Netgate Discussion Forum
Transparent proxy not working as expected

    nvdstruis
    last edited by Nov 26, 2016, 9:34 PM

    Hello all,

    I hope someone can help me out, because I've tried for over a full day. I tried all the hints and solutions for this issue, but none worked.
    I installed pfSense on dedicated hardware and want to use it as a wireless AP and proxy. I have the AP working correctly. I verified that websites I added to Squid's blacklist box in pfSense are indeed blocked by Squid when I explicitly set the proxy in the browser.
    Unfortunately, when I do not specify the proxy in the browser and instead turn on transparent proxying in pfSense, it seems Squid is bypassed altogether, i.e. the blocked website gets loaded.

    I tried all sorts of things, like e.g. adding port forwarding with a NAT rule, but could not influence this behaviour.

    I am pretty lost here. Any suggestions?
    Thx

      nvdstruis
      last edited by Nov 26, 2016, 9:54 PM

      I just verified that there are no new entries in the access log when in transparent mode. There are entries when I browse with the proxy server set in the browser.

        nvdstruis
        last edited by Nov 26, 2016, 9:59 PM

        [Attachment: LAN_rules.png]

          KOM
          last edited by Nov 27, 2016, 1:43 AM

          Honestly, transparent is more trouble than it's worth because you have to distribute certificates to every single client that will use the proxy or they will get browser MitM warnings for every HTTPS page. Go explicit instead, and configure WPAD to allow your clients to auto-discover the proxy on their own.

          WPAD Autoconfigure for Squid

          Don't let the details scare you, it's just a DNS entry, a DHCP entry and a few text files on your pfSense box.

            nvdstruis
            last edited by Nov 27, 2016, 9:58 AM

            Hi,

            Thanks for your answer.
            The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

            Isn't there any other way to do this? And why is pfSense's transparent setting not working anyway?

            Thx

              nvdstruis
              last edited by Nov 27, 2016, 10:00 AM

              What I suppose is a solution is to add a NAT rule in pfSense to redirect all HTTP traffic to 127.0.0.1:3128. For some reason, this does not work.

              Any suggestions?

                doktornotor
                last edited by Nov 27, 2016, 11:33 AM

                @nvdstruis:

                What I suppose is a solution is to add a NAT rule in pfSense to redirect all HTTP traffic to 127.0.0.1:3128. For some reason, this does not work.

                Any suggestions?

                This is already done by the package when you set up transparent proxy, kindly see https://github.com/pfsense/FreeBSD-ports/blob/RELENG_2_3_2/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L2137

                  nvdstruis
                  last edited by Nov 27, 2016, 1:33 PM

                  Thx. Ok, so that's why manually doing that didn't change anything for the better…
                  But why doesn't that work???

                    chris4916
                    last edited by Nov 27, 2016, 2:48 PM

                    @nvdstruis:

                    The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

                    Not if direct access is not authorized through your FW ;)
                    Furthermore, the goal is not to configure it on the browser but just (only) to ensure the browser is using Web Proxy Auto-Discovery (WPAD).
                    WPAD will tell the proxy where to find proxy.pac, and proxy.pac will configure the browser (transparently) on your behalf.

                    And if the user changes this configuration on the browser side, (s)he will not get access to the internet :P


                      KOM
                      last edited by Nov 28, 2016, 2:02 PM

                      The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

                      Which is why you have a rule on LAN that blocks TCP 80,443 so that they must use the proxy or else they don't get web access.

                      You can feel free to struggle with transparent mode, or you can take our suggestions and get it working.

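To make the explicit-proxy setup described in the two replies above concrete, here is an added example of the proxy.pac that WPAD would hand to the browsers; it is not from the thread, from pfSense or from the Squid package. It assumes a pfSense LAN address of 192.168.1.1, Squid on its default port 3128, a 192.168.1.0/24 LAN and pfSense's default domain "localdomain", and it defines minimal versions of the PAC helper functions so the file can also be exercised outside a browser.

```javascript
// proxy.pac served by pfSense as the WPAD file, written in ES5-style JavaScript
// because some PAC engines do not support newer syntax.
// Assumptions (not from the thread): pfSense LAN address 192.168.1.1, Squid on
// its default port 3128, LAN subnet 192.168.1.0/24, default domain "localdomain".
var PFSENSE_LAN_IP = "192.168.1.1";
var SQUID_PORT = 3128;
var PROXY = "PROXY " + PFSENSE_LAN_IP + ":" + SQUID_PORT;

// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; these minimal
// versions let the file be exercised outside a browser (isInNet here accepts only
// dotted-quad addresses, whereas a browser would first resolve a hostname).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(s) {
  var parts = s.split("."), n = 0, i;
  if (parts.length !== 4) return null;
  for (i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, net, mask) {
  var ip = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (ip === null || n === null || m === null) return false;
  return ((ip ^ n) & m) === 0; // bitwise ops work modulo 2^32, so high bits are safe
}

function FindProxyForURL(url, host) {
  // pfSense itself, bare hostnames and other LAN hosts are reached directly;
  // everything else goes to Squid. There is deliberately no "; DIRECT" fallback:
  // with the LAN rule blocking TCP 80/443 it would fail anyway, and omitting it
  // stops the browser from silently bypassing the proxy when Squid is down.
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".localdomain")) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  return PROXY;
}
```

Pair it with the DNS and DHCP entries KOM mentions so clients find the file, and with the LAN rule blocking direct TCP 80/443 so that turning off the browser setting only takes away web access.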
                        nvdstruis
                        last edited by Dec 4, 2016, 11:22 AM

                        Thanks for all your answers.
                        I have a better understanding now and see your suggestions as the best solution.
