Proxy on internal network

  • First off, I'm not sure if this is the correct area to post this, but I didn't think it fit under "Packages".

    So, I have Squid currently running on a computer on my internal network. I want to "transparently" forward all web traffic to the proxy and allow the internal proxy to bypass this rule and access the internet. My current setup is to have Squid with almost no cache (50 MB), and using the internal computer as the parent proxy. I do not want to use this setup anymore. I have been having issues with the overhead of Squid (thus the dedicated machine).

    What is the best (most efficient and fastest) way to forward all port 80 traffic to the proxy on another port (3128) but to allow all port 80 traffic from the proxy IP address internally?


  • I'm not sure I completely understand, though it does not sound like you are trying to do anything that cannot be done.  Can you sketch out a diagram of what you have versus what you want or something?

  • So right now all port 80 traffic works like so:

    Client ( ->
    pfSense (
      Squid transparent process with 50 MB internal storage
      Squid routes to parent proxy on internal network ( ->
    Squid on internal network with HAVP and SquidGuard, then requests from WAN

    Ideally I would like it to go like so:
    Client ( ->
    pfSense ( ->
    Redirects all port 80 traffic except that from to proxy
    Proxy on requests content from web

    Essentially removing the process on the router is the goal


  • In short, you want a reverse proxy, to take load off eventual webservers??? Correct??

  • I guess… I just want to proxy content requested from all my internal computers. I want to make the network faster and use less bandwidth through WAN. I have Squid set up with videocache and HAVP on my internal server. I just want all traffic from my LAN on port 80 to go to the proxy on the internal server and have it request the non-cached data from the servers. I want to completely remove Squid from my router.

    Not entirely sure the correct lingo for that.

    The simplest way I think is to have 2 rules such as:
    All traffic on port 80 from proxy internal to WAN is allowed.
    All traffic on LAN subnet that is not from proxy internal using port 80 with destination through WAN to be redirected to local proxy on port 3128.
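
    The two rules above, written out as pf rules (pfSense's packet filter) as an added example; this is not from the thread or from pfSense's own configuration, and the interface name and all addresses are assumptions. The one thing the two-rule sketch leaves out is that the proxy and the clients share a subnet, so a plain redirect makes Squid answer the client directly from its own address and the client drops the reply; the `nat` rule below handles that.

```pf
# Added example (not from the thread). Interface name and addresses are assumptions.
lan_if    = "em1"
lan_net   = "192.168.1.0/24"
proxy     = "192.168.1.10"      # internal Squid/HAVP/SquidGuard box (assumed)
squid_prt = "3128"

# Translation rules: for nat/rdr the first matching rule wins, so the
# exemption for the proxy must come before the catch-all redirect.

# 1. The proxy's own outbound HTTP is never redirected (otherwise it loops).
no rdr on $lan_if proto tcp from $proxy to any port 80

# 2. Every other LAN host going to the Internet on port 80 is sent to Squid.
#    Destinations inside $lan_net are excluded so internal web servers still work.
rdr on $lan_if proto tcp from $lan_net to ! $lan_net port 80 -> $proxy port $squid_prt

# 3. The redirected flow leaves on the same LAN interface it came in on. Source-NAT
#    it to the firewall's LAN address so the proxy's replies come back through pf
#    and get un-translated; without this the client sees a reply from the wrong IP.
nat on $lan_if proto tcp from $lan_net to $proxy port $squid_prt -> ($lan_if)

# Filter rules (evaluated after translation, so they see the rewritten addresses).
pass in  quick on $lan_if proto tcp from $proxy    to any    port 80         keep state
pass in  quick on $lan_if proto tcp from $lan_net  to $proxy port $squid_prt keep state
pass out quick on $lan_if proto tcp from ($lan_if) to $proxy port $squid_prt keep state
```

    In the pfSense GUI this is a single port forward on LAN (source: not the proxy, destination: not the LAN net, port 80, target proxy:3128) with the matching pass rules, plus an outbound NAT entry on LAN for the proxy. Squid itself has to listen in intercept mode (`http_port 3128 intercept`, or `transparent` on older releases) because the clients never know they are being proxied. The price of the source NAT is that Squid, HAVP and SquidGuard see the firewall's LAN address as the client, so any per-client ACLs or logs on the proxy lose the real client IP; if that matters, the proxy needs its own interface or VLAN so the redirect does not stay on one segment.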

  • Then it is not a reverse proxy….:)

    A reverse proxy serves the WAN side of the router with requested pages.....

    Check to see if there is anything free available....

  • Sounds like all you need are two pfSense boxes.  The setup would be like this:

    WAN -> PFS1 (WAN (real IP) & LAN as, no packages) -> PFS2 (WAN as, gateway and LAN as, running Squid, DHCP, etc.)

    All your clients would pull 192.168.2.x IP addresses. If you set up Squid as a transparent proxy on, all the local content would be cached there, and if it was not cached, the content would be pulled down from the router. Just make sure you add a block rule for traffic from 192.168.2.x to 192.168.1.x, except for the routers themselves, and set your subnet masks correctly.

    Is this setup for a very large installation, or you just like to keep server roles separate?  If you configure/scale your hardware right, you should be able to make things easier and keep the entire setup on one box.

  • In that case, I would suggest doing it in VMware….. Much easier than 2 separate boxes. Also a lot cheaper in terms of power used :)
