External Transparent Proxy
I have pfSense as a gateway for about 70 users. I have set up a transparent Squid on FreeBSD 6.3 using Squid 3.0.
I have been searching around for three days now and cannot find any info that I understand or that matches my configuration.
I would like to use pfSense to divert all HTTP traffic to my external Squid proxy.
Here is my configuration:
I have 2 NICs in pfSense, LAN and WAN; the proxy is on the LAN side with the clients.
The proxy has 2 NICs, one on the LAN side and one on the WAN side pointing to another gateway on a different link. Squid is listening on the LAN side on 3128, and I have tested it using the proxy setting in Windows.
I compiled Squid with all the transparent options. It is also my understanding that after Squid 2.6 there is only one line in squid.conf to make it transparent:
http_port (lan address) 3128 transparent. Please correct me if I am wrong!!
I understand that I can use the Squid package on pfSense, but I would really like to use one external to pfSense and have pf redirect all the traffic.
I have tried a NAT port forward from the LAN interface, port 80, to 3128 on the Squid LAN address etc. (using the GUI), but it didn't work. I also saw a lot of blocks in the pf firewall log saying "default deny rule", as it appeared it was taking traffic from my LAN and diverting it to squidlan:3128. I also saw nothing in access.log on Squid.
Any assistance would be greatly appreciated.
It seems as if I have stumped everyone??
I was on the pfSense IRC channel and someone suggested to me that rdrs cannot work on the same interface, so I have put a 3rd NIC into pfSense and put my proxy on that.
I can talk to the proxy from my LAN with the pass rule on OPT1, but I still cannot get HTTP to redirect to the proxy port on the OPT1 network.
Has anyone ever achieved this at all?
Either you have to provide a policy routing rule or use a GRE tunnel between your Squid and pfSense (I do not remember what Cisco calls this!).
The problem is that you can do this configuration only on 2.0, sorry.
Hi Ladies and Gents,
Well, as I understand it now, it is not possible to redirect HTTP traffic to an external Squid on another subnet? That's too bad. For the last 2 weeks I have tried to pass my web traffic to my Squid machine without success :-(
My setup is as follows:
pfSense with 1 LAN, 1 WAN and an OPT interface. I gave the OPT interface a different subnet than the one the LAN interface holds; the Squid machine is listening on the OPT subnet. The Squid box is a FreeBSD machine with 1 LAN interface on the pfSense LAN subnet and an alias for the OPT subnet, which should work so far.
I added a NAT rule that does
rdr on LAN inet proto tcp from LANSubnet to any port = 80 -> squidmachine port 3128
For test purposes I created rules on my LAN and OPT that pass everything in and out. The overall effect is that no traffic gets redirected to the Squid machine.
It works well when I do a static proxy entry on my client machines.
Does anyone have a mind-evolving hint for me? Or is it just true that this is quite impossible with pfSense right now?
The big fish with this is that I cannot add a Squid package on the pfSense itself, because I use an embedded version. Please help with that; I love this firewall, and it would put me into some sort of Zen state (that would be a nice type of state for pf ;-) ) when I can use my transparent Squid.
Thanks and regards
Does anyone have a suggestion on this one?
I don't have a clue.
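As an added editor's example, not posted by anyone in the thread: a pf.conf fragment of the kind the pfSense NAT GUI generates for the rdr rule quoted above, together with the matching squid.conf line for Squid 3.0. The interface names, subnets and proxy address are assumptions. The one thing both posters' setups have in common is that the proxy keeps an interface on the same segment as the clients; when the proxy is on the client LAN (or aliased onto it), its SYN/ACK to a redirected client goes straight across the switch instead of back through pfSense, so the translation is never reversed and the client drops a reply that arrives from proxy:3128 rather than from the site it connected to. The example therefore puts the proxy on OPT1 only, with no LAN address, and relies on a route for the LAN subnet via pfSense on the proxy side.

```pf
# pf.conf fragment (pfSense 1.2-era syntax). Addresses and interface
# names are assumed for the example, not taken from the thread.
lan_if = "em0"            # LAN: 192.168.1.0/24, the clients
opt_if = "em2"            # OPT1: 192.168.2.0/24, the proxy and nothing else
proxy  = "192.168.2.10"   # squid box, ONLY address on this host facing pfSense

# --- NAT section ---------------------------------------------------------
# Intercept port 80 from LAN clients and hand it to squid on OPT1.
# "rdr pass" also creates the filter pass for the translated packet; a plain
# "rdr" still needs a pass rule that matches the post-translation destination
# ($proxy port 3128), which is what the "default deny rule" log entries above
# are about. Traffic arriving on $opt_if is never subject to this rdr, so the
# proxy's own outbound fetches cannot loop back into it.
rdr pass on $lan_if inet proto tcp from $lan_if:network to any port 80 \
    -> $proxy port 3128

# --- Filter section ------------------------------------------------------
# Let squid fetch from the web through pfSense. Replies from squid to the
# LAN clients match the state created by the rdr above and need no rule of
# their own, but they must physically arrive on $opt_if: the proxy needs a
# route for 192.168.1.0/24 via pfSense's OPT1 address (192.168.2.1, assumed),
# which matters if, as in the first post, its default gateway is elsewhere.
pass in quick on $opt_if inet proto tcp from $proxy to any port { 80, 443 } \
    flags S/SA keep state

# --- squid.conf (Squid 3.0) ---------------------------------------------
# Bind the intercepting listener to the OPT1-facing address. In 3.0 the
# keyword is "transparent"; Squid 3.1 and later renamed it to "intercept".
# http_port 192.168.2.10:3128 transparent
```

To check that the redirect is actually applied, watch the translation table on pfSense while a client browses (`pfctl -s state | grep 3128` shows a state whose original destination is the web site and whose translated destination is the proxy), and confirm on the proxy that `netstat -rn` lists the LAN subnet via the OPT1 gateway; if that route is missing, squid's replies leave by its other gateway and the client never sees them.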