Setting up pfSense in bridge mode with two NICs
-
Hi everyone.
I am wondering if you guys have a similar setup to mine and if perhaps you can offer some advice or share some gotchas/tips for my setup.
I have set up and got up and running (although I think it needs tweaking) pfSense with SquidGuard/Squid in bridge mode. At this time I have turned off the firewall, as I have another physical device in front of pfSense.
In Squid and SquidGuard / Snort, I have bound the LAN/WAN interfaces as listening devices, so I am seeing a lot of chatter.
Is this the correct set of bindings for Snort / the proxy to work? Should I just bind one interface to the services?
Any tweaks or hot tips any of you guys wish to share for a similar setup?
---Users---> [LAN SWITCH] ---> LAN pfSense [--SQUID--] WAN pfSense ---------> Firewall
Thanks again.
-
No one? :(
-
How are you using Squid there? What mode is it in?
Generally you cannot use Squid in transparent mode when the firewall is also running transparently (bridged interfaces) as you have it.
Steve
-
Hi there.
Thanks for the reply.
The firewall is turned off. I have it set up in bridge mode with a transparent proxy.
---Users---> [LAN SWITCH] ---> LAN pfSense [--SQUID--] WAN pfSense ---------> Firewall
I am wondering if this is OK, and also which interfaces the proxy should bind to? Both LAN and WAN? How about Snort?
Thanks again.
-
As for the "firewall is turned off" part - then no, that will NEVER EVER work with transparent proxy. Because it is the firewall that is doing the transparent part.
As for the rest - as noted above, this kind of configuration never worked with Squid. If you want to get it working, move over here, hack, test, report back: https://redmine.pfsense.org/issues/1620#note-5
However, that requires the packet filter to be enabled on pfSense.
-
Give up on the bridge (why do you need it anyway?) if you want to have a transparent proxy; the two are mutually exclusive, because with such a bridge configuration there is no way for PF to intercept anything.
-
Interestingly enough, it's working right now. It is in transparent mode and it is intercepting and logging SSL traffic as well.
The one thing I have done that I forgot to mention is that I set up WPAD in both DNS and DHCP.
Traffic indeed is being logged and filtered by SquidGuard.
I thought that perhaps someone else had a similar setup. To respond to one of you guys on why I wanted to run a transparent proxy: this is due to the fact that I do not want to enter the proxy information on several PCs in the network. Additionally, for the road warriors (laptops) it would suck having to explain to the user the need to enable and disable proxy information in their browser whenever they are on or off the LAN network.
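What the poster actually has working is WPAD, not interception: the browser fetches a PAC script (from the `wpad` DNS name or the DHCP option 252 URL) and decides per request whether to use Squid. The script below is an added example written for this thread, not a file from the poster or from pfSense, showing how a PAC script handles exactly the road-warrior case described above: on the LAN, everything goes through Squid; off the LAN, the browser goes direct without the user touching any settings. The LAN range 192.168.1.0/24 and the Squid listener 192.168.1.1:3128 are constructed values; the `inSubnet`/`ipToInt` helpers stand in for the `isInNet()` a browser's PAC runtime normally provides, so the decision logic can be checked outside a browser.

```javascript
// Constructed values for this example: adjust to your own LAN and Squid listener.
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";
var SQUID = "PROXY 192.168.1.1:3128";

// Dotted-quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}

// Stand-in for the browser's isInNet(): true when ip falls inside network/mask.
function inSubnet(ip, network, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(network) & ipToInt(mask));
}

// Decision logic kept separate from FindProxyForURL so it can be tested with an
// explicit client address instead of the browser-supplied myIpAddress().
function chooseProxy(clientIp, host) {
  var isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

  // Plain hostnames and LAN addresses are local traffic: never send them to Squid.
  if (host.indexOf(".") === -1 || (isIpLiteral && inSubnet(host, LAN_NET, LAN_MASK))) {
    return "DIRECT";
  }

  // On the LAN: everything else goes via Squid. No "; DIRECT" fallback is appended,
  // so if Squid is down the browser fails closed instead of silently bypassing SquidGuard.
  if (inSubnet(clientIp, LAN_NET, LAN_MASK)) {
    return SQUID;
  }

  // Road warrior off the LAN: the proxy is unreachable, so go direct.
  return "DIRECT";
}

// Entry point the browser calls for every request; myIpAddress() is provided by the
// browser's PAC runtime, not defined here.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

Serve the file as `wpad.dat` with the `application/x-ns-proxy-autoconfig` MIME type. Two caveats a defender should keep in mind: WPAD only works for clients that honour it (anything that ignores proxy settings is not filtered at all), and whoever controls the `wpad` DNS name or the DHCP option controls where every browser sends its traffic, so both should be served only from your own pfSense box.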
-
Well huh… we definitely have a terminology mixup about what's transparent. No, transparent doesn't intercept anything when you turn off the firewall. WPAD/DNS is not transparent.
-
My apologies.
I thought that transparent mode meant the user not having to enter any proxy info in IE. My mistake.
I will do further reading and investigation as to which NIC I have to bind to the proxy. At this time, I am binding both of them, but in all reality it's my understanding that even if I just bind a single interface, both are being joined by the bridge anyhow. In essence, by selecting a single NIC in bridge mode, both are being seen as one by pfSense.
I am just trying to understand that.