfsense. That was why I configured the pfsense in a bridge mode, but I didn't know that if you configure pfsense in the bridge then squid CANNOT work in transparent mode. Is there a way I can use the mikrotik router and pfsense without configuring the pfsense in a bridge mode so that I can run squid in transparent mode?
Thank you.
-
@Jimp has confirmed that squid CANNOT work in transparent mode while pfSense is configured as a transparent firewall/filtering bridge.
Now how can I configure pfSense as a firewall behind a mikrotik router? I have attached the network diagram. I don't want to replace the mikrotik router completely, hence the need to have the two on the network.
I saw this article: "http://fafadiatech.blogspot.com/2012/05/setting-up-pfsense-as-main-firewall-and.html" but the writer was not specific with his configurations.
Any help will be appreciated.
-
In that article he shows a Cisco router where your Mikrotik router is in your diagram. But in the setup he has the public WAN IP on the pfSense firewall. I don't know what the Cisco in his diagram is doing - from what he sets up, the Cisco is passing through ("bridging"?) the external public IP to the pfSense.
Why do you want to retain the Mikrotik? Is there other gear between the Mikrotik and pfSense that you want in front of the pfSense for some reason?
I would have just put the pfSense WAN to the modem and let pfSense WAN have the public IP address - it is a firewall+router first, as well as able to do Squid proxy etc.
-
Thanks phil.
I know in the article a Cisco router was used, but I cited it because it has a close setup to mine. As for his configuration, I wouldn't know what he did.
I'm going ahead with the installation. I will get back to this forum as it progresses.
-
Preliminary update:
I have successfully configured the pfsense behind the edge mikrotik router. However, in order not to cut users off the internet, I connected the pfsense WAN to the switch where the mikrotik is connected too. So I have:
internet-------mikrotik-------switch--------WAN pfsense LAN------switch------PC
                                 |
                          Production LAN

Mikrotik: WAN - DHCP
          LAN - 192.168.20.2
pfsense:  WAN - 192.168.20.1
          LAN - 192.168.21.1
PC:       LAN - 192.168.21.2
Prod LAN - 192.168.20.x
My production LAN traffic FOR NOW goes straight to the mikrotik and uses the default gateway of 192.168.20.2, while I'm using the PC (the only computer connected through the pfsense) to configure and test the connectivity. The PC has a default gateway of 192.168.21.1.
The pfsense and Mikrotik are doing double NATing. I can access the internet from the PC. The pfsense can resolve domain names and download packages. Everything seems to be going well. When I disable NAT on the pfsense, the PC loses access to the internet, which is understandable, knowing that the PC and the LAN of the Mikrotik are in different subnets.
My next step is to install some packages, especially squid, and see how it works, play around with some configurations, and I promise to keep you posted.
Lastly, I will remove the switch before the mikrotik router and wire the pfsense WAN straight to the ROUTER LAN and force every user to pass through the pfsense.
I'm excited and will post all the stages here; it might just help someone.
-
Glad you made an effort! Thanks for the update, keep us posted, always interested in unconventional setups and see them working.
-
Further update:
Squid is working in transparent mode!!! Also, I got bandwidthd and lightsquid working. I must mention that I tried WITHOUT success to get bandwidthd to work in bridge mode. Meanwhile, lightsquid did not work in my previous configuration, obviously because transparent squid was not working. So I was glad to get it working, so I can now say that:
pfsense in bridge mode + bandwidthd = BROKEN
pfsense in bridge mode + lightsquid = BROKEN
Next step:
Configure client-to-site VPN
Install and configure other packages including squidguard, snort, ntop, etc.
Connect the production LAN through the pfsense
Report back to the forum ;D
Well, that will be on Monday, 18/3/2013.