Netgate Discussion Forum
    External squid3 server, Correct NAT Rules?

    ndboost:

      So I have pfSense running on a thin client, and running squid3 on it is just too heavy. That being said, I have booted up a VM of Ubuntu 13.10 and installed squid3 on it. I'm trying to figure out how to get the setup to work so that pfSense will NAT redirect port 80 to 3128 of my proxy VM.

      if: lan
      protocol: TCP
      source: 192.168.1.100 - this is an IP of a machine on my LAN I'm using for testing
      source port range: any - any
      destination: any
      destination port range: http - http
      redirect target ip: 192.168.1.145 - IP of my squid3 VM
      redirect target port: 3128
      NAT Reflection: Enable Pure NAT

      Then in my squid conf I have the following:

      
      acl localhost src 127.0.0.1/32
      acl to_localhost dst 127.0.0.0/8
      acl localnet src 192.168.1.0/24
      acl SSL_ports port 443
      acl Safe_ports port 80          # http
      acl Safe_ports port 21          # ftp
      acl Safe_ports port 443         # https
      acl Safe_ports port 70          # gopher
      acl Safe_ports port 210         # wais
      acl Safe_ports port 1025-65535  # unregistered ports
      acl Safe_ports port 280         # http-mgmt
      acl Safe_ports port 488         # gss-http
      acl Safe_ports port 591         # filemaker
      acl Safe_ports port 777         # multiling http
      
      acl CONNECT method CONNECT
      
      http_access allow manager localhost
      http_access deny manager
      http_access deny !Safe_ports
      
      http_access deny to_localhost
      icp_access deny all
      htcp_access deny all
      
      http_port 3128 transparent
      hierarchy_stoplist cgi-bin ?
      access_log /var/log/squid3/access.log squid
      
      #Suggested default:
      refresh_pattern ^ftp:           1440    20%     10080
      refresh_pattern ^gopher:        1440    0%      1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern .               0       20%     4320
      # Leave coredumps in the first cache dir
      coredump_dir /mnt/cache
      
      # Allow localnet machines to whitelisted sites
      http_access allow localnet
      
      # block all other access
      http_access deny all
      Also, I'm not sure: do I need to add any iptables configs to the squid VM?

    TheSelby:

        I have the same question; I can't figure out how to edit the firewall rules for using an external, separate transparent Squid machine :)

        In the old fashion, there is a need for a prerouting, a postrouting and a forward rule. I have tried the same scenario as ndboost mentioned above; it seems not to work.

        P.S. I've tried this on pfSense 2.1.

        L.E. As I discovered on http://lukasz.cepowski.com/devlog/10,setup-squid-as-a-transparent-cache-proxy-for-lan, it seems that there is a bug with forwarding one port into another in the same LAN subnet. And indeed I've checked the squid access log, and it was empty all the time (meaning it received no connections at all).
        I cannot follow the guide on that page because port 80 is already used by another process, so I must find a new workaround (or set up a new computer … more energy consumed haha).

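The empty-access-log check TheSelby describes, written out as a small script (an added example, not code from either poster): it parses Squid's native log format, which is what the `access_log /var/log/squid3/access.log squid` line in ndboost's config produces, and summarizes what the proxy actually handled. The sample log lines are constructed for the example; a total of zero means the NAT redirect never delivered a connection, so the fault lies before Squid rather than in its ACLs.

```python
import re
from collections import Counter

# Squid native log format, as selected by "access_log ... squid" in the posted config:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer mime-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample lines (not from the thread): two LAN requests and one from a
# non-LAN source, which "http_access allow localnet" + "deny all" should reject.
SAMPLE_LOG = """\
1386000001.123    250 192.168.1.100 TCP_MISS/200 5432 GET http://example.com/ - HIER_DIRECT/203.0.113.5 text/html
1386000002.456      0 192.168.1.100 TCP_MEM_HIT/200 5432 GET http://example.com/ - NONE/- text/html
1386000003.789      1 10.0.0.7 TCP_DENIED/403 3567 GET http://example.com/ - NONE/- text/html
"""

def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text, lan_prefix="192.168.1."):
    """Count hits, misses, denials and non-LAN clients seen by the proxy.
    total == 0 is the symptom from the thread: no connection ever reached Squid."""
    stats = Counter(total=0, hit=0, miss=0, denied=0, outside_lan=0, unparsed=0)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        if not rec["client"].startswith(lan_prefix):
            stats["outside_lan"] += 1  # expected to be 0 when only localnet is allowed
        if rec["code"].startswith("TCP_DENIED"):
            stats["denied"] += 1
        elif "HIT" in rec["code"]:
            stats["hit"] += 1
        elif "MISS" in rec["code"]:
            stats["miss"] += 1
    return dict(stats)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/var/log/squid3/access.log").read())` on the proxy VM.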