PfSense with transparent proxy not working



  • Before anyone shouts at me - I have read all the posts on this topic and I cannot seem to find the solution.  I have installed pfSense 2 beta, and am trying to set up squid as transparent proxy.  I enabled the proxy as per the pfSense tutorial (basically selected LAN interface, allow users on interface, and transparent proxy on).  I changed my web configurator to run under https on port 8443.  Whenever a client tries to connect out to a web site this happens:

    
    [root@bell ~]# telnet www.google.com 80
    Trying 66.249.90.104...
    Connected to www.google.com (66.249.90.104).
    Escape character is '^]'.
    GET / HTTP/1.1
    Host:www.google.com
    
    HTTP/1.1 301 Moved Permanently
    Location: https://www.google.com:8443/
    Content-Length: 0
    Date: Sat, 22 May 2010 02:44:53 GMT
    Server: lighttpd/1.4.26
    
    ^]
    telnet> quit
    Connection closed.
    
    

    Why is pfSense trying to redirect to my web configurator port 8443?



  • I suspect this has something to do with the web configurator listening on port 80 to redirect HTTP to HTTPS.  I'm not aware of there being a way to disable it.  I might take a look at it to see if there is an easy way to resolve this.



  • It was suggested that you may have your proxy configured on port 80.  I've been informed that you do not need it to be on port 80, and if you leave it at the default port it should be fine.



  • Proxy is at the default 3128.


  • Rebel Alliance Developer Netgate

    What is the output of "pfctl -sn" when you have transparent proxy enabled? And what is the date of the 2.0 BETA snapshot you are using?



  • Can you please try the latest snapshot and go to the System->Advanced settings and check disable webConfigurator redirect?



  • 
    # pfctl -sn
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on vr1 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
    nat on vr1 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> 92.25.211.244 port 500
    nat on vr1 inet from 192.168.0.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
    nat on vr1 inet from 192.168.1.0/24 port = 5060 to any port = 5060 -> 92.25.211.244 port 5060
    nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
    nat on vr1 inet from 192.168.1.0/24 to any -> 92.25.211.244 port 1024:65535
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr on vr1 inet proto tcp from any to any port = 8081 -> 192.168.0.72 port 8080
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8081 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on vr1 inet proto tcp from any to any port = 13091 -> 192.168.0.38
    rdr on vr1 inet proto udp from any to any port = 13091 -> 192.168.0.38
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on em0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on vr0 inet proto udp from any to 92.25.211.244 port = 13091 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
    rdr on vr1 inet proto tcp from any to any port = rsh-spx -> 192.168.0.20 port 22
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = rsh-spx tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on vr1 inet proto tcp from any to any port = 3390 -> 192.168.0.39 port 3389
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3390 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on vr1 inet proto tcp from any to any port = 5721 -> 192.168.0.39
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 5721 tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on vr1 inet proto tcp from any to any port = https -> 192.168.0.39
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
    rdr on vr1 inet proto tcp from any to any port = 3395 -> 192.168.0.38 port 3389
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 3395 tag PFREFLECT -> 127.0.0.1 port 19007
    rdr on vr1 inet proto tcp from any to any port = 8069 -> 192.168.0.50 port 80
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8069 tag PFREFLECT -> 127.0.0.1 port 19008
    rdr on vr1 inet proto tcp from any to any port = 8088 -> 192.168.1.45 port 80
    rdr on em0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
    rdr on vr0 inet proto tcp from any to 92.25.211.244 port = 8088 tag PFREFLECT -> 127.0.0.1 port 19009
    no rdr on em0 inet proto tcp from any to 192.168.0.0/16 port = http
    no rdr on em0 inet proto tcp from any to 172.16.0.0/12 port = http
    no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
    no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
    no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
    no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
    rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80
    rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
    rdr-anchor "miniupnpd" all
    
    

    Will try latest snapshot
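    The posted pfctl -sn output can be walked by hand, but the following added Python script (not from this thread and not pfSense's own code) models pf's translation-rule semantics over an excerpt of those rules: the first matching rdr rule decides, and a matching "no rdr" rule stops evaluation without translating. It assumes vr0 is the LAN interface at 192.168.0.1 and em0 a second inside interface at 192.168.1.1 (neither address is stated in the thread; 92.25.211.244 is the WAN address taken from the posted nat rules), and it maps the service names pf prints (http, https, isakmp) back to port numbers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names that pf prints in "pfctl -sn" output instead of numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "isakmp": 500}

# Assumed interface addresses (not stated in the thread): vr0 treated as LAN,
# em0 as a second inside interface; vr1's address comes from the nat rules.
IFACE_ADDRS = {
    "vr0": ipaddress.ip_address("192.168.0.1"),
    "em0": ipaddress.ip_address("192.168.1.1"),
    "vr1": ipaddress.ip_address("92.25.211.244"),
}

# Excerpt of the rdr/nat lines posted in the thread (vr0 rules plus context).
SAMPLE_PFCTL_SN = """
nat-anchor "natearly/*" all
nat on vr1 inet from 192.168.0.0/24 to any -> 92.25.211.244 port 1024:65535
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.0.39
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on vr0 inet proto tcp from any to 92.25.211.244 port = https tag PFREFLECT -> 127.0.0.1 port 19006
no rdr on vr0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on vr0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on vr0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on vr0 inet proto tcp from any to ! (vr0) port = http -> 127.0.0.1 port 80
rdr-anchor "miniupnpd" all
"""

RULE_RE = re.compile(
    r"^(?P<no>no )?rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>! \(\S+\)|\S+)"
    r"(?: port = (?P<port>\S+))?"
    r"(?: tag \S+)?"
    r"(?: -> (?P<tgt>\S+)(?: port (?P<tgtport>\S+))?)?$"
)


@dataclass
class RdrRule:
    text: str
    negate: bool               # True for a "no rdr" rule
    iface: str
    proto: str
    dst: str                   # "any", an address/CIDR, or "! (ifname)"
    port: Optional[int]        # None means any destination port
    target_ip: Optional[str]
    target_port: Optional[int]  # None means keep the original port


def port_number(token: str) -> int:
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_rdr_rules(pfctl_output: str):
    """Extract rdr / no rdr rules in order; nat rules and anchors are skipped."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append(RdrRule(
            text=line.strip(),
            negate=m.group("no") is not None,
            iface=m.group("iface"),
            proto=m.group("proto"),
            dst=m.group("dst"),
            port=port_number(m.group("port")) if m.group("port") else None,
            target_ip=m.group("tgt"),
            target_port=port_number(m.group("tgtport")) if m.group("tgtport") else None,
        ))
    return rules


def dst_matches(dst: str, ip: ipaddress.IPv4Address) -> bool:
    if dst == "any":
        return True
    neg = re.fullmatch(r"! \((\S+)\)", dst)
    if neg:  # "! (vr0)" means: not addressed to the interface itself
        return ip != IFACE_ADDRS[neg.group(1)]
    return ip in ipaddress.ip_network(dst, strict=False)


def first_match(rules, iface: str, proto: str, dst_ip: str, dst_port: int):
    """pf translation semantics: the first matching rule decides.
    Returns ("ip:port", rule_text) for a redirect, (None, rule_text) when a
    "no rdr" rule excluded the packet, and (None, None) when nothing matched."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface or r.proto != proto:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if not dst_matches(r.dst, ip):
            continue
        if r.negate:
            return None, r.text
        port = r.target_port if r.target_port is not None else dst_port
        return f"{r.target_ip}:{port}", r.text
    return None, None


if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_PFCTL_SN)
    # A LAN client (on vr0) reaching the google address from the telnet session,
    # the firewall's public address, and an internal server, all on port 80.
    for dst in ("66.249.90.104", "92.25.211.244", "192.168.0.39"):
        print(dst, "->", first_match(rules, "vr0", "tcp", dst, 80))
```

    Run as a script it shows the three outcomes that matter here: a LAN client's request to an outside web server falls through to the last rule and is redirected to 127.0.0.1:80, the transparent-proxy target, which is the same local port an earlier reply suspects the webConfigurator's HTTP-to-HTTPS redirect is listening on; a request to the public address 92.25.211.244 is caught by the PFREFLECT rule first and never reaches the transparent rule, which is why testing with NAT reflection disabled isolates the proxy; and a request to 192.168.0.39 hits a "no rdr" rule and is left untranslated.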


  • Rebel Alliance Developer Netgate

    Looking at that, you may want to disable NAT reflection instead.



  • And use split DNS instead?


  • Rebel Alliance Developer Netgate

    Well try it as a test and see if it makes a difference.

    If it does, perhaps the NAT reflection code may need to be adjusted to accommodate this kind of scenario.



  • Hmm, split DNS does not work reliably for me so I cannot use it. It made no difference.

    When I disable NAT reflection and add a domain monitoring.xxx.com to my split DNS config I get round-robined between my public IP and the internal one, no matter how I flush the DNS cache or reboot:

    waldo@vcs ~ $ ping monitoring.xxx.com
    PING monitoring.xxx.com (192.168.0.39): 56 data bytes
    64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.448 ms
    ^C
    --- monitoring.fhblack.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.448/0.448/0.448/0.000 ms
    waldo@vcs ~ $ ping monitoring.xxx.com
    PING monitoring.xxx.com (192.168.0.39): 56 data bytes
    64 bytes from 192.168.0.39: icmp_seq=0 ttl=128 time=0.392 ms
    ^C
    --- monitoring.fhblack.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.392/0.392/0.392/0.000 ms
    waldo@vcs ~ $ ping monitoring.xxx.com
    PING yyy.dyndns.org (92.25.211.244): 56 data bytes
    64 bytes from 92.25.211.244: icmp_seq=0 ttl=64 time=0.312 ms
    64 bytes from 92.25.211.244: icmp_seq=1 ttl=64 time=0.351 ms
    ^C
    --- sram.dyndns.org ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.312/0.332/0.351/0.019 ms
    
    

  • Rebel Alliance Developer Netgate

    Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

    Did your transparent proxy work with NAT reflection off?



  • @jimp:

    Disabling NAT reflection was only to test whether or not your transparent proxy worked, not a test of split DNS.

    Did your transparent proxy work with NAT reflection off?

    I know that is why I replied:

    "Hmm Split DNS does not work reliably for me so I cannot use it. It made no difference."

    That referred to the transparent proxy testing.


  • Rebel Alliance Developer Netgate

    That was not at all clear from what you wrote, sorry.

    The output of pfctl -sn with NAT reflection disabled may help, but you might want to wait until the next snapshot (or gitsync) and try to disable the https webgui redirect.



  • Sorry if I was unclear.

    Will wait for the next build and try it.

