Netgate Discussion Forum

    Can I configure pfSense to act as a proxy server?

    • M
      mauro.tridici

      Dear Users,

      my boss asked me to identify a solution in order to deploy a proxy server.
      The proxy server should be able to allow the corporate users (working from different world locations) to reach a predefined list of web sites (after adjusting their browser settings accordingly).

      In other words, corporate users that are working from office can easily be authorised to reach the web sites mentioned above through the public IP of our pfsense gateway/firewall.

      But, for the users that are working from home, I should activate a proxy server (and it should be authorised as well to reach the web sites)

      Is there a way to do it in a single shot, using the same/existing pfsense gateway/firewall?

      Thank you in advance for the help,
      Mauro

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @mauro.tridici

        @mauro-tridici said in Can I configure pfSense to act as a proxy server?:

        corporate users that are working from office can easily be authorised to reach the web sites mentioned above through the public IP of our pfsense gateway/firewall.

        That sounds more like you want corp users at home to be able to get to intranet sites hosted in the company network. That sounds more like you want a vpn.

        Or are you wanting to say allow your corp users on the corp network from going to say www.amazon.com, but allow them to go to www.cnn.com?

        And you also want to keep corp users at home from going to amazon but allow cnn?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          mauro.tridici @johnpoz

          @johnpoz thank you for your reply.

          I think I'm in the second case.
          I will try to describe the scenario with an example.

          Imagine you have 3 web sites that every corporate user needs to reach:

          www.website1.com
          www.website2.com
          www.website3.com

          So, users that are working from office can reach them using current pfsense gateway/firewall (with public IP x.x.x.x)
          IP x.x.x.x will be authorised (by the web sites admin) to reach the web sites.

          corporate_users_from_LAN -> (private IP) corporate GW/FW (public IP)-> web sites

          Users that are working from home should reach the web sites only through the proxy server (that I would like to activate on the same pfsense GW/FW mentioned above).

          corporate_users_from_home -> (public IP) corporate GW/FW (public IP) -> web sites

          The websites admin should authorise only the pfsense GW/FW public IP.

          Do you think that it can be done using the current and running pfsense instance?
          What are the best practices in this case/scenario?

          Thank you in advance,
          Mauro

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @mauro.tridici

            @mauro-tridici if I want users out of the public internet (corp users at home) to get to my corp websites hosted on the corp network I would use a vpn..

            You could limit where these vpn users can go via simple firewall rules in pfsense, or your websites if running their own firewall could allow the specific range of IPs these vpn clients would get.

            Not only does this allow access to your websites, it would also allow if you want any other access to resources on the corp network. Also the vpn auth method is way more secure than just some proxy access with a password, etc.

            I mean sure you can set up a reverse proxy on pfsense with the haproxy, and auth your users to that.. But vpn would be a much more robust and secure method of letting road warriors access your company resources.

            • M
              mauro.tridici @johnpoz

              @johnpoz sorry, but the websites are not corp websites hosted on the corp network. They are public websites owned by other people.

              In other words, I would like to reach these websites only passing through a proxy server owned by our corporate.

              • M
                mauro.tridici @mauro.tridici

                @mauro-tridici I don't know if it is correct... but it seems that the service I would like to implement is called "transparent proxy"... but I'm not sure, I'm still reading

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @mauro.tridici

                  @mauro-tridici so you want some home user to access www.website1.com that limits who can access to corp IPs.

                  A vpn would be a better solution to allow users to come from a corp network when not on the corp network..

                  User connects to the corp vpn, and then routes traffic through this vpn to get to xyz, be that on the corp network or off the corp network. Traffic to something off the corp network would be coming from a corp IP.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @mauro.tridici

                    @mauro-tridici said in Can I configure pfSense to act as a proxy server?:

                    implement is called "transparent proxy".

                    No, that is not what you want - a transparent proxy is something that intercepts traffic and proxies it... For your thing to work you would need the client to have an explicit proxy setup - where they send traffic trying to go to www.website.com to your proxy.

                    1 Reply Last reply Reply Quote 1
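
The explicit proxy setup described in the post above, sketched as a proxy auto-config (PAC) file that the home users' browsers would load. This is an added example, not part of the original thread; the hostnames are the thread's placeholders and the proxy address proxy.corp.example:3128 is an assumed value.

```javascript
// Added example: PAC file for an explicit proxy (not code from the thread).
// Written in ES3 style (var, indexOf) so older PAC engines can evaluate it.
// Hostnames are the thread's placeholders; the proxy address is assumed.
var PROXIED_HOSTS = [
  "www.website1.com",
  "www.website2.com",
  "www.website3.com"
];
var CORP_PROXY = "PROXY proxy.corp.example:3128";

// Hostnames are case-insensitive and may arrive as an FQDN with a trailing dot.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Called by the browser for every request. Decisions use only `host`,
// because browsers may strip the path and query from `url` for HTTPS.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < PROXIED_HOSTS.length; i++) {
    // Exact match only: a suffix or substring match would also send
    // look-alike names such as www.website1.com.example.net to the proxy.
    if (PROXIED_HOSTS[i] === h) {
      // No "; DIRECT" fallback: if the proxy is unreachable the request
      // fails instead of leaving from the user's home IP.
      return CORP_PROXY;
    }
  }
  // Everything else bypasses the corporate proxy.
  return "DIRECT";
}
```
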
                    • M
                      mauro.tridici @johnpoz

                      @johnpoz said in Can I configure pfSense to act as a proxy server?:

                      Traffic to something off the corp network would be coming from a corp IP.

                      this sentence wins.
                      thank you very much for your support.

                      in any case, for informational purposes only, is this the "other not recommended" solution (transparent proxy solution)?

                      https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-transparent.html

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @mauro.tridici

                        @mauro-tridici see my last post - no, a transparent proxy would not work for what you want.. How would the proxy even see the traffic to intercept it?

                        • M
                          mauro.tridici @johnpoz

                          @johnpoz you are right.. sorry but I'm a newbie and I'm still trying to study and understand a lot of things :)

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @mauro.tridici

                            @mauro-tridici while you could set up a proxy on pfsense with haproxy, I really wouldn't go that route. If you want remote users to look like they come from your corp network, I would vpn them into your network, and route whatever traffic you want to come from a corp IP to something out on the internet through the vpn.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.