Netgate Discussion Forum
    Forward 80 port to proxy host in LAN

    NAT
zorg

Please help: how do I forward http/https requests from the LAN to a proxy host on port 3128 in the same LAN?

      PFSENSE IP : 192.168.1.1
      PROXY IP: 192.168.1.10, PORT 3128

      LOCAL USERS from scope: 192.168.1.100-192.168.1.250

KOM

        An Outbound NAT rule on LAN?

        https://doc.pfsense.org/index.php/Outbound_NAT

johnpoz (LAYER 8 Global Moderator)

Why would you do that? Why not just let the client machines know about that proxy via WPAD, which can be handed out via DHCP or DNS? Or set up group policy to hand out the proxy settings or PAC file location. Or just go to the client machines and set it manually.

Trying to forward http or especially https to a proxy is going to cause problems, especially with a hairpin like you're doing to a proxy on the same LAN.

You're going to have packets going to pfSense 192.168.1.1, just to get forwarded to 192.168.1.10, just to go back to 192.168.1.1 to get off the 192.168.1.0/24 network. That's a lot of packets going back and forth for no good reason.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

chris4916

I suppose there is some misunderstanding here.
Although the question is raised in the "NAT" related section, I suppose the idea behind it is rather "how to force users to use the internal proxy?"

It should have been asked either in the proxy related section or at least the "general" section 8)
I suspect the idea is to implement a transparent proxy with the proxy not running at the default gateway.
Technically speaking it is feasible, but does it make sense?
As johnpoz explains, it generates significant traffic that could be avoided. Why not target an explicit proxy instead?

            Jah Olela Wembo: Les mots se muent en maux quand ils indisposent, agressent ou blessent.

muswellhillbilly

              Either enter the proxy details in the browser settings explicitly or use a proxy PAC file if you want greater overall control.

zorg

I understand that a direct connection is much better than a redirect, but in some cases there is no possibility to use the techniques described above (such as AD policies, WPAD/PAC files, DNS and DHCP configuration and so on).
For example:

                • OS is not added to domain

                • System is not Win-like

                • Smartphones and other mobile devices

                • smart-TV

• and sometimes software that was written on the knee by "drunk indus cool hardcoders in a dark room at midnight" and is not configurable to use a proxy

I want to see an example of a rule that does this simple thing:

                iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

to closely understand how to work with pfSense.

                pfSense version: 2.2.4

muswellhillbilly

If your proxy is on the same network as your clients, then the firewall isn't going to be able to handle the traffic before the proxy does. So no rule on the firewall is going to NAT or otherwise return the traffic to a host that's local to your clients. The only way to do it, as far as I can see, is to install the Squid proxy directly on your firewall and have it proxy your web traffic transparently.

chris4916

The point is not NAT, even if a transparent proxy relies on a NAT-like (or even NAT) mechanism.
pfSense does not use iptables but packet filter. This doesn't really make a difference, but it is good to notice at this stage ;)

The problem you will face with the proxy on the same LAN as the other clients is that your redirection will have to manage exceptions so that the proxy's own flow is not redirected itself.
I also would be curious to look closer at the frames when relying on a transparent proxy on the same LAN, because the request is issued from the browser, neither client nor server is aware of this transparent device and, this is the potentially blocking point, the transparent proxy is not in the middle of the network flow.

This should be easier if you manage to set up a DMZ that will host your transparent proxy.

• This avoids having to maintain exceptions and useless network load on the internal interface
• you will NAT to another network ;-)

If this can't be done, you should at least split your LAN with a shorter network mask.

chris4916
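The redirect zorg asked for, written in pf syntax (pfSense's packet filter) instead of iptables, together with the exception chris4916 describes and the return-path fix that a same-LAN hairpin needs. This is an added illustration, not configuration from the thread or output generated by pfSense; the interface name em0 is a placeholder, and the addresses are the ones given in the thread.

```pf
# Hand-written pf.conf fragment for illustration (pfSense builds its own
# rules from the GUI; this shows the equivalent pf logic only).
# Assumptions: LAN interface em0 (placeholder), LAN 192.168.1.0/24,
# pfSense LAN address 192.168.1.1, proxy 192.168.1.10:3128 (from the thread).
lan_if     = "em0"
lan_net    = "192.168.1.0/24"
proxy      = "192.168.1.10"
proxy_port = "3128"

# 1. Exception first (first matching rdr rule wins): the proxy's own
#    outbound web requests must not be sent back to the proxy, or they loop.
no rdr on $lan_if proto tcp from $proxy to any port 80

# 2. Redirect client HTTP that is leaving the LAN to the proxy.
#    "to ! $lan_net" keeps LAN-to-LAN HTTP (printers, internal web UIs)
#    untouched. Port 443 is deliberately not listed: a plain port-3128
#    HTTP proxy cannot accept intercepted TLS, and clients will not trust
#    a certificate minted by a device in the middle.
rdr on $lan_if proto tcp from $lan_net to ! $lan_net port 80 \
    -> $proxy port $proxy_port

# 3. The hairpin fix. After the rdr the packet goes back out $lan_if toward
#    the proxy. Without this rule the proxy answers the client directly from
#    192.168.1.10:3128; the client sent its SYN to the real web server, so it
#    drops that SYN-ACK and the connection never completes. Rewriting the
#    source to pfSense's own LAN address forces the proxy's replies back
#    through pfSense, where the rdr state is undone before the packet reaches
#    the client. Only flows that actually pass through pfSense match here;
#    a browser configured to talk to the proxy explicitly never leaves the
#    LAN segment and is unaffected. Cost: every byte crosses the LAN
#    interface twice, and the proxy logs 192.168.1.1 as the client address.
nat on $lan_if proto tcp from $lan_net to $proxy port $proxy_port -> ($lan_if)

# 4. Filter rules see the packet after translation, so allow the
#    redirected connection by its translated destination.
pass in quick on $lan_if proto tcp from $lan_net to $proxy port $proxy_port \
    keep state
```

Rule 3 is the "Outbound NAT rule on LAN" KOM pointed at; without it, capturing frames on the proxy shows the SYN arriving from the client and the SYN-ACK leaving straight back to the client, which is exactly the asymmetric path chris4916 was curious about.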

Aside from my previous answer, I would be curious to know which devices do not support proxy settings ???
For sure WPAD doesn't work with ALL devices (although it describes different ways to achieve it, and this has nothing to do with Windows-like or not ;)), but all the other devices I'm using here are able to support proxy configuration, even if only manually.

lockye

I have a Roku box that I would like to forward through the proxy server, but I have no way of changing the proxy settings on the Roku box; when I use transparent HTTP and man in the middle, it blocks some of the channels I can access.

I would also like to find a way to make the Roku box go through my proxy server.

johnpoz (LAYER 8 Global Moderator)

How exactly are you going to do a man in the middle with https, creating certs that the Roku would trust? Can you install trusted CAs on your Roku?

Some devices do not support a proxy, and why should they – they are designed for the home. I wish my net thermostat supported WPA Enterprise or 802.1X, but it doesn't ;)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.