Squid Transparent Proxy in Linux + pfSense Firewall (Help)



  • Hey there,

    First of all, sorry if this isn't exclusively related to pfSense but I'm pulling my hair at this point.

    Here's my setup:

    Proxmox Server containing:

    • pfSense KVM (Firewall + NAT) working fine as is no issue on that.

    • Debian LXC (squid for caching)

    I don't want to use squid within pfSense because pfSense has a limitation where squid can't work with gateway groups (which are fundamental for my setup).

    I created a network interface in pfSense called SQUID that has an IP address of 192.168.5.1/30 which runs on its own VLAN, VLAN3. The squid LXC in Proxmox has a network adapter on VLAN3 with IP address 192.168.5.2/30 and gateway 192.168.5.1.

    I created a firewall rule on SQUID interface which allows SQUID_net to any through my specified gateway group.

    I created a firewall rule on LAN interface which allows LAN_net to SQUID_net.

    Everything is cool so far. squid has internet access. LAN has access to squid.

    Now in my squid LXC vm:

    sudo apt update && sudo apt install squid3

    I edited /etc/squid3/squid.conf

    Changed #http_access deny all to http_access allow all

    Changed http_port 3128 to http_port 3128 transparent

    sudo service squid3 restart

    In pfSense:

    In NAT portforwarding I added this:

    Interface: LAN

    Source: LAN_net
    Source port: any

    Destination: any
    Destination port: 80

    Redirect IP: 192.168.5.2 (squid)
    Redirect port: 3128

    Right now I expect that http requests from my LAN clients (192.168.3.0/24) should be redirected to squid (192.168.5.2) on squid's port (3128).

    However, what I get when I try to access http websites on my LAN is an error message in Chrome: "ERR_EMPTY_RESPONSE".

    It is confirmed that pfSense is doing what it's supposed to do in forwarding the ports. The only issue as I see it is a misconfiguration on squid's side.

    Any help is highly appreciated.
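    A small checker for the two squid.conf edits described in the post above (`http_access allow all` and `http_port 3128 transparent`), written as an added example for this thread; it is not the poster's file and not Squid's own code, and it assumes the LAN subnet 192.168.3.0/24 from the post plus a constructed sample config.

    ```python
    # Added example for this thread: a checker for the two squid.conf edits
    # the post describes (http_access allow all, http_port 3128 transparent).
    # Not the poster's file and not Squid's own code; the config below is a
    # constructed sample that reproduces those two lines with Squid's defaults.

    SAMPLE_SQUID_CONF = """\
    acl SSL_ports port 443
    acl Safe_ports port 80
    http_access deny !Safe_ports
    http_access allow all
    http_port 3128 transparent
    """

    LAN_NET = "192.168.3.0/24"  # the LAN subnet given in the post


    def parse_directives(conf_text):
        """Return (directive, args) pairs, dropping blank lines and # comments."""
        directives = []
        for raw in conf_text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                name, *args = line.split()
                directives.append((name, args))
        return directives


    def check_squid_conf(conf_text, lan_net=LAN_NET):
        """Flag settings worth tightening before this proxy goes live."""
        findings = []
        for name, args in parse_directives(conf_text):
            if name == "http_access" and args == ["allow", "all"]:
                findings.append(
                    "http_access allow all: every host able to reach port 3128 can relay "
                    f"through this proxy; prefer 'acl lan src {lan_net}', "
                    "'http_access allow lan' and a final 'http_access deny all'")
            elif name == "http_port":
                modes = set(args[1:])
                if "transparent" in modes:
                    findings.append(
                        "http_port transparent: 'transparent' is the older name for "
                        "'intercept' on Squid 3.x; an intercept port is meant only for "
                        "NAT-redirected traffic, so keep a separate plain http_port for "
                        "browsers that are configured to use the proxy explicitly")
        return findings


    if __name__ == "__main__":
        for finding in check_squid_conf(SAMPLE_SQUID_CONF):
            print("-", finding)
    ```

    Run it against a copy of your own squid.conf by passing its contents to check_squid_conf.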



  • @mzarrugh:

    Hey there,

    First of all, sorry if this isn't exclusively related to pfSense but I'm pulling my hair at this point.

    Here's my setup:

    Proxmox Server containing:

    • pfSense KVM (Firewall + NAT) working fine as is no issue on that.

    • Debian LXC (squid for caching)

    I don't want to use squid within pfSense because pfSense has a limitation where squid can't work with gateway groups (which are fundamental for my setup).

    I created a network interface in pfSense called SQUID that has an IP address of 192.168.5.1/30 which runs on its own VLAN, VLAN3. The squid LXC in Proxmox has a network adapter on VLAN3 with IP address 192.168.5.2/30 and gateway 192.168.5.1.

    I created a firewall rule on SQUID interface which allows SQUID_net to any through my specified gateway group.

    I created a firewall rule on LAN interface which allows LAN_net to SQUID_net.

    Everything is cool so far. squid has internet access. LAN has access to squid.

    Now in my squid LXC vm:

    sudo apt update && sudo apt install squid3

    I edited /etc/squid3/squid.conf

    Changed #http_access deny all to http_access allow all

    Changed http_port 3128 to http_port 3128 transparent

    sudo service squid3 restart

    In pfSense:

    In NAT portforwarding I added this:

    Interface: LAN

    Source: LAN_net
    Source port: any

    Destination: any
    Destination port: 80

    Redirect IP: 192.168.5.2 (squid)
    Redirect port: 3128

    Right now I expect that http requests from my LAN clients (192.168.3.0/24) should be redirected to squid (192.168.5.2) on squid's port (3128).

    However, what I get when I try to access http websites on my LAN is an error message in Chrome: "ERR_EMPTY_RESPONSE".

    It is confirmed that pfSense is doing what it's supposed to do in forwarding the ports. The only issue as I see it is a misconfiguration on squid's side.

    Any help is highly appreciated.

    In order not to start a new topic, I'm going to post here because I'm in the same situation but with some small differences.

    I installed pfSense 2.4.2 in VMware (ESXi) and I installed another VM with CentOS 7 and squid. I've set it up and it's running, but I cannot redirect all traffic going from LAN to the proxy.
    I want to mention that I have 2 subnets: LAN - 10.18.2.0/25 and DMZ - 192.168.4.0/24.
    The proxy server is inside the DMZ network and I'm trying to force all traffic from LAN to be redirected to the proxy host 192.168.4.3 on port 3128. I already tried this with a NAT rule but it's not working.

    I did the same rule:

    In NAT portforwarding I added this:

    Interface: LAN

    Source: LAN_net
    Source port: any

    Destination: any
    Destination port: 80

    Redirect IP: 192.168.4.3 (squid)
    Redirect port: 3128

    And this:

    Interface: LAN

    Source: LAN_net
    Source port: any

    Destination: any
    Destination port: 443

    Redirect IP: 192.168.4.3 (squid)
    Redirect port: 3128

    And this one for DNS:

    Interface: LAN

    Source: LAN_net
    Source port: any

    Destination: any
    Destination port: 53

    Redirect IP: 192.168.4.3 (squid)
    Redirect port: 3128

    I want all the hosts from LAN to be able to access everything only through the squid host, and the squid host is also running as NTP server, DNS forwarder and proxy. So I want all hosts to synchronize time only with the squid host, and only the squid host to be allowed on the internet on port 123 for NTP, 53 for DNS, 80 and 443.
    And as I wrote above, all traffic from LAN should be forced through the squid host, and in the LAN the clients should not be able to use another DNS server or NTP server. Can someone help me with the redirect rule? I was looking all over the forum and I tried different situations but it's not working … at this moment I can set up the proxy manually in the browser for LAN clients and it's working. I want to be able to make it work without adding the proxy server in the browser.

    Thank you, and maybe someone can help me.

    Regards,
    Dimostin



  • Can someone help me with the issue above?

    Thanks,
    Dimostin



  • Can someone help me?

    Regards,
    Dimostin