PfSense transparent proxy bridge + trafficshaper possible?



  • Hello pfSense Community,

    I need some help with pfSense 1.2.3 RC3 configuration.

    I set up a bridge (WAN <-> LAN) and installed Squid for transparent proxy caching. Squid works if you set the proxy in the browser settings manually. If I try to set transparent mode, Squid isn't working (no proxy settings in the browser): the browser on the client doesn't display any web pages.

    I don't find anything in the Squid log.

    Do you have a solution for my problem? Maybe you can guide me a little.

    (Same effect with 2.0 Alpha.)

    cya

    Norman



  • I'm trying to solve this same problem using 1.2.2 and have had no luck.

    Here's my topic: http://forum.pfsense.org/index.php/topic,20890.0.html



  • I need to know more about what your network looks like.



  • Hi Danswartz,

    my network looks like this:

    Internet --- Router ---- (fxp1, WAN, 10.128.70.210) pfSense Bridge (fxp0, LAN, 10.128.70.211, Proxy Port: 3128) ---- Servers + Clients

    I set up pfSense in bridge mode (Trendchiller guide) with Squid, LightSquid and SquidGuard. But there are some problems left.

    1. Transparent proxy doesn't work.
    2. I set up the proxy in the browser manually. The proxy works fine for external and internal URLs but not for pfSense access itself (GUI port 80). It seems to be an internal BSD problem in bridge mode.

    Here is the Squid access log entry:

    1260024817.247 179638 10.128.70.25 TCP_MISS/504 1500 GET http://10.128.70.211/ - DIRECT/10.128.70.211 text/html

    It seems to be OK, but I get "Operation timed out" if I try to access the web GUI through the proxy. Because of this the SquidGuard error page generator has a problem: the error pages are not reachable.
    I can use external pages OK, that works, but I want to know why it doesn't work on pfSense itself.

    Do you have any ideas? I browsed the forum and the pfSense book but didn't find a solution.

    PS: I tested some more today:

    Disabling the packet filter doesn't help.

    pfSense settings:
    Bridged WAN - LAN
    Squid listens on LAN interface
    Disable reply-to on WAN rules activated
    NAT off
    Packet filter disabled

    Firefox proxy settings: 10.128.70.211:3128 -> Internet OK

    ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: http://192.168.178.52/

    The following error was encountered:

    * Connection to 10.128.0.211 Failed

    The system returned:

    (60) Operation timed out

    The remote host or network may be down. Please try the request again.

    Your cache administrator is admin@localhost.
    Generated Sun, 06 Dec 2009 15:08:25 GMT by localhost (squid/3.0.STABLE8)

    Access to 10.128.70.211 (web GUI) is not possible :(

    In normal NAT mode there is no problem, only with bridged interfaces.

    Help me..



  • Not an expert on bridging pfSense, but I seem to recall recommendations to NOT put an IP on both interfaces. Have you tried removing one of them?



  • I have posted a sort of network diagram in my other topic, but here it is:

    Internet <- commercial router/DHCP server <- (WAN) transparent firewall/proxy (LAN) <- switch <- clients

    Internet: cable modem (DHCP-assigned address)
    commercial router internal address: 192.168.1.1
    transparent firewall/proxy: 192.168.1.10
    clients: 192.168.1.(100-250)

    As I mention in the topic line I have, it's somewhat working. The only thing that is maybe a problem is that the client machines can't get to the internet (through web) unless I set their gateways to be the transparent firewall. All other traffic flows normally no matter what I set the gateway to. If you know of a way I can allow the proxy to work without having to set the gateway, I would greatly appreciate it.



  • Hi,

    @Danswartz

    Thanks for the reply.

    "Not an expert on bridging pfSense, but I seem to recall recommendations to NOT put an IP on both interfaces. Have you tried removing one of them?"

    You are right.

    How can I remove one address? Is filtering possible after removing the interface address?

    @trinli

    I tested for many hours and can't get it to work if the client gateway isn't the pfSense interface. Maybe the pf redirect to the proxy port only works with the transparent firewall's gateway address.

    In my opinion it's more useful to set the proxy via GPO or script, because it wouldn't bypass SSL connections. Otherwise you can't log SSL sessions.
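    For reference, here is the shape of the pf and Squid configuration a transparent redirect on a bridged pfSense needs. This is an added example, not a configuration from the thread or from the pfSense Squid package; it reuses the interface names and addresses from Norman's post (fxp0 = LAN, 10.128.70.211, Squid on 3128). The bridge sysctl values, the rdr target, the pass rule and the Squid http_port line are assumptions about such a setup that should be checked against the box, not settings the thread confirms.

```conf
# --- /etc/sysctl.conf (assumed; bridge(4) filtering knobs) ---
# pf only evaluates "rdr on fxp0" for frames it sees on the member
# interface, so member filtering must be on. With pfil_bridge=1 instead,
# the rules would have to reference bridge0 rather than fxp0.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# --- pf.conf fragment (assumed) ---
# Redirect client HTTP arriving on the LAN member to the local Squid.
# "!(fxp0)" excludes the firewall's own address, so requests for the
# webGUI on port 80 are not pushed into the proxy.
rdr on fxp0 inet proto tcp from any to !(fxp0) port 80 -> 10.128.70.211 port 3128

# The redirected packets must also be passed to the proxy socket.
pass in quick on fxp0 inet proto tcp from any to 10.128.70.211 port 3128 keep state

# Only port 80 is redirected. Port 443 crosses the bridge untouched,
# which is the SSL bypass the last post describes; an explicit proxy
# set by GPO or script is what makes HTTPS sessions visible to Squid.

# --- squid.conf (assumed; Squid 3.0 keyword is "transparent") ---
http_port 10.128.70.211:3128 transparent
```

    A quick check that the redirect is actually matching: `pfctl -s nat` must list the rdr rule, and `tcpdump -ni fxp0 port 80` while a client browses must show the client's SYNs on the member interface; if the SYNs only appear on bridge0, the pfil sysctls are the wrong way round for these rules. Note that a layer-2 bridge forwards the client's packets regardless of the client's gateway setting, so with filtering on the member the gateway should not matter for the redirect itself.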

