Netgate Discussion Forum
Redirect rule all http traffic to squid

NAT
3 Posts 3 Posters 5.0k Views

firewire
last edited by Jun 9, 2016, 6:50 AM

    Hi

    I re-wrote here because I suppose this is the right place.

    I have a pfSense (2.2.6) box with Squid and SquidGuard.
    The pfSense firewall is configured in bridge mode. Squid is configured in NOT transparent mode because, with a bridge, Squid does not seem to work in transparent mode.

    With this configuration, traffic across the bridge is OK and, if I configure browsers with the proxy address, proxy and proxyguard work.

    Now I would like all traffic to the internet (http/https) to be intercepted and redirected to the (internal) proxy, without configuring the proxy address in browsers. From this post https://forum.pfsense.org/index.php?topic=3086.0 this seems possible, but with the following configuration it does not work.

    Follows my config:

    interfaces:
    bridge (ip=none)
    wan (ip=none)
    lan (ip=192.168.1.12, gw=192.168.1.1)

    proxy interface=lan

    nat outbound=AON

    firewall rules and forwards as attached

    I'm not sure about the firewall/nat rules, or, perhaps, it is not possible?

    Thanks in advance for help
    Attachments: Selezione_377.png, Selezione_378.png, Selezione_380.png, Selezione_381.png, Selezione_382.png

    Nachtfalke
    last edited by Jun 9, 2016, 6:13 PM

      Hi,

      I am not sure if this scenario will work. Never used pfsense in bridge mode.

      First thing - your firewall rules.
      When you allow port 80 - 443 this means all ports between 80 and 443 (80, 81, 82, 83, … 440, 441, 442, 443). I think this is not what you intend. Same with 3128.
      So I would suggest creating one firewall rule - like you did on "Floating" with IPv4 + IPv4 "any to any". Make sure that "quick rule" is selected in the floating rule.

      No other rules on LAN are necessary if you have a floating rule listening on LAN.

      The NAT topic.

      Assuming your squid is running on 3128 + 3129 ports you can try:
      Source: any
      Destination any
      Dport: 80
      redirect IP: 192.168.1.12
      redirect port 3128

      and
      Source: any
      Destination any
      Dport: 443
      redirect IP: 192.168.1.12
      redirect port 3129

      If this is not working then try with such a NAT rule:
      Source: any
      Destination any
      Dport: 80
      redirect IP: 127.0.0.1
      redirect port 3128

      and

      Source: any
      Destination any
      Dport: 443
      redirect IP: 127.0.0.1
      redirect port 3129

      For these NAT rules your squid proxy must be configured for localhost as listening interface. In general for both options I would configure squid for LAN+localhost as Interface.
      Further, make sure to DISABLE "Bypass Proxy for private address space". If you later need to bypass the proxy for some special IPs then add these IPs to the "bypass destination" or "bypass source" field.

      PS:
      Enable logging on all rules (LAN, NAT) to have a look if your rulebase matches your traffic.

      PPS:
      If this should work and squid is working then you can start to try if it is possible to tighten your floating rule.

      Good Luck!

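For reference, the rule set Nachtfalke describes, written out as the equivalent pf.conf syntax so the port-range pitfall and the two redirect variants are visible side by side. This is an added illustration, not from the thread or from pfSense's generated ruleset; pfSense builds its own rules from the GUI. The LAN interface name em1 is assumed; the proxy address and ports come from the posts.

```pf
# Added example: pf rules equivalent to the GUI settings discussed above.
lan_if = "em1"            # assumed LAN interface name
proxy  = "192.168.1.12"   # pfSense LAN address from the OP's post

# --- Pitfall from the thread: a port RANGE, not two ports --------------
# "80 - 443" in the GUI becomes a range and matches every port from 80
# through 443 (364 ports), far wider than intended:
#   pass in quick on $lan_if inet proto tcp from any to any port 80:443
#
# A set of two discrete ports is what "80 and 443" usually means. "quick"
# stops evaluation at this rule; "log" records matches so the rulebase
# can be checked against real traffic, as suggested in the PS above.
pass in quick log on $lan_if inet proto tcp from any to any port { 80 443 } \
    flags S/SA keep state label "web to proxy"

# --- NAT redirects (Firewall > NAT > Port Forward in the GUI) ----------
# Option 1: redirect to the LAN address Squid listens on.
rdr pass log on $lan_if inet proto tcp from any to any port 80  -> $proxy port 3128
rdr pass log on $lan_if inet proto tcp from any to any port 443 -> $proxy port 3129

# Option 2 (if option 1 does not match): redirect to loopback. Squid must
# then also be bound to 127.0.0.1 (LAN + localhost as listening interface).
# rdr pass log on $lan_if inet proto tcp from any to any port 80  -> 127.0.0.1 port 3128
# rdr pass log on $lan_if inet proto tcp from any to any port 443 -> 127.0.0.1 port 3129
```

Compare the generated rules with `pfctl -sn` (NAT) and `pfctl -sr` (filter) on the box to confirm the GUI produced discrete ports rather than a range.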
        doktornotor
        last edited by Dec 16, 2016, 2:34 PM

        @firewire:

        Squid is configured in NOT transparent mode, because, with bridge, Squid seems that does not work in Transparent mode.

        In case the OP is still alive, see this (Comment #5) https://redmine.pfsense.org/issues/1620#note-5 ; test with that line modified accordingly and report back. (Needs to be tested with 2.3.x, no one will ever fix anything for 2.2.x and the PBI crap.)


        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.