How to redirect port 80 traffic to my squid box



  • Hi all,

    I've read the following, but can't find such an option on my WRAP-based 1.2 setup…

    http://forum.pfsense.org/index.php/topic,10918.msg60720.html#msg60720

    So how will I have to set up the NAT rule to achieve this?

    Greetz
      Mircsicz



  • At Firewall: NAT: Port Forward: Edit, something like:

    Interface: Lan
    External address: any
    Protocol: TCP
    External Port Range: from HTTP to HTTP
    NAT IP: squid-box-IP-or-alias
    Local Port: 3128
    Description: Redirect local HTTP traffic to external squid

    didn't work?
    Since you are running an embedded version on a WRAP you cannot use a local squid, right?



  • I had it set up like this

    Interface: Lan
    External address: Interface Address
    Protocol: TCP
    External Port Range: from HTTP to ?
    NAT IP: squid-box-IP-or-alias
    Local Port: 3128

    but it didn't work…

    I'll check if it works when I'm back in the office, on Wednesday, and post it here...

    Greetz
    Mircsicz



  • According to the note when creating the rule you should set the "External address" to "any"

    External Port Range: from HTTP to ?
    can be read as  "from 80 to 80". It's not a range but a single port.

    IMHO the marks 'external' and 'local' are misleading here since it is the other way round, but anyway.

    If it doesn't work I'd try to revert those…



  • The way you described it, it didn't work…

    Can you be a bit more detailed about reverting?

    I'll make another try tonight!

    Greetz
    Mircsicz



  • I have no means of testing this.

    I would simply try this
    External Port Range: 3128 to 3128
    Local Port: 80

    Maybe this is handled the other way round, but I don't know. Sorry.



  • @jahonix: There's no reason to apologise, I'm very thankful that you take me by the hand while trying… ;-)

    Unfortunately it doesn't even work the other way...

    ATM there's no one in the office who doesn't have the proxy in his browser settings, but I'd prefer not to get any questions if we see a new employee...

    So I still have some hope to solve this!

    Greetz
    Mircsicz



  • I've done some testing using tcpdump:

    Client direct Inet connect:

    If   Proto  Ext. port range  NAT IP                      Int. port range
    LAN  TCP    80 (HTTP)        192.168.115.19 (ext.: any)  3128

    dump:
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:05:08.336890 arp who-has 192.168.115.24 tell 192.168.115.19
    22:05:08.336913 arp reply 192.168.115.24 is-at 00:0c:29:9b:aa:66
    22:05:08.337081 IP 192.168.115.19.3128 > 192.168.115.24.58197: S 631841885:631841885(0) ack 2735949398 win 5792 <mss 1460,sackOK,timestamp 620102202 234665413,nop,wscale 5>
    22:05:08.337101 IP 192.168.115.24.58197 > 192.168.115.19.3128: R 2735949398:2735949398(0) win 0
    22:05:11.330867 IP 192.168.115.19.3128 > 192.168.115.24.58197: S 678681117:678681117(0) ack 2735949398 win 5792 <mss 1460,sackOK,timestamp 620102951 234666163,nop,wscale 5>
    22:05:11.330890 IP 192.168.115.24.58197 > 192.168.115.19.3128: R 2735949398:2735949398(0) win 0
    22:05:13.334333 arp who-has 192.168.115.19 tell 192.168.115.24
    22:05:13.334419 arp reply 192.168.115.19 is-at 00:16:3e:0c:e5:aa
    22:05:15.472990 arp who-has 192.168.115.25 tell 192.168.115.19
    22:05:17.330964 IP 192.168.115.19.3128 > 192.168.115.24.58197: S 772437842:772437842(0) ack 2735949398 win 5792 <mss 1460,sackOK,timestamp 620104451 234667663,nop,wscale 5>
    22:05:17.330983 IP 192.168.115.24.58197 > 192.168.115.19.3128: R 2735949398:2735949398(0) win 0

    Client proxy connect:

    If   Proto  Ext. port range  NAT IP                      Int. port range
    LAN  TCP    80 (HTTP)        192.168.115.19 (ext.: any)  3128

    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:10:01.128790 arp who-has 192.168.115.19 tell 192.168.115.24
    22:10:01.129134 arp reply 192.168.115.19 is-at 00:16:3e:0c:e5:aa
    22:10:01.129163 IP 192.168.115.24.52079 > 192.168.115.19.3128: S 3041545880:3041545880(0) win 5840 <mss 1460,sackOK,timestamp 234738611 0,nop,wscale 6>
    22:10:01.129326 IP 192.168.115.19.3128 > 192.168.115.24.52079: S 933166760:933166760(0) ack 3041545881 win 5792 <mss 1460,sackOK,timestamp 620175400 234738611,nop,wscale 5>
    22:10:01.129363 IP 192.168.115.24.52079 > 192.168.115.19.3128: . ack 1 win 92 <nop,nop,timestamp 234738612 620175400>
    22:10:01.129909 IP 192.168.115.24.52079 > 192.168.115.19.3128: P 1:457(456) ack 1 win 92 <nop,nop,timestamp 234738612 620175400>
    22:10:01.130013 IP 192.168.115.19.3128 > 192.168.115.24.52079: . ack 457 win 215 <nop,nop,timestamp 620175400 234738612>
    22:10:01.131253 arp who-has 192.168.115.1 tell 192.168.115.19
    22:10:31.136499 IP 192.168.115.19.3128 > 192.168.115.24.52079: . 1:2897(2896) ack 457 win 215 <nop,nop,timestamp 620182902 234738612>
    22:10:31.136509 IP 192.168.115.24.52079 > 192.168.115.19.3128: . ack 2897 win 137 <nop,nop,timestamp 234746113 620182902>
    22:10:31.136568 IP 192.168.115.19.3128 > 192.168.115.24.52079: P 2897:4067(1170) ack 457 win 215 <nop,nop,timestamp 620182902 234746113>
    22:10:31.136573 IP 192.168.115.24.52079 > 192.168.115.19.3128: . ack 4067 win 182 <nop,nop,timestamp 234746113 620182902>
    22:10:31.136689 IP 192.168.115.19.3128 > 192.168.115.24.52079: F 4067:4067(0) ack 457 win 215 <nop,nop,timestamp 620182902 234746113>
    22:10:31.173028 IP 192.168.115.24.52079 > 192.168.115.19.3128: . ack 4068 win 182 <nop,nop,timestamp 234746123 620182902>
    22:10:35.388938 IP 192.168.115.24.52079 > 192.168.115.19.3128: F 457:457(0) ack 4068 win 182 <nop,nop,timestamp 234747176 620182902>
    22:10:35.389051 IP 192.168.115.19.3128 > 192.168.115.24.52079: . ack 458 win 215 <nop,nop,timestamp 620183965 234747176>
    22:10:38.716629 IP 192.168.115.24.52080 > 192.168.115.19.3128: S 3622402877:3622402877(0) win 5840 <mss 1460,sackOK,timestamp 234748008 0,nop,wscale 6>
    22:10:38.716743 IP 192.168.115.19.3128 > 192.168.115.24.52080: S 1529884998:1529884998(0) ack 3622402878 win 5792 <mss 1460,sackOK,timestamp 620184797 234748008,nop,wscale 5>
    22:10:38.716759 IP 192.168.115.24.52080 > 192.168.115.19.3128: . ack 1 win 92 <nop,nop,timestamp 234748008 620184797>
    22:10:38.717144 IP 192.168.115.24.52080 > 192.168.115.19.3128: P 1:444(443) ack 1 win 92 <nop,nop,timestamp 234748009 620184797>
    22:10:38.717256 IP 192.168.115.19.3128 > 192.168.115.24.52080: . ack 444 win 215 <nop,nop,timestamp 620184797 234748009>
    22:10:38.718340 IP 192.168.115.19.3128 > 192.168.115.24.52080: . 1:2897(2896) ack 444 win 215 <nop,nop,timestamp 620184797 234748009>
    22:10:38.718350 IP 192.168.115.24.52080 > 192.168.115.19.3128: . ack 2897 win 137 <nop,nop,timestamp 234748009 620184797>
    22:10:38.718354 IP 192.168.115.19.3128 > 192.168.115.24.52080: P 2897:3548(651) ack 444 win 215 <nop,nop,timestamp 620184797 234748009>
    22:10:38.718363 IP 192.168.115.24.52080 > 192.168.115.19.3128: . ack 3548 win 182 <nop,nop,timestamp 234748009 620184797>
    22:10:38.718457 IP 192.168.115.19.3128 > 192.168.115.24.52080: F 3548:3548(0) ack 444 win 215 <nop,nop,timestamp 620184797 234748009>
    22:10:38.757097 IP 192.168.115.24.52080 > 192.168.115.19.3128: . ack 3549 win 182 <nop,nop,timestamp 234748019 620184797>
    22:10:39.423574 IP 192.168.115.24.52080 > 192.168.115.19.3128: F 444:444(0) ack 3549 win 182 <nop,nop,timestamp 234748185 620184797>
    22:10:39.423696 IP 192.168.115.19.3128 > 192.168.115.24.52080: . ack 445 win 215 <nop,nop,timestamp 620184974 234748185>

    Which means to me that with a setting like this not even the proxy can contact the outside…

    Now I'll try the opposite settings:

    Client direct connect:

    If   Proto  Ext. port range  NAT IP                      Int. port range
    LAN  TCP    3128             192.168.115.19 (ext.: any)  80

    tcpdump -n host 192.168.115.19
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

    which doesn't bring a single packet to the proxy, or load the page...

    Client proxy connect:

    If   Proto  Ext. port range  NAT IP                      Int. port range
    LAN  TCP    3128             192.168.115.19 (ext.: any)  80

    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:18:14.196420 IP 192.168.115.24.56564 > 192.168.115.19.3128: S 2192800381:2192800381(0) win 5840 <mss 1460,sackOK,timestamp 234861877 0,nop,wscale 6>
    22:18:14.199637 arp who-has 192.168.115.24 tell 192.168.115.19
    22:18:14.199647 arp reply 192.168.115.24 is-at 00:0c:29:9b:aa:66
    22:18:14.199743 IP 192.168.115.19.3128 > 192.168.115.24.56564: S 76087213:76087213(0) ack 2192800382 win 5792 <mss 1460,sackOK,timestamp 620298666 234861877,nop,wscale 5>
    22:18:14.199761 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 1 win 92 <nop,nop,timestamp 234861878 620298666>
    22:18:14.200161 IP 192.168.115.24.56564 > 192.168.115.19.3128: P 1:491(490) ack 1 win 92 <nop,nop,timestamp 234861878 620298666>
    22:18:14.200241 IP 192.168.115.19.3128 > 192.168.115.24.56564: . ack 491 win 215 <nop,nop,timestamp 620298667 234861878>
    22:18:14.203577 arp who-has 192.168.115.1 tell 192.168.115.19
    22:18:14.649324 IP 192.168.115.19.3128 > 192.168.115.24.56564: P 1:702(701) ack 491 win 215 <nop,nop,timestamp 620298779 234861878>
    22:18:14.649344 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 702 win 114 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649428 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 702:3598(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649432 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 3598 win 159 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649481 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 3598:6494(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649484 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 6494 win 204 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649527 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 6494:7942(1448) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649530 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 7942 win 249 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649547 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 7942:9390(1448) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649550 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 9390 win 295 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649553 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 9390:12286(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649554 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 12286 win 340 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649603 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 12286:15182(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649608 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 15182 win 385 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649628 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 15182:16630(1448) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649632 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 16630 win 430 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649633 IP 192.168.115.19.3128 > 192.168.115.24.56564: P 16630:17086(456) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649636 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 17086 win 476 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649659 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 17086:19982(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649662 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 19982 win 521 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649664 IP 192.168.115.19.3128 > 192.168.115.24.56564: P 19982:21182(1200) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649667 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 21182 win 566 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649752 IP 192.168.115.19.3128 > 192.168.115.24.56564: . 21182:24078(2896) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649755 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 24078 win 611 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649757 IP 192.168.115.19.3128 > 192.168.115.24.56564: P 24078:25278(1200) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649760 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 25278 win 657 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649765 IP 192.168.115.19.3128 > 192.168.115.24.56564: P 25278:26331(1053) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.649767 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 26331 win 646 <nop,nop,timestamp 234861991 620298779>
    22:18:14.649921 IP 192.168.115.19.3128 > 192.168.115.24.56564: F 26331:26331(0) ack 491 win 215 <nop,nop,timestamp 620298779 234861991>
    22:18:14.688995 IP 192.168.115.24.56564 > 192.168.115.19.3128: . ack 26332 win 654 <nop,nop,timestamp 234862001 620298779>
    38 packets captured
    38 packets received by filter
    0 packets dropped by kernel

    This way the page is loaded....

    This tells me that the first rule works but also blocks or redirects port 80 traffic from the proxy to port 3128 on the proxy -> So I've built a loop!!!

    So all I need to know is how I can exclude my proxy host from the NAT rule...

    Hopefully one of you can give me this info!

    Greetz
    Mircsicz



  • I was assuming that the Squid box would be on a different IF/port and subnet.

    Which OS are your clients using?
    For Windows there are group policies that can set the proxy definition automatically…



  • Most of my clients are Macs and they are scriptable to use the proxy…



  • I probably would go this way and disable access on port 80 for all but the squid box.



  • That's what I did, but I'd prefer having it transparent. Especially the laptop users tend to forget to change to the office location and then try to surf with their default home DHCP location, which has no proxy set…

    That's why I still hope that someone out there knows how to set such a rule exclusion; as you have read in my post from last night, it works... All I need is a way to exclude the proxy from the NAT rule!!

    Greetz
    Mircsicz



  • Would be easy if the proxy could reside on the third WRAP interface with a different subnet.
    Then it's pure routing.
    Right now each packet reaches the WRAP, gets reflected to the Proxy and re-enters from there. Not too economical on resource limited hardware.

    Or use a full install on bigger hardware and install squid locally.

    Maybe someone else with deeper NAT knowledge comes up with a better idea!? …



  • Hmmm, actually you need a no-redirect rule stating not to redirect the IP of the squid box, or a rule that states redirect all but this IP.
    It seems for redirection this is not exposed in the GUI as it is for NAT.

    I will add this on my todo for 2.0.
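    The no-redirect rule described in the answer above, written out as a pf.conf fragment. This is an added illustration, not pfSense's own generated ruleset: the LAN interface name vr0 and the /24 LAN net are assumptions, and the proxy address is the one from the tcpdump post.

```pf
# Added example, not pfSense's generated rules. Assumed: LAN is vr0,
# the squid box is 192.168.115.19 (as in the tcpdump post), LAN is a /24.
lan_if   = "vr0"
lan_net  = "192.168.115.0/24"
squid_ip = "192.168.115.19"

# Looping version (what the GUI port forward produces on its own): the
# proxy's own outbound port 80 connections also enter on the LAN side, so
# they match too and are sent back to port 3128 on the proxy.
#   rdr on $lan_if proto tcp from $lan_net to any port 80 -> $squid_ip port 3128

# Fixed version: pf applies the first matching translation rule, so the
# exclusion for the proxy's source address must come before the redirect.
no rdr on $lan_if proto tcp from $squid_ip to any port 80
rdr on $lan_if proto tcp from $lan_net to any port 80 -> $squid_ip port 3128

# The redirected packets still need a filter rule that lets them reach
# the proxy port after translation.
pass in quick on $lan_if proto tcp from $lan_net to $squid_ip port 3128 keep state
```

    Check the loaded translation rules with `pfctl -s nat` and confirm the `no rdr` line is listed before the `rdr` line.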



  • @Jahonix: yeah, this would be a solution, but that would mean a lot of work for me; if I'd move the proxy to a new server subnet I'd like to move all the other servers to this subnet too, and I've ten different DomUs on my Sun Fire X4150.

    And to be honest I don't know how to do the routing in pfSense, I just migrated from IPcop… Apart from all my MacOS experience, this is one of my first BSDs!

    @ermal: That sounds really good, I'm looking forward to 2.0. Is there something like a roadmap?

    But I think, as not even 1.2.1 is out in the wild, I'd like to have a non-GUI solution to do this. Could you please describe how to achieve this by editing one of the config files via WebGUI or console!

    Looking forward to an answer...

    Greetz
    Mircsicz



