Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid NAT Rule Same Interface

    Scheduled Pinned Locked Moved
    NAT
    1
    2
    4.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rsw686
      last edited by

      I have a squid transparent proxy sitting on the LAN interface. I know I can make this work if I set squid on OPT1, but I would perfer it on the LAN interface. I have squid and a couple other servers running inside VMware Server and would do not want to add nic cards to the box.

      I created a NAT rule as follows:

      interface: lan
      external address: any
      protocol: tcp
      external port range: 80
      nat ip: 10.10.1.19 (squid ip)
      local port: 3128

      The problem is theres no way to specify the external address as not the squid ip. So I'm assuming its just generating a loop. Is there any way around this.

      I have used monowall before I know I can add a rule by hand using the following on the exec.php page. I tried this in pfsense but it doesn't work. Is there a way to do this?

      echo 'rdr fxp1 ! from 10.10.1.19/32 to 0.0.0.0/0 port = 80 -> 10.10.1.19 port 3128 tcp' | ipnat -f-

      1 Reply Last reply Reply Quote 0
      • R
        rsw686
        last edited by

        I gave up getting it to work. What I did was set the dhcp server gateway in pfsense to point to the squid box. Then I just enabled ipv4 fowarding and created two iptables rules. Yes this puts all dhcp clients no matter what protocol or port through the squid box, but the performance hit is neglibile and will be outweighed by the caching effect. Especially for google maps and live.local virtual earth. All servers still point to the pfsense box as their default gateway.

        If anybody wants to duplicate … I'm running fedora core 4, squid setup in transparent proxy mode.

        Add/change the following line in /etc/sysctl.conf to enable ip forwarding.

        net.ipv4.ip_forward = 1

        Then just add the following iptables rules to /etc/rc.local

        iptables -A FORWARD -j ACCEPT
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

        The first rule says to accept and forward all traffic received to the default gateway (pfsense) otherwise aim, mail clients, etc wouldn't work. The second intercepts the http traffic and sends it to squid on the default port of 3128.

        I also use the following script so I can make changes to squid and restart it without end users seeing.

        echo "Stopping Squid Traffic Redireect"
        iptables -t nat -F PREROUTING

        service squid restart

        echo "Redirecting Traffic To Squid"
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

        This just clears the iptables then reinstates the rule after squid restarts. You can make modifications of this to stop squid, etc.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post