Proxy problem



  • Hi everybody.

    I'm having problems accessing one of my servers in the DMZ zone.

    I'm using pfSense 1.2.3 with the Squid transparent proxy (I think it's the proxy that's the problem).

    Here's how the network is setup. (see typo.jpg attached)

    I can access the server's website and install the package (app-ms)

    But I can't log in through the program.

    If I change my default route to another ISP and router, I can log in.

    Any ideas?


    config-pfsense.local-20100309081206.txt



  • When you say "login through the program", what exactly are you referring to?



  • @Cry:

    When you say "login through the program", what exactly are you referring to?

    The program is called ATC client and is an appref-ms program launched from the server.
    http://62.199.235.164/ATC/ATC - NT.application#ATC - NT.application, Culture=neutral, PublicKeyToken=a62aa9a911aacd36, processorArchitecture=msil

    This I can do.

    From my home address I can launch the program and log in.
    I can use another gateway instead of pfSense and log in.

    I CAN'T log in using the pfSense gateway, which means pfSense blocks the login somehow.

    I have no idea where to search for logs. There's no blocking in the firewall log.

    I've activated the logging on the squid service.

    cat access.log | grep 62.199.235.164

    1268216381.469      0 192.168.241.113 TCP_MISS/417 1794 POST http://62.199.235.164/ATCServer/atcservice.asmx - NONE/- text/html
    1268216456.311      0 192.168.241.113 TCP_MISS/417 1794 POST http://62.199.235.164/ATCServer/atcservice.asmx - NONE/- text/html

    So some traffic is being sent, but other than this, I can't find any logging on 62.199.235.164.

    Any ideas?



    Are all your VLANs gatewayed through pfSense?

    The sidewinder firewall's interface that is connected to the switch, is it on a pfsense vlan?

    The client from which you cannot access the server, is it on one of your VLANs?

    And the server is in the DMZ behind sidewinder?



    Are all your VLANs gatewayed through pfSense?

    Yes.

    My core backbone switch has a default route through my pfsense

    The sidewinder firewall's interface that is connected to the switch, is it on a pfsense vlan?

    Yes. It's on VLAN 249 (192.168.249.80, and pfSense has 192.168.249.50).

    The client from which you cannot access the server, is it on one of your VLANs?

    Yes. I've tried on vlan 249, 241,240

    And the server is in the DMZ behind sidewinder?

    Yes.

    But keep in mind, if I use another gateway it does work.
    (I have a ClarkConnect on 192.168.249.90, which uses the same ISP as the pfSense, and this works.)

    Regards Michael



  • So any traffic between DMZ and another vlan is routed through pfsense. pfsense doesn't know where to find 192.168.249.80, so you have to give it a static route with 192.168.249.50 as the gateway. Likewise, if the server is using its public IP address as its default gateway you will have to give it a static route for the client(s)'s IP address or range with 192.168.249.50 as its gateway.



  • @clarknova:

    So any traffic between DMZ and another vlan is routed through pfsense. pfsense doesn't know where to find 192.168.249.80, so you have to give it a static route with 192.168.249.50 as the gateway. Likewise, if the server is using its public IP address as its default gateway you will have to give it a static route for the client(s)'s IP address or range with 192.168.249.50 as its gateway.

    Hi again.

    From DMZ to VLAN is routed through the sidewinder, BUT 62.199.235.164 can only be accessed from outside address.

    What I'm really trying to do is access a server on the internet that's located in my DMZ zone. As I said, this works fine if I use a ClarkConnect (192.168.249.90) but not through pfSense.



  • I'm not familiar with your switch, but unless it is L3 capable and you have it properly configured to route at that layer, all traffic from one vlan to another must pass through pfsense. This is because if you have a client, say 192.168.240.55/24, its routing table knows how to find only addresses beginning with 192.168.240, because they are on the same subnet. Any other destination address gets passed to the gateway (pfsense) via the default route.

    pfsense likewise has routing tables. Because none of its interfaces live on the same subnet as 62.199.235.164, it will in turn pass the packet out to its gateway via the default route. If however, you give pfsense a static route for host 62.199.235.164 via gateway 192.168.249.80, when it receives a packet for 62.199.235.164 it will pass it to 192.168.249.80 (sidewinder). Sidewinder then knows what to do with it because it has an interface that shares a subnet with the server.



  • Hi again.

    The switch is a Layer 3 switch, and it is configured so all VLANs pass through pfSense. I think it's easier for me to explain this way.

    The switch has an IP address on all my vlans

    192.168.240.205
    192.168.241.205
    192.168.242.205
    192.168.244.205
    192.168.249.205

    The switch has a 0.0.0.0 route to 192.168.249.50 (pfsense). This works on all computers, except this 1 problem.

    So in your example 192.168.240.55/24 has default gateway to 192.168.240.205. In the 192.168.240.205 L3 switch's routing table is a 0.0.0.0 (default) route to 192.168.249.50 (pfsense)

    All VLANs have been added on the pfSense with gateway 192.168.249.205 (switch).

    I need some way to debug this problem. There is no information in the firewall, and I can't really see anything in the proxy's log. Any ideas?

    Remember, I have an excellent connection to the server (ping and traceroute) but the software won't run.

    Regards Michael
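Since the thread never gets beyond "I can't see anything in the proxy's log", here is an added example (not from the thread, and not pfSense or Squid code) of what a practitioner would actually pull out of the two access.log lines that were posted. Squid's native log format is whitespace-separated: timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type. The script below parses that format, keeps only entries with an error status, and labels the two facts that matter for this case: 417 is HTTP "Expectation Failed", and a hierarchy field of NONE/- means Squid did not forward the request upstream at all, so the response was produced by the proxy itself, not relayed from 62.199.235.164. The third log line (a 200 response) is constructed for contrast; the first two are copied from the thread.

```python
"""Pick proxy-generated error responses out of a Squid native access.log.

Added example for the forum thread above; not code from pfSense, Squid or
the thread's author. Assumes Squid's default (native) access.log layout.
"""
from collections import Counter
from datetime import datetime, timezone

# First two lines copied from the thread; third line is constructed.
SAMPLE_LOG = """\
1268216381.469      0 192.168.241.113 TCP_MISS/417 1794 POST http://62.199.235.164/ATCServer/atcservice.asmx - NONE/- text/html
1268216456.311      0 192.168.241.113 TCP_MISS/417 1794 POST http://62.199.235.164/ATCServer/atcservice.asmx - NONE/- text/html
1268216460.102     35 192.168.241.113 TCP_MISS/200 5120 GET http://62.199.235.164/ATC/ATC%20-%20NT.application - DIRECT/62.199.235.164 application/x-ms-application
"""

# Reason phrases (RFC 7231 / 7235) for statuses a proxy itself commonly emits.
REASON = {
    400: "Bad Request",
    403: "Forbidden",
    407: "Proxy Authentication Required",
    417: "Expectation Failed",
    502: "Bad Gateway",
    503: "Service Unavailable",
}


def parse_line(line):
    """Split one native-format line into a dict of named fields."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError("not a Squid native log line: %r" % line)
    result_code, status = fields[3].split("/", 1)   # e.g. TCP_MISS/417
    hierarchy, peer = fields[8].split("/", 1)       # e.g. NONE/- or DIRECT/ip
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result": result_code,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "hierarchy": hierarchy,
        "peer": peer,
        "content_type": fields[9] if len(fields) > 9 else "-",
    }


def proxy_rejections(log_text, host=None):
    """Return entries with a 4xx/5xx status, optionally filtered by URL host.

    A hierarchy of NONE means Squid never contacted a peer or the origin
    server, so the status was generated by the proxy, not by the server.
    """
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if host and host not in entry["url"]:
            continue
        if entry["status"] >= 400:
            entry["reason"] = REASON.get(entry["status"], "")
            entry["generated_by_proxy"] = entry["hierarchy"] == "NONE"
            found.append(entry)
    return found


def summarize(entries):
    """Count rejections by (client, method, status, proxy-generated?)."""
    return Counter(
        (e["client"], e["method"], e["status"], e["generated_by_proxy"])
        for e in entries
    )


if __name__ == "__main__":
    hits = proxy_rejections(SAMPLE_LOG, host="62.199.235.164")
    for e in hits:
        origin = "proxy itself" if e["generated_by_proxy"] else "upstream"
        print("%s %s %s -> %d %s (answered by %s, %d ms)" % (
            e["time"].isoformat(), e["client"], e["method"], e["status"],
            e["reason"], origin, e["elapsed_ms"]))
    for key, n in summarize(hits).items():
        print("%dx" % n, key)
```

To run it against a live log instead of the embedded sample, read the file into `proxy_rejections()`; the host filter does the same job as the `grep 62.199.235.164` in the thread. The useful signal is the combination of a 4xx status, a `NONE/-` hierarchy and 0 ms elapsed: that pattern says the request never left the proxy, which points the investigation at Squid's own handling of the request rather than at the firewall rules or the server.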

