Netgate Discussion Forum

    External Transparent Proxy

    • informasys

      Hi Guys,
      I have pfSense as a gateway for about 70 users. I have set up a transparent Squid on FreeBSD 6.3 using Squid 3.0.
      I have been searching around for three days now and cannot find any info that I understand or that is the same as my configuration.

      I would like to use pfSense to divert all HTTP traffic to my external Squid proxy.
      Here is my configuration:

      I have 2 NICs in pfSense, LAN and WAN; the proxy is on the LAN side with the clients.
      The proxy has 2 NICs, one on the LAN side and one on the WAN side pointing to another gateway on a different link. Squid is listening on the LAN side on 3128, and I have tested it using the proxy setting in Windows.
      I compiled Squid with all the transparent options. It is also my understanding that after Squid 2.6 there is only one line in the squid.conf to make it transparent:
      http_port (lan address) 3128 transparent. Please correct me if I am wrong!

      I understand that I can use the Squid package on pfSense, but I would really like to use one external to pfSense and have PF redirect all the traffic.

      I have tried a NAT port forward from LAN interface ....80 to 3128 on the Squid LAN address etc. (using the GUI), but it didn't work. Also, I saw a lot of blocks in the pf firewall log saying "default deny rule", as it appeared it was taking traffic from my LAN and diverting it to squidlan:3128. I also saw nothing in access.log on Squid.

      Any assistance would be greatly appreciated.
      Thank you

      • informasys

        It seems as if I have stumped everyone?
        I was on the pfSense IRC channel and someone suggested to me that rdr's cannot work on the same interface? So I have put a 3rd NIC into PF and put my proxy on that.
        I can talk to the proxy from my LAN with the pass rule on OPT1, but I still cannot get HTTP to redirect to the proxy port on the OPT1 network.

        Has anyone ever achieved this at all?

        • eri--

          Either you have to provide a policy router rule or use a GRE tunnel between your Squid and pfSense (I do not remember what Cisco calls this!).
          The problem is that you can do these configurations only on 2.0, sorry.

          1 Reply Last reply Reply Quote 0
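An added illustration of the policy-route approach mentioned in the reply above, written as raw pf.conf rules rather than pfSense GUI settings; it is not from the thread or from pfSense itself. The interface names, addresses and a proxy that sits alone on the OPT1 subnet are assumptions.

```pf
# ===== pf.conf on the firewall (all names and addresses are assumed) =====
lan_if   = "em1"             # LAN interface
opt_if   = "em2"             # OPT1 interface facing the proxy
lan_net  = "192.168.1.0/24"  # client subnet
proxy_ip = "192.168.2.10"    # Squid host on the OPT1 subnet

# Policy route: hand client HTTP to the proxy as the next hop.
# Unlike rdr, route-to leaves the destination address untouched, so the
# packet still carries the original web server IP when it reaches Squid.
pass in quick on $lan_if route-to ($opt_if $proxy_ip) inet proto tcp \
    from $lan_net to any port 80 keep state

# Rerouted packets are filtered again when they leave on OPT1.
pass out quick on $opt_if inet proto tcp \
    from $lan_net to any port 80 keep state

# ===== pf.conf on the Squid host (separate file, FreeBSD with pf) =====
int_if   = "fxp0"            # interface facing the firewall (assumed)
lan_net  = "192.168.1.0/24"
proxy_ip = "192.168.2.10"

# The interception happens here, on the proxy itself: packets addressed
# to any web server on port 80 are redirected to the local Squid listener.
rdr pass on $int_if inet proto tcp \
    from $lan_net to any port 80 -> $proxy_ip port 3128

# squid.conf on the same host uses the directive quoted in the first post:
#   http_port 192.168.2.10:3128 transparent
#
# The Squid host also needs a route back to $lan_net through the
# firewall's OPT1 address, so replies retrace the path and match the
# state the firewall created.
```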
          • geilhuber

            Hi Ladies and Gents,

            Well, as I understand it now, it is not possible to redirect HTTP traffic to an external Squid on another subnet? That's too bad. For the last 2 weeks I tried to pass my web traffic to my Squid machine without success :-(

            My setup is this:

            pfSense with 1 LAN, 1 WAN and an OPT interface. I gave the OPT interface a different subnet than the LAN interface holds. The Squid machine is listening on the OPT subnet; the Squid is a FreeBSD box with 1 LAN interface on the pfSense LAN subnet and an alias for the OPT subnet. It should work so far.

            I added a NAT rule that does
            rdr on LAN inet proto tcp from LANSubnet to any port = 80 -> squidmachine port 3128

            For test purposes I created rules on my LAN and OPT that pass everything in and out. The overall effect is that no traffic gets redirected to the Squid machine.
            It works well when I set a static proxy entry on my client machines.

            Does anyone have a mind-evolving hint for me? Or is it just true that this is quite impossible with pfSense right now?

            The big catch with this is that I cannot add a Squid package on the pfSense itself, because I use an embedded version. Please help with that. I love this firewall, and it would turn me into some sort of ZENState (that would be a nice type of state for pf ;-) ) when I can use my transparent Squid.

            Thx and regards

            • geilhuber

              push

              :-)

              Hi,
              does anyone have a suggestion on this one?

              I do not have a clue.

              Thx :-)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.