    Netgate Discussion Forum

    PacketFilter fails to redirect to self on bridge

    Cache/Proxy
    wiertel

      Hello,

      I think that I have found a bug in the pfSense deployment. When the input and output interfaces are members of a bridge, the attached rules do not work on pfSense 2.3.2 (same on 2.3.2-p1). The same rules work on FreeBSD 10.3, even with bridged interfaces. Can you help me understand why this is so? I would expect pfSense to handle them the same way FreeBSD does.

      The set of rules that works on FreeBSD is:

      set block-policy return
      rdr log on fxp0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
      pass in quick log on fxp0 route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
      pass in log
      pass out keep state

      We have encountered a problem while setting up a Transparent Squid Proxy on a pfSense configured to be a bridge (not a router; you might refer to the attached configuration file). The Transparent Squid does not work in such a configuration. There are already threads on this forum from people who also found this issue, but no solutions unfortunately (like these below):
      https://forum.pfsense.org/index.php?topic=112743.msg627578#msg627578
      https://forum.pfsense.org/index.php?topic=113297.msg630101#msg630101

      While investigating the issue I found out that enabling Transparent Proxy adds the same firewall rule (pfctl -s nat) regardless of whether the interface is a bridge member or not. Apparently for this kind of redirection on a bridge member FreeBSD PacketFilter needs an additional pass … route-to rule. Unfortunately adding this missing rule does not help. When the client sends a request, the packet matches the rule and disappears. No trace of it in pflog, no reply (despite the return policy). The connection state is CLOSED:SYN_SENT.

      My team really needs pfSense to work as a transparent proxy bridge. It is so important for us that I've been trying to fix that for over 3 weeks already and I've engaged 4 other pfSense administrators to help. Unfortunately they couldn't figure it out either. They ended up saying "It should work, but it's not and I don't know why".

      I think that it's a small specific detail that prevents this feature from being active.

      Can anyone help me to set this up? Or maybe you can find and repair this pfSense bug?

      To check yourself, configure a bridge interface with at least 2 member interfaces, then connect the first one of them to the gateway and a user to the other. Squid should be configured to work as a Transparent Proxy on the second interface. Then you might try replacing the rules with the attached ones: pfctl -f rules.txt

      Thank you for any help.

      Peter
      tmp_21340-config-pfSense.localdomain1990531950.txt
      tmp_21340-rules-1136343793.txt
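      The symptom described above (redirected connections that never leave CLOSED:SYN_SENT) can be picked out of `pfctl -s state` output mechanically. The following is an added example, not code from the original post or from pfSense; the state lines are constructed in the shape FreeBSD's pfctl prints for rdr-translated TCP states, and the proxy port 3128 is taken from the rules above.

```python
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `pfctl -s state` on FreeBSD.
# An rdr-translated state is printed as: dst <- original-dst <- src STATE
SAMPLE_STATES = """\
all tcp 127.0.0.1:3128 <- 203.0.113.10:80 <- 192.168.1.20:50512       CLOSED:SYN_SENT
all tcp 127.0.0.1:3128 <- 203.0.113.11:80 <- 192.168.1.21:50600       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.22:50700 -> 203.0.113.12:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.20:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
"""


@dataclass
class PfState:
    iface: str
    proto: str
    endpoints: list   # address:port tokens in the order pfctl prints them
    redirected: bool  # True when a '<-' chain (rdr translation) is present
    state: str        # e.g. "CLOSED:SYN_SENT" (our side : peer side)


def parse_state_line(line):
    """Parse one pfctl state line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 5 or ':' not in parts[-1]:
        return None
    iface, proto, state = parts[0], parts[1], parts[-1]
    endpoints = [p for p in parts[2:-1] if p not in ('<-', '->')]
    return PfState(iface, proto, endpoints, '<-' in parts, state)


def parse_states(text):
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def stuck_redirects(text, proxy_port=3128):
    """Redirected TCP states aimed at the proxy port that never got past SYN."""
    stuck = []
    for s in parse_states(text):
        if s.proto != 'tcp' or not s.redirected:
            continue
        if not s.endpoints[0].endswith(':%d' % proxy_port):
            continue
        if s.state.endswith(':SYN_SENT'):
            stuck.append(s)
    return stuck


if __name__ == '__main__':
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for s in stuck_redirects(text):
        print('stuck rdr: client %s -> %s (%s)' % (s.endpoints[-1], s.endpoints[1], s.state))
```

      Pipe the real output in with `pfctl -s state | python3 check_rdr.py` on the firewall; with no input it runs on the constructed sample.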

      doktornotor

        https://redmine.pfsense.org/issues/1620

        Patches welcome. :P

          wiertel

          So it looks like the problem is 5 years old.

          Because I want to solve it, it would be good to know what the level of development difficulty is here. Please answer my few questions:
          1. Is this problem so complex to solve from a programming perspective, or is it just a low-priority issue?
          2. If you were to start working on it, in which pfSense files would you start looking for the possible place of the error? Any advice?
          3. Maybe there is someone who can help me directly with solving this? From the pfSense team or not? Together we can solve this problem much faster :)

          Thanks
          Peter

            doktornotor

            See the last comment on the linked bug. Unable to provide any more hints than what's already stated there; all the rules are created by the function squid_generate_rules() in squid.inc.

              sirwtf

              Hi everyone

              I've had similar problems when activating the transparent proxy setting in squid3 on pfSense 2.3.2 amd64. The forwarding of port 80 to the squid interface won't work. If I manually add it in the browser settings it's working, so squid is running.
              I've tried adding a port forwarding rule, but with the same result: the connection gets terminated.

              The only difference is I don't even use a bridge :o
