Squid transparent proxy doesn't work in Azure
-
Hello,
I've setup pfSense in Azure from the marketplace image:
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/netgate.pfsense-fw-vpn-router?tab=Overview
It is on a VM which has 2 NICs, one acting as WAN and the other as LAN (on which squid is listening). I installed the squid package and configured it as a normal proxy on port 3128, and I can use it as a proxy for VMs in other subnets just fine when I point the VM OS at the pfSense server through its proxy settings.
Then I created a routing table (UDR) on the client VM subnet and redirected all 0.0.0.0/0 (internet) traffic to the pfSense server; after removing the machine-wide proxy settings in the client VM I cannot open any website.
I can see that traffic still reaches the LAN interface, but squid is not forwarding the traffic to the internet… the proxy log shows nothing.
I even added the client IP to the unrestricted IPs in the ACS setup. I have not set up any NAT rules or done any additional steps, so pfSense is vanilla, just after installation from the marketplace offer.
I also noticed that the connection is stuck in SYN_SENT on https at the destination when trying transparent mode; however, I can telnet on both 80 and 443 to the destination server from cmd.
Here are settings from config file added from gui:
http_port 10.100.12.50:3128
http_port 127.0.0.1:3128 intercept
Worth mentioning: my WAN IP is 10.100.11.50 and LAN 10.100.12.50, so I don't use the public or ISP-provided one for WAN.
This also doesn't work when I remove the LAN NIC from the OS and run everything on WAN.
I wonder if anyone can suggest how I can go about investigating the issue, or shed more light on how transparent proxying works between pfSense and squid, as it seems that this is the problem.
This is the first time I'm working with squid and pfSense, so any help would be great.
squid -v:
Squid Cache: Version 3.5.26
Service Name: squid
This binary uses OpenSSL 1.0.1s-freebsd 1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html
pfsense:
2.3.4-RELEASE
OS:
FreeBSD <hostname> 10.3-RELEASE-p19 FreeBSD 10.3-RELEASE-p19 #1 76a12c4e6(RELENG_2_3_4): Thu Jun 1 09:22:27 CDT 2017 root@factory23-amd64-builder:/builder/factory-234/tmp/obj/builder/factory-234/tmp/FreeBSD-src/sys/pfSense amd64
Thanks
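One way to check the two things transparent mode depends on on the pfSense box itself, as an added example that is not part of this post or of the pfSense/squid packages: it parses `pfctl -s nat` and `sockstat -4 -l` output and reports, per port, whether the LAN interface has a redirect to the squid intercept listener and whether squid is actually bound there. The sample output below is constructed (the exact line format of those FreeBSD tools and the interface name `em1` are assumptions), so it runs offline; on a live system you would feed it the real command output. It also makes the HTTPS symptom concrete: the `intercept` listener only receives what the redirect rule sends to it, and in the sample only port 80 is redirected.

```python
import re

# Constructed sample of `pfctl -s nat` output (format is an assumption about the tool).
PFCTL_NAT_SAMPLE = """\
no rdr proto carp all
rdr pass on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 3128
"""

# Constructed sample of `sockstat -4 -l` output (format is an assumption about the tool).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      1234  12 tcp4   10.100.12.50:3128     *:*
squid    squid      1234  13 tcp4   127.0.0.1:3128        *:*
"""

# Matches an rdr rule: interface, destination port (number or service name), target ip:port.
RDR_RE = re.compile(
    r"^rdr\s+(?:pass\s+)?on\s+(?P<iface>\S+).*?\bproto\s+tcp\b.*?"
    r"\bport\s*=\s*(?P<dport>\w+)\s+->\s+(?P<target>[\d.]+)\s+port\s+(?P<tport>\d+)"
)
SERVICE_PORTS = {"http": 80, "https": 443}


def port_number(token):
    """pfctl prints well-known ports by service name; normalise to an integer."""
    return SERVICE_PORTS.get(token) or int(token)


def parse_redirects(pfctl_output):
    """Return (iface, dst_port, target_ip, target_port) for every rdr rule found."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append((m["iface"], port_number(m["dport"]), m["target"], int(m["tport"])))
    return rules


def listeners(sockstat_output):
    """Return the set of (ip, port) tcp4 sockets that are listening."""
    bound = set()
    for line in sockstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[4] == "tcp4":
            ip, port = fields[5].rsplit(":", 1)
            bound.add((ip, int(port)))
    return bound


def intercept_status(pfctl_output, sockstat_output, lan_iface, proxy_port=3128, ports=(80, 443)):
    """For each port, report whether it is redirected on lan_iface to a listening intercept socket."""
    redirects = parse_redirects(pfctl_output)
    bound = listeners(sockstat_output)
    status = {}
    for port in ports:
        hits = [r for r in redirects if r[0] == lan_iface and r[1] == port and r[3] == proxy_port]
        if not hits:
            status[port] = "no rdr rule"
        elif (hits[0][2], hits[0][3]) not in bound:
            status[port] = "rdr present but nothing listening on target"
        else:
            status[port] = "ok"
    return status


if __name__ == "__main__":
    for port, state in intercept_status(PFCTL_NAT_SAMPLE, SOCKSTAT_SAMPLE, "em1").items():
        print(f"port {port}: {state}")
```

If port 80 reports "no rdr rule" while traffic is visibly arriving on the LAN interface, the missing piece is the firewall redirect rather than squid itself; if it reports "ok" and the access log is still empty, the traffic is being forwarded past the redirect rule instead of hitting it.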
-
bump - anyone?
-
Can you show a diagram of your network setup (subnets etc. / where the NICs are located)? It may be helpful in debugging.
I actually had some issues before doing a UDR next hop to the Virtual Appliance when the LAN NIC/WAN NIC was in the same subnet as the machine you are forwarding.
I.e. forwarding your proxy to the LAN adapter when the LAN adapter is in the same subnet.
I ended up needing to do something like this:
NGFW_WAN Subnet 172.20.1.0/24 (wan adapter here @ 172.20.1.4)
NGFW_LAN Subnet 172.20.2.0/24 (lan adapter here @ 172.20.2.4)
LAN Subnet 172.20.22.0/24
UDR for LAN subnet: 0.0.0.0/0 next hop 172.20.2.4
UDR for NGFW_LAN: 0.0.0.0/0 next hop 172.20.1.4
-
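The layout in the reply above, modelled as an added example that is not part of the reply or of any Azure tooling: it encodes the three subnets, the two appliance NICs and the two UDRs, flags a default route whose next hop sits inside the very subnet the route table is attached to (the situation the reply says gave trouble), and traces the path a packet from the client subnet takes hop by hop. The subnet and route values are the reply's; the check rules and the function names are my own.

```python
from ipaddress import ip_address, ip_network

# Subnets from the reply above (constructed model of that layout).
SUBNETS = {
    "NGFW_WAN": ip_network("172.20.1.0/24"),
    "NGFW_LAN": ip_network("172.20.2.0/24"),
    "LAN": ip_network("172.20.22.0/24"),
}
# Appliance NIC addresses from the reply.
APPLIANCE_NICS = {"wan": ip_address("172.20.1.4"), "lan": ip_address("172.20.2.4")}
# UDRs: subnet the route table is attached to -> list of (prefix, next hop).
ROUTES = {
    "LAN": [("0.0.0.0/0", "172.20.2.4")],
    "NGFW_LAN": [("0.0.0.0/0", "172.20.1.4")],
}


def subnet_of(subnets, ip):
    """Name of the subnet containing ip, or None."""
    for name, net in subnets.items():
        if ip in net:
            return name
    return None


def check_routes(subnets, routes, appliance_nics):
    """Return a list of problems with the UDRs; an empty list means the layout passes."""
    problems = []
    nic_ips = set(appliance_nics.values())
    for attached, entries in routes.items():
        for prefix, hop in entries:
            hop_ip = ip_address(hop)
            if hop_ip not in nic_ips:
                problems.append(f"{attached}: next hop {hop} for {prefix} is not an appliance NIC")
            if hop_ip in subnets[attached]:
                # The case the reply describes: forwarding to a NIC in the same subnet.
                problems.append(f"{attached}: next hop {hop} sits inside the subnet the route table is attached to")
            if subnet_of(subnets, hop_ip) is None:
                problems.append(f"{attached}: next hop {hop} is in no known subnet")
    return problems


def trace_path(subnets, routes, start):
    """Follow 0.0.0.0/0 routes from a subnet; the path ends where no UDR applies (traffic leaves via the WAN NIC)."""
    path = [start]
    current = start
    while current in routes:
        defaults = [hop for prefix, hop in routes[current] if prefix == "0.0.0.0/0"]
        if not defaults:
            break
        nxt = subnet_of(subnets, ip_address(defaults[0]))
        if nxt is None or nxt in path:
            path.append(nxt)  # dead end or routing loop, left visible in the result
            break
        path.append(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    print("problems:", check_routes(SUBNETS, ROUTES, APPLIANCE_NICS) or "none")
    print("path from LAN:", " -> ".join(trace_path(SUBNETS, ROUTES, "LAN")))
```

With the reply's values the checker reports no problems and the trace reads LAN -> NGFW_LAN -> NGFW_WAN; attaching the same "next hop 172.20.2.4" route to the NGFW_LAN subnet instead is exactly what the first check flags.
-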
Squid in transparent mode fails for me as well - in general, not in Azure. I am running 2.4.1-RELEASE (amd64). I also use squidGuard.
What I observed was that requests (downloads from LAN which should get caught by squid) bypass squid and get downloaded via WAN. They do not appear in the Real Time monitor (because no traffic at all shows up in the Real Time monitor). SquidGuard blocking also does not work.
I tried to disable squid (Unchecked "Check to enable the Squid proxy.", hit Save) and re-enable it, but that didn't solve it.
I tried to disable transparent mode (while keeping squid enabled, so I unchecked "Enable transparent mode to forward all requests for destination port 80 to the proxy server.", hit Save), then re-enabled it (checked "Enable transparent mode to forward all requests for destination port 80 to the proxy server.", then hit Save), and, yes, suddenly transparent mode worked!
Until the next reboot at least.
I then re-disabled transparent mode, and re-enabled it again, and it was up again (content from the disk cache was getting served from the cache in transparent mode right away).
Obviously, this workaround sucks a bit. I wonder if this could be automated…or fixed. :D
Note that disabling transparent mode will clear the data in "Bypass Proxy for These Source IPs" and "Bypass Proxy for These Destination IPs"! If you have anything in there, be sure to put it into the clipboard first. Or else you have to pull it from your config history. The XML tags are <defined_ip_proxy_off> and <defined_ip_proxy_off_dest>.
Edit: it seems that making changes in the WebGUI also causes transparent mode to stop working. I cannot see whether a certain change triggered this, as several changes occurred around the time when squid stopped working in transparent mode. In any case, disabling and re-enabling transparent mode did the trick to (temporarily) fix transparent mode.
Another edit: it looks like having entries in "Bypass Proxy for These Source IPs" and "Bypass Proxy for These Destination IPs" breaks transparent mode. As the disable/re-enable cycle clears these fields, transparent mode works again… until I re-enter the required IP ranges into these fields. Then transparent mode is disabled again.
I then tried to delete the content in "Bypass Proxy for These Source IPs" and "Bypass Proxy for These Destination IPs" (without disabling/re-enabling transparent mode) and, yes, transparent mode suddenly started working again. Oh well.
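A small way to keep those two bypass lists safe before toggling transparent mode, as an added example that is not part of the post above or of the pfSense squid package: it pulls the `defined_ip_proxy_off` and `defined_ip_proxy_off_dest` elements the post names out of a config.xml (or a config-history copy) and diffs them against the config after the toggle, so you can see exactly which entries were wiped. The XML fragment is constructed; the nesting under installedpackages/squid/config and the `;` separator between entries are assumptions, which is why the lookup searches the whole tree rather than a fixed path.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment; element nesting is an assumption about pfSense's layout.
CONFIG_BEFORE = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <squid>
      <config>
        <transparent_proxy>on</transparent_proxy>
        <defined_ip_proxy_off>192.168.1.10;192.168.1.0/28</defined_ip_proxy_off>
        <defined_ip_proxy_off_dest>203.0.113.0/24;example.internal</defined_ip_proxy_off_dest>
      </config>
    </squid>
  </installedpackages>
</pfsense>
"""

# Constructed: the same config after a disable/re-enable cycle emptied both fields.
CONFIG_AFTER = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <squid>
      <config>
        <transparent_proxy>on</transparent_proxy>
        <defined_ip_proxy_off></defined_ip_proxy_off>
        <defined_ip_proxy_off_dest/>
      </config>
    </squid>
  </installedpackages>
</pfsense>
"""

BYPASS_TAGS = ("defined_ip_proxy_off", "defined_ip_proxy_off_dest")


def bypass_lists(config_xml):
    """Return {tag: [entries]} for the two bypass fields, found anywhere in the tree.
    Entries are split on ';' (assumed separator); a missing or empty field gives []."""
    root = ET.fromstring(config_xml)
    result = {}
    for tag in BYPASS_TAGS:
        node = root.find(f".//{tag}")
        text = (node.text or "").strip() if node is not None else ""
        result[tag] = [e.strip() for e in text.split(";") if e.strip()]
    return result


def lost_entries(before_xml, after_xml):
    """Entries present before the toggle that are gone afterwards, per field."""
    before, after = bypass_lists(before_xml), bypass_lists(after_xml)
    return {tag: [e for e in before[tag] if e not in after[tag]] for tag in BYPASS_TAGS}


if __name__ == "__main__":
    for tag, entries in lost_entries(CONFIG_BEFORE, CONFIG_AFTER).items():
        print(f"{tag}: lost {entries}")
```

Run it against the saved copy and the current config; whatever it lists is what has to be pasted back into the two fields.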