PacketFilter fails to redirect to self on bridge



  • Hello,

    I think that I have found a bug in pfSense deployment. When input and output interfaces are members of a bridge, then the attached rules do not work on pfSense 2.3.2 (same on 2.3.2-p1). The same rules work on FreeBSD 10.3, even with the bridged interfaces. Can you help me understand why it is so? I would expect that pfSense should handle them the same way FreeBSD does.

    The set of rules that works on FreeBSD is:

    set block-policy return
    rdr log on fxp0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
    pass in quick log on fxp0 route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
    pass in log
    pass out keep state

    We have encountered a problem while setting up a Transparent Squid Proxy on a pfSense configured to be a bridge (not a router, you might refer to the attached configuration file). The Transparent Squid does not work in such a configuration. There are already threads on this forum from people who also found this issue, but no solutions unfortunately (like these below):
    https://forum.pfsense.org/index.php?topic=112743.msg627578#msg627578
    https://forum.pfsense.org/index.php?topic=113297.msg630101#msg630101

    While investigating the issue I found out that enabling Transparent Proxy adds the same firewall rule (pfctl -s nat) regardless of whether the interface is a bridge member or not. Apparently for this kind of redirection on a bridge member FreeBSD PacketFilter needs an additional pass … route-to rule. Unfortunately adding this missing rule does not help. When the client sends a request, the packet matches the rule and disappears. No trace of it in pflog, no reply (despite the return policy). The connection state is CLOSED:SYN_SENT.

    My team really needs a pfSense to work as a transparent proxy bridge. It is so important for us that I've been trying to fix that for over 3 weeks already and I've engaged 4 other pfsense administrators to help. Unfortunately they couldn't figure it out either. They ended up saying "It should work, but it's not and I don't know why".

    I think that it's a small specific detail that prevents this feature from being active.

    Can anyone help me to set this up? Or maybe you can find and repair this pfsense bug?

    To check yourself, configure a bridge interface with at least 2 member interfaces, then connect the first one of them to the Gateway and a user to the other. Squid should be configured to work as a Transparent Proxy on the second interface. Then you might try replacing the rules with the attached ones: pfctl -f rules.txt

    Thank you for any help.

    Peter
    tmp_21340-config-pfSense.localdomain1990531950.txt
    tmp_21340-rules-1136343793.txt
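    The symptom described above (redirected connections that match the rdr rule and then sit in CLOSED:SYN_SENT) can be spotted quickly from pfctl state output. The script below is an added example, not part of the original post or of pfSense/Squid: it parses lines in the layout printed by `pfctl -s states` and counts states redirected to the proxy port that never completed the handshake, per client. The sample state lines and the addresses in them are constructed for the example; on a real box you would feed it the actual `pfctl -ss` output.

```python
"""Flag redirected (rdr) pf states stuck before the TCP handshake completes.

Input is text in the layout of `pfctl -s states`, e.g.
  all tcp 127.0.0.1:3128 (203.0.113.10:80) <- 192.168.1.10:51234   CLOSED:SYN_SENT
  fxp0 tcp 192.168.1.10:51300 -> 198.51.100.5:443                  ESTABLISHED:ESTABLISHED
The parenthesised address on an inbound state is the original (pre-rdr) destination.
"""
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (example data, not from the thread).
SAMPLE_STATES = """\
all tcp 127.0.0.1:3128 (203.0.113.10:80) <- 192.168.1.10:51234       CLOSED:SYN_SENT
all tcp 127.0.0.1:3128 (203.0.113.11:80) <- 192.168.1.11:51235       CLOSED:SYN_SENT
all tcp 127.0.0.1:3128 (203.0.113.12:80) <- 192.168.1.10:51240       ESTABLISHED:ESTABLISHED
fxp0 tcp 192.168.1.10:51300 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
fxp0 udp 192.168.1.10:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
"""

# interface, protocol, first endpoint, optional "(original endpoint)", direction,
# second endpoint, then the "src_state:dst_state" pair.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<first>\S+)\s+"
    r"(?:\((?P<orig>[^)]+)\)\s+)?"
    r"(?P<dir><-|->)\s+(?P<second>\S+)\s+"
    r"(?P<state>\S+)$"
)


def _port(endpoint):
    """Port of an 'addr:port' endpoint (works for bracketed IPv6 too)."""
    return int(endpoint.rsplit(":", 1)[1])


def parse_states(text):
    """Parse pfctl state lines into dicts; lines in another layout are skipped."""
    states = []
    for line in text.splitlines():
        line = line.strip()
        m = STATE_RE.match(line) if line else None
        if not m:
            continue
        s = m.groupdict()
        s["first_port"] = _port(s["first"])
        states.append(s)
    return states


def half_open_redirects(text, rdr_port=3128):
    """States that were redirected (have an original destination) to rdr_port
    and whose client side is stuck in CLOSED:SYN_SENT."""
    return [
        s for s in parse_states(text)
        if s["orig"] and s["first_port"] == rdr_port
        and s["state"] == "CLOSED:SYN_SENT"
    ]


def summarize(text, rdr_port=3128):
    """Count stuck redirected states and group them by client address."""
    stuck = half_open_redirects(text, rdr_port)
    clients = Counter(s["second"].rsplit(":", 1)[0] for s in stuck)
    return {"stuck": len(stuck), "clients": dict(clients)}


if __name__ == "__main__":
    # Usage on a live system: pfctl -ss | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    print(summarize(data))
```

    A non-zero "stuck" count while ESTABLISHED states exist for the same port (as in the third sample line) narrows the fault to the redirected path rather than to Squid itself, which matches the "Squid works when set manually in the browser" observation elsewhere in this thread.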



  • So it looks like the problem is 5-years old.

    Because I want to solve it, it would be good to know what the level of development difficulty is here. Please answer my few questions:
    1. Is this problem so complex to solve from a programming perspective, or is it just a low-priority issue?
    2. If you were to start working on it, in which pfsense files would you start looking for the possible place of error? Any advice?
    3. Maybe there is someone who can help me directly with solving that? From the pfsense team or not? Together we can solve this problem much faster :)

    Thanks
    Peter


  • See the last comment on the linked bug. Unable to provide any more hints than what's already stated there; all the rules are created by function squid_generate_rules() in squid.inc



  • Hi everyone

    I've similar problems when activating the transparent proxy setting in squid3 on pfsense 2.3.2 amd64. The forwarding of port 80 to the squid interface won't work. If I manually add them in the browser settings it's working. So squid is running.
    I've tried adding a port forwarding rule but with the same result. Connection got terminated.

    The only difference is I don't even use a bridge :o

