External Transparent Proxy

informasys

Hi Guys,
I have PFsense as a gateway for about 70 users. I have setup a Tansparent Squid on FreeBSD 6.3 using squid 3.0.
I have been searching around three days now and cannot find any info that i understand or is same as my configuration.

I would like to use PFsense to divert all HTTP traffic to my External Squid Proxy.
here is my configuration

I have 2 nics in Pfsense lan and wan, proxy is on the lan side with clients.
proxy has 2 nics one lan side and wan side pointing to another gateway on different link. squid is listening on lan side 3128 and i have tested using proxy setting in windows.
I compiled squid with all the transparent options. it is also my understanding that after Squid 2.6 there is only one line in the squid.conf to make it transparent….
http_port (lan address) 3128 transparent. please correct me if i am wrong!!

i understand that i can use squid package on PFsense but i would really like to use external to PFsense and have PF redirect all the traffic.

i have tried a NAT port forward from lan interface ....80 to 3128 on squid lan address etc (using the GUI). but it didnt work. also i saw alot of blocks in the pf firewall log saying "default deny rule" as it appeared it was taking traffic from my lan and diverting it to squidlan:3128 i also saw nothing in access.log on squid.

any assistance would be greatly appreciated.
Thank you

informasys

It seems as i have stumped everyone??
I was on pfsense irc channel and someone suggested to me that rdr's cannot work on the same interface? so i have put a 3rd Nic into PF and put my proxy on that.
i can talk to the proxy from my lan with the pass rule on OPT1. but i still cannot get HTTP to redirect to the proxy port on OPT1 network.

has anyone ever achieved this at all?

eri--

Either you have to provide a policy router rule or use a GRE tunnel between your squid and pfSense(do not remeber how Cisco calls this!).
The problem is that you can do this configurations only on 2.0, sorry.

geilhuber

Hi Ladies and Gents,

well like I understand now it is not possible to redirect http traffic to an external squid on another subnet ? Thats to bad. The last 2 weeks I tried to pass my webtraffic to my squidmachine without success :-(

My Setup is as this:

PFSense with 1 LAN, 1 WAN und an OPT Interface. I gave the OPT Interface another Subnet than the LAN Interface holds, the squidmachine is listening on OPT Subnet, well the squid is a FreeBSD with 1 LAN interface on the PFSense LAN Subnet and an alias for the OPT Subnet, should work so far.

I added a NAT Rule that does
rdr on LAN inet proto tcp from LANSubnet to any port = 80 -> squidmachine port 3128

Well for test purpose I createt rules on my LAN and OPT that are passing all in and out. The overalleffect is that no traffic gets redirectet to the squidmachine.
It works well when I do a static proxyentry on my clientmachines.

Does anyone has a mindevolving hint for me ? Or is it just true that this is quite impossible with pfsense right now ?

The big fish with this is that I can not add a squidpackage on the PFSense itself, be cause I use an embedded Version. Please help on that, I love this firewall and it would me turn into some sort of ZENState ( that would be a nice type of state for pf ;-) ), when I can use my transparent squid.

thx and regards

geilhuber

push

:-)

Hi,
does anyone has a suggestion on this one ?

I do not get a clue.

Thx :-)