@terdexx89 said in pfsense : forward all LAN traffic to a proxy:

android phone connected to a proxy and make a vpn connection

Ok I'm a bit confused - are you saying your phone can not connect to this vpn connection unless it bounces off this proxy?

If pfsense can make a vpn connection to where your phone is connecting or any other vpn service on the internet, then you could route all clients behind pfsense through this vpn.. This is just a client vpn connection on pfsense and people do this all the time..

Pfsense does have the ability to use an upstream proxy, but I am not sure if it would then route its vpn connection through this proxy?

https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

I take it your goal is to use pfsense to route your device behind pfsense through the vpn connection? Which users do all the time. What I am confused about is the added proxy? My understanding of the upstream proxy feature of pfsense is so pfsense can access updates and packages. I am not clear on if you set this upstream proxy, and then setup a client vpn connection in pfsense if it would make that connection through the proxy.

But once pfsense has this vpn connection, it is quite simple to route devices behind pfsense through this vpn connection.

edit:
If you want your vpn client on pfsense to bounce off a proxy, those settings are in the vpn client setup

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-client.html#proxy-settings

@atxcoder you need a Web Application Firewall (WAF) to do that, pfsense FW rules block at the ip layer. x-real-ip is application layer. The traffic is allowed because it came from 10.0.10.4.

@ma0f97 Has no one an idea?

@rtw915 said in WAN optimization/acceleration:

Now the SQL team needs me to find a way to improve SQL linked server transfer rates to synchronize transactions.

This will bring you back to the initial wan accelerator solution.
The only other possible solution is to redesing the db subsystem, utilizing some way of sql replication, taking into consideration propagation delays

So you just need to redirect traffic to them in pfSense? You can just use port forwards for that. That's what Squid does if you set it to transparent mode.

Steve

@lucasll había puesto el IP y puerto del kerio en Advanced - Miscellaneus del pfsense pero ya encontré la solución. Mi DNS superior no resolvía las direcciones fuera de la VPN. Utilicé un repositorio alternativo que el DNS era capaz de resolver.

@norcarde A transparent proxy would solve your application problems, but they are a hassle to setup and can introduce their own problems.

@santi buen día. Ya revisé el log. Dónde obtuve la ip a la cual de está conectado, la agregue a la lista blanca, además, del puerto. Pero sigue sin funcionar .

@PiBa Good news, I got it to work! I did as you suggested and got a self signed certificate on the server using this guide. After that HAProxy is able to route traffic to the host. It even works with the Let's Encrypt wildcard cert I have through the ACME package, so there's no cert errors getting to the site. Thank you for the help again.

@jimp could you point me in the right direction how to setup so HAProxy on pfSense handels the certs ( not just getting them )

@juanmaximoti Como conseguiu liberar?

You can still do some filtering on HTTPS without the MITM. On E2 Guardian, I have multiple groups setup, some which have MITM enabled and some such as in your case that are for Guest Wi-Fi where I can't properly sneak in the CA. On Squid I believe this is referred to as Bump and Splice all.

For my guest Wi-Fi setups, I just use the non-MITM method. This is where the proxy is able to see the domain name without the resource path at the end in order to decide if a website should be let through or not. MITM would obviously allow the proxy to look at the entire URL with the resource path and make a informed decision as to whether or not to allow a website through. I prefer it way more than DNS level filtering as it's more flexible. You can set it up for specific users while others can browse those sites just fine.

If you've got sometime, I recommend you give E2 Guardian a shot. It worked out a lot better than Squid in my use case and it has the added benefit of actual phrase filtering.

If you just want to do DNS bases blacklisting you could take a look at pfBlockerNG.

How many hours of work... Seems like quite a few to me.. So unless you get lucky and someone writes it up for their own use and shares it. You have to provide enough incentive for someone to do all the work.

$100 at best at best cover an hour worth of work - this is clearly more than 1 hour to implement, etc.