Best way to redirect traffic for proxying/filtering



I'm deploying a couple of extra pfSense instances to be used as a caching proxy, full interception, and for further filtering according to random criteria, and a little experimental too (that's why I'm installing not one but two). I've been bibling the book and watched the Hangouts videos for the proxy, captive portal, multi-WAN, basically anything where I thought I could find some hints. It is mentioned in one of the videos that it's best to leave a second box exclusively for a cache and let the firewall be a firewall--they mentioned super briefly about redirecting the traffic, but it's no more than a sentence and that's about it.

I looked around other places about this, not specific to pfSense but how to redirect the traffic on their normal ports to an external processor, let's say, and back to continue the route out, or out directly--not really important, but there's nothing about it. Well...not nothing, but nothing that doesn't involve iptables in the setup.

That said, I came up with two ways to do it: one is NATting incoming traffic on the interface of the main firewall to the external box that's been set to intercept traffic on the regular ports of its LAN interface, meaning that box would be doing its own NATting, so that's double NAT on the way out so far and yet at least one more to go to reach public IP space. Then I thought about NATting from the main firewall just as before, but directly to what would be the actual proxy ports, 3128/3129 usually, but, as I gather, when a proxy is either manually or automatically (through WPAD) configured on a client, there's an understanding between the client and the proxy (I'm guessing HTTP headers) that the proxy is acting as such, which is obviously not the setup here, so I don't know if that'd work or not.

The other way I thought about was very similar, but instead of specific ports, go full-on policy routing, switching the gateway on the clients involved, using the caching server as the new gateway for those clients (hence why I was watching the multi-WAN videos too), and variations on that.

Is either of these methods appropriate? If not, could you explain how to do it please?

Thanks!
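The two approaches the post describes, port-based NAT redirection and policy routing, written out as the pf rules that pfSense generates behind its GUI. This is an added illustration, not part of the original post or of pfSense's own configuration; the interface name, the LAN network, the caching box's address and its listening port are all assumptions, and the caching box is placed on the same LAN segment as the clients to keep the example short.

```pf
# Added example (not from the original post): pf rules on the main pfSense box
# for the two traffic-redirection approaches discussed above. Every address,
# interface name and port below is an assumption chosen for illustration.
#
# Assumed layout:
#   LAN interface of the main firewall:  em1, LAN network 192.168.10.0/24
#   Caching/filtering box:               192.168.10.2 (on the same LAN segment)
#   Interception port on that box:       3129 (a port configured for
#                                        transparent/intercept mode, not a
#                                        regular forward-proxy port)

lan_if   = "em1"
lan_net  = "192.168.10.0/24"
proxy    = "192.168.10.2"
proxy_pt = "3129"

# --- Approach 1: port-based redirect (Firewall > NAT > Port Forward in pfSense) ---
# Translation rules are first-match, so the exception for the caching box's own
# outbound fetches must come first; otherwise its requests to the Internet would
# be redirected straight back to itself (a loop).
no rdr on $lan_if inet proto tcp from $proxy to any port 80
rdr on $lan_if inet proto tcp from $lan_net to any port 80 -> $proxy port $proxy_pt

# --- Approach 2: policy routing (a LAN firewall rule with "Gateway" set) ---
# The destination address is left untouched; matching packets are handed to the
# caching box as next hop, which intercepts them locally. Again the exception
# for traffic sourced by the caching box comes first, because "quick" rules are
# first-match and $lan_net includes $proxy.
pass in quick on $lan_if inet proto tcp from $proxy to any flags S/SA keep state
pass in quick on $lan_if route-to ($lan_if $proxy) inet proto tcp \
    from $lan_net to any port { 80 443 } flags S/SA keep state
```

Two caveats worth checking before choosing between them. A destination-rewriting redirect (approach 1) discards the original destination IP by the time the packet reaches the caching box, so an intercepting proxy there can only recover where the client was going from the HTTP Host header; intercept-mode proxies such as Squid expect the redirect to be performed on the proxy's own host for that reason, which favours approach 2 (policy routing to the box, then a local redirect on the box). Second, the port that receives the traffic has to be one configured for interception: intercepted requests look like ordinary origin requests, not the proxy-form requests a client sends to a manually or WPAD-configured proxy, so pointing the redirect at a plain forward-proxy port will not work as intended. In both approaches the main firewall still needs its normal outbound rules and NAT on WAN for the traffic the caching box forwards on.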
