Using pfsense as a transparent firewall and proxy



  • Hey, I need some guidance on a strange setup; just hear me out on this one.

    I have a dual-WAN pfSense gateway on 192.168.1.1. Directly connected to that is another pfSense gateway with IP 192.168.1.2, and on the other side of that are my clients. See the full diagram below (attachment).

    Now I can get to the internet and the web interface of 192.168.1.1; everything seems fine. The traffic is going through with no problem (I bridged the WAN and LAN to do this).

    The problem: I cannot enable Squid transparently. For some reason I cannot browse anything on port 80 with Squid when transparent mode is enabled. This is what I need help with. I want all traffic to go through this box and Squid to transparently cache.

    Finally, you might be wondering why in the world I would want this setup. Well, it's so I can control all traffic in a dedicated box, to remove the role from the main router. Separating roles helps with performance.




  • Are you using the second box mainly as the firewall? If so, why not just run the entire thing transparent?

    http://forum.pfsense.org/index.php/topic,13142.0.html
    http://pfsense.trendchiller.com/transparent_firewall.pdf



  • Edit: I have configured my firewall as a transparent firewall. I have bridged the WAN and LAN. I even have an OPT1 for the wifi network (like blue in IPCop).

    Squid does not work in transparent mode. I did a packet capture while Squid was DISABLED and saw my connection was fine.
    I did another packet capture while Squid was ENABLED transparently, and the packet capture didn't capture any packets on port 80.

    So what am I doing wrong? Thank you for your help.



  • I'm sure it's something to do with the fact that it's looking to send stuff back through the loopback device.

    Maybe you can edit /usr/local/pkg/squid.inc:
    take all instances of 127.0.0.1 and change them to your actual LAN IP.

    Make sure your web GUI isn't on port 80 (change to HTTPS and set a custom port).

    Make a LAN firewall rule to allow traffic.
    Make a WAN firewall rule to allow traffic.

    Make a rule that allows traffic to your web GUI port.
    Turn off the anti-lockout rule.

    Restart.

    That's what worked for me.



  • I tried that, not working.
    Here is something weird that I do not understand.

    My OPT1 is on 10.0.0.1, which has all my wifi clients. It's configured exactly the same as my LAN right now, with the exception of the NIC address. Squid works on the 10.0.0.0 network, and even in transparent mode! Now why would it work for 10.0.0.0 and not 192.168.1.0? Seems weird. Mind you, my squid.inc has been restored to defaults.

    I am still testing, so maybe I can have this figured out soon. Do you have any ideas?

    Edit: attached is an updated network diagram that shows you where OPT1 is located in relation to my LAN on the transparent firewall.




  • You are missing the obvious!
    Use a different subnet between your "main router" and the "transparent bridge", and forget about it being transparent.
    That way it can actually route traffic as a proxy while the other box acts as the perimeter firewall.

    Squid is able to work on your 10. subnet because the traffic is routed to 192.168.

    Use something like 192.168.250.0/30 as your network between the perimeter FW (192.168.250.1/30) and your proxy (192.168.250.2/30), with 192.168.250.3 being the broadcast, and all should be fine.



  • BTW: do you have a DHCP server enabled, and what's the gateway on the clients?

    You may want to check your network settings with a tool like this:  http://www.subnetmask.info/



  • Thank you for the input, Jahonix.
    I configured my network according to your setup and didn't like it at all. It's not what I wanted; I still want to run a transparent firewall. I have since changed everything back to the previous setup. I know your setup will correct my issue, because my transparent firewall will then become a gateway on a separate network from the perimeter firewall. However, this is not the solution; I would like to keep the transparent firewall.

    To answer your second question, Jahonix, I am the biggest idiot ever! I never thought to change my default gateway, because I could use the perimeter FW just fine. When you bind Squid to the LAN on the transparent FW and configure your browser to use Squid, Squid doesn't know why your traffic is going to an 'outside' gateway. All packets are dropped. By configuring your default gateway to the transparent firewall, everything works just great. That's why my 10 network worked fine: the default gateway was the OPT1 address.

    To summarize:
    I am retardededed. Using a transparent FW on the same network works fine, just like you would expect. But if you want your transparent FW to handle the traffic with pkg support, you need to configure it as the default gateway for the clients behind that box.

    I can't believe I missed that. PEBKAC.



  • You can still use Squid in transparent mode; it's only a checkbox away…



  • Yes, it works just fine. I had to change my DHCP server settings; now my default gateway is the LAN address of the transparent firewall.

    I know why it works with the default gateway, because the transparent firewall acts as a gateway, but I had no idea that a 'transparent' firewall would have to be used as the default gateway for pkg support. I guess I don't understand it completely.
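The thread's resolution is that the Squid package only saw the clients' web traffic once the bridge box was the clients' default gateway (which it already was on OPT1, whose clients used 10.0.0.1). The following is an added example, not code from the thread or from pfSense: it applies the standard host forwarding decision (on-link destinations are delivered directly, everything else is handed to the default gateway) to the two client networks described above, and reports which box each client hands its internet-bound packets to. It also enumerates the /30 link network suggested in the thread. Device names, the client addresses and the example destination are assumptions for illustration.

```python
import ipaddress

# Constructed from the thread: the dual-WAN perimeter router is 192.168.1.1,
# the bridged pfSense box (where Squid runs) is 192.168.1.2 on LAN and
# 10.0.0.1 on OPT1. The device names are assumptions, not pfSense names.
DEVICES = {
    "perimeter-router": ["192.168.1.1"],
    "transparent-fw": ["192.168.1.2", "10.0.0.1"],
}


def next_hop(client_ip, prefix_len, default_gw, dst):
    """Standard host forwarding decision: a destination inside the client's
    own prefix is sent to directly; anything else goes to the default gateway.
    Returns the IP address the client will ARP for and frame the packet to."""
    local_net = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    dst_addr = ipaddress.ip_address(dst)
    return str(dst_addr) if dst_addr in local_net else str(default_gw)


def first_hop_device(client_ip, prefix_len, default_gw, dst):
    """Map the next-hop address onto the box that owns it, or None when the
    packet goes straight to the destination host (or to an unknown address)."""
    hop = next_hop(client_ip, prefix_len, default_gw, dst)
    for name, addrs in DEVICES.items():
        if hop in addrs:
            return name
    return None


def link_net(cidr):
    """Enumerate a point-to-point link network such as the 192.168.250.0/30
    suggested in the thread: network, usable hosts and broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "hosts": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
    }


def report():
    # Assumed client addresses and an arbitrary off-link destination (93.184.216.34).
    dst = "93.184.216.34"
    cases = [
        ("LAN client, gateway = perimeter router", "192.168.1.50", 24, "192.168.1.1"),
        ("LAN client, gateway = transparent FW", "192.168.1.50", 24, "192.168.1.2"),
        ("OPT1 wifi client, gateway = OPT1 address", "10.0.0.20", 24, "10.0.0.1"),
    ]
    lines = []
    for label, ip, plen, gw in cases:
        lines.append(f"{label}: first hop is {first_hop_device(ip, plen, gw, dst)}")
    lines.append(f"/30 link: {link_net('192.168.250.0/30')}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the perimeter router as the clients' gateway, the LAN clients frame their internet-bound packets to 192.168.1.1 and the bridge box is not their first hop; pointing the DHCP-served gateway at 192.168.1.2 (as the thread ended up doing) makes it the first hop, exactly as it already was for the 10.0.0.0/24 clients behind OPT1.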

