Netgate Discussion Forum
    Transparent proxy not working as expected

    Cache/Proxy
      nvdstruis last edited by

      Hello all,

      I hope someone can help me out, because I've tried for over a full day. I tried all hints to solutions to this issue, but none worked.
      I installed pfsense on dedicated hardware and want to use it as a wireless AP and proxy. I have the AP working correctly. I verified that websites I added to squid's blacklist box in pfsense are indeed blocked by squid when I explicitly set the proxy in the browser.
      Unfortunately, when I do not specify the proxy in the browser and instead turn on transparent proxying in pfsense, it seems squid is bypassed altogether, i.e. the blocked website gets loaded.

      I tried all sorts of things, like e.g. adding port forwarding with a NAT rule, but could not influence this behaviour.

      I am pretty lost here. Any suggestions?
      Thx

        nvdstruis last edited by

        I just verified that there are no new entries in the access log when in transparent mode. There are entries when I browse with the proxy server set in the browser.

          nvdstruis last edited by


            KOM last edited by

            Honestly, transparent is more trouble than it's worth because you have to distribute certificates to every single client that will use the proxy or they will get browser MitM warnings for every HTTPS page. Go explicit instead, and configure WPAD to allow your clients to auto-discover the proxy on their own.

            WPAD Autoconfigure for Squid

            Don't let the details scare you, it's just a DNS entry, a DHCP entry and a few text files on your pfSense box.

              nvdstruis last edited by

              Hi,

              Thanks for your answer.
              The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

              Isn't there any other way to do this? And why is pfsense's transparent setting not working anyway?

              Thx

                nvdstruis last edited by

                What I suppose is a solution is to add a NAT rule in pfsense to redirect all HTTP traffic to 127.0.0.1:3128. For some reason, this does not work.

                Any suggestions?

                  doktornotor Banned last edited by

                  @nvdstruis:

                  What I suppose is a solution is to add a NAT rule in pfsense to redirect all HTTP traffic to 127.0.0.1:3128. For some reason, this does not work.

                  Any suggestions?

                  This is already done by the package when you set up transparent proxy, kindly see https://github.com/pfsense/FreeBSD-ports/blob/RELENG_2_3_2/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L2137

                    nvdstruis last edited by

                    Thx. Ok, so that's why manually doing that didn't change anything for the better…
                    But why doesn't that work???

                      chris4916 last edited by

                      @nvdstruis:

                      The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

                      Not if direct access is not authorized through your FW ;)
                      Furthermore, the goal is not to configure it on the browser but just to ensure the browser is using Web Proxy Auto-Discovery (WPAD).
                      WPAD will tell the proxy where to find proxy.pac, and proxy.pac will configure the browser (transparently) on your behalf.

                      And if user changes this configuration, browser side, (s)he will not get access to internet  :P

                      Jah Olela Wembo: Words turn into wounds when they offend, attack or hurt.

                        KOM last edited by

                        The problem is that I want to force clients (i.e. children) to use the proxy. If I need a browser setting, they would probably figure out how to turn it off.

                        Which is why you have a rule on LAN that blocks TCP 80,443 so that they must use the proxy or else they don't get web access.

                        You can feel free to struggle with transparent mode, or you can take our suggestions and get it working.

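The two pieces the thread converges on are a WPAD-served proxy.pac that points every browser at squid, plus a LAN firewall rule blocking TCP 80/443 so that a client that disables the proxy setting gets no web access at all. The PAC file below is an added example written for this thread; it is not code from pfSense, squid, the linked WPAD guide or any poster. It assumes the LAN is 192.168.1.0/24 and that squid listens on the pfSense LAN address 192.168.1.1:3128 (the thread only names 127.0.0.1:3128, which is the firewall's own loopback and not reachable by a client). The isPlainHostName() and isInNet() helpers are normally supplied by the browser's PAC engine; they are re-implemented here only so the file can be run under node for testing.

```javascript
// proxy.pac: handed to every browser via WPAD. All web traffic goes through
// the squid instance on the pfSense box; only local destinations go DIRECT.
// Added example, not code from pfSense, squid or any poster in the thread.
var SQUID = "PROXY 192.168.1.1:3128";    // ASSUMED: squid on the pfSense LAN address
var LAN_NET = "192.168.1.0";             // ASSUMED: LAN subnet
var LAN_MASK = "255.255.255.0";          // ASSUMED: LAN netmask

// ---- Stand-ins for PAC helpers -----------------------------------------
// A browser's PAC engine provides isPlainHostName() and isInNet() itself and
// will shadow these; they exist only so the file runs under node for tests.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  // dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce(function (acc, octet) {
    return (acc * 256) + parseInt(octet, 10);
  }, 0);
}

function isInNet(host, pattern, mask) {
  // Literal IPv4 addresses only; a real browser resolves hostnames first.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// ---- The entry point the browser calls for every request ---------------
function FindProxyForURL(url, host) {
  // Local destinations bypass the proxy: unqualified names, the browser's
  // own host, loopback, and anything inside the LAN subnet.
  if (isPlainHostName(host) ||
      host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else must go through squid. Deliberately no "; DIRECT"
  // fallback: together with the LAN rule that blocks TCP 80/443, a browser
  // whose proxy setting has been switched off simply loses web access
  // instead of silently bypassing the filter.
  return SQUID;
}

// Quick self-check when run directly with node (a browser never reaches this).
if (typeof module !== "undefined" && require.main === module) {
  ["example.com", "intranet", "192.168.1.50", "10.0.0.5"].forEach(function (h) {
    console.log(h + " -> " + FindProxyForURL("http://" + h + "/", h));
  });
}
```

Serve this file from the pfSense web server under the name the linked guide uses and publish its URL through the DNS and DHCP entries the guide describes; the LAN block rule is what turns "the browser is configured to use the proxy" into "the browser cannot get out without the proxy", which is the enforcement the original poster was looking for from transparent mode.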
                          nvdstruis last edited by

                          Thanks for all your answers.
                          I have a better understanding now and see your suggestions as the best solution.
