2.0-BETA3 and squid transparent proxy



  • Hi all,

    I've been breaking my back on this problem for the last … I can't remember how long. I can't get squid running in transparent mode, no matter what. I'm at a point where I'm just going to give up and jump off a cliff ... seriously ! ..  ::)

    Anyway, I've got three interfaces: a LAN, a WAN and a WUG. This WUG interface is connected to a large private network via radio links. I've enabled squid only on the LAN interface. When I use port 3128 (the default) in my browser with transparent switched off, it works 100%. The access.log file in the /var/squid/log/ folder gets updated and everything is just happiness ... and that's as far as squid working on the latest release (today's date; I've just downloaded the latest "2.0-BETA3 built on Tue Jul 27 00:04:45 EDT 2010") is concerned.

    If I enable the transparent flag in the UI, absolutely nothing happens ... nothing ... ? The access.log file stops expanding and everybody can still happily browse wherever they like. With nothing cached via squid.

    Here's the output of pfctl -sn

    
    # pfctl -sn
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on re1 inet from 10.0.0.0/24 to any port = isakmp -> 192.168.0.2 static-port
    nat on re1 inet from 10.0.0.0/24 to any port = 5060 -> 192.168.0.2 static-port
    nat on re1 inet from 10.0.0.0/24 to any -> 192.168.0.2 port 1024:65535
    nat on re1 inet from 172.25.69.112/29 to any port = isakmp -> 192.168.0.2 static-port
    nat on re1 inet from 172.25.69.112/29 to any port = 5060 -> 192.168.0.2 static-port
    nat on re1 inet from 172.25.69.112/29 to any -> 192.168.0.2 port 1024:65535
    nat on re2 inet from 10.0.0.0/24 to 172.16.0.0/12 -> 172.25.69.115 port 1024:65535
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr pass on re0 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
    rdr on re2 inet proto tcp from any to any port = 21021 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21021 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21021 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on re2 inet proto tcp from any to any port = 21022 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21022 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21022 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on re2 inet proto tcp from any to any port = 21023 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21023 tag PFREFLECT -> 127.0.0.1 port 19002
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21023 tag PFREFLECT -> 127.0.0.1 port 19002
    rdr on re2 inet proto tcp from any to any port = 22022 -> 10.0.0.3
    rdr on re2 inet proto udp from any to any port = 22022 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on re0 inet proto udp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on pptp inet proto udp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on re2 inet proto tcp from any to any port = 26000 -> 10.0.0.3
    rdr on re2 inet proto udp from any to any port = 26000 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on re0 inet proto udp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on pptp inet proto udp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
    rdr on re2 inet proto tcp from any to any port = http -> 10.0.0.3 port 8080
    rdr on re2 inet proto udp from any to any port = http -> 10.0.0.3 port 8080
    rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on re0 inet proto udp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on pptp inet proto udp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
    rdr on re1 inet proto tcp from any to any port = 22022 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 192.168.0.0/24 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19006
    rdr on pptp inet proto tcp from any to 192.168.0.0/24 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19006
    rdr on re1 inet proto tcp from any to any port = 8000 -> 10.0.0.3
    rdr on re0 inet proto tcp from any to 192.168.0.0/24 port = 8000 tag PFREFLECT -> 127.0.0.1 port 19007
    rdr on pptp inet proto tcp from any to 192.168.0.0/24 port = 8000 tag PFREFLECT -> 127.0.0.1 port 19007
    rdr-anchor "miniupnpd" all
    
    

    Can anybody just give me some pointers as to where to go next. (Hopefully not to hell)  :P



  • Yeah I encountered this problem too. You basically need to tell pfSense to set an introspective NAT rule to forward traffic to squid:

    1. Go to Firewall -> NAT
    2. Click + to add a Port Forward rule
    3. Change Interface to the interface that squid is listening on (i.e. your LAN)
    4. Set Protocol to TCP
    5. Set Source to the subnet of the interface you set in step 3.
    6. Under Destination, check the NOT box
    7. Under Destination select the interface address
    NB: This is important to avoid a potential forwarding loop and to ensure clients can connect to squid's socket legitimately too
    8. Set port range to HTTP - HTTP
    9. Set Redirect target IP to 127.0.0.1
    10. Set Redirect target port to HTTP
    11. Set Filter Rule Association to None (no need to set a FW rule since it should allow traffic from LAN->WAN anyway)
    12. Press Save and Apply

    Repeat for any other interfaces and / or protocols you are proxying (i.e. SSL or FTP)

    This forces pf to forward all HTTP traffic to localhost:80, which is what squid's tranny is listening on…



  • Dude ….. YOU'RE MY HERO !!!!!!!!!!!!!!!!!!

    WHOOOOHOOOOOOOOOOOOOOOOOOOOOOOO !!!!!!!!!!!

    Thanks man .... I thought I'd never get this going !

    Gjeeeeeeesssssssssssss !

    Awesome !

    Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you !


  • Rebel Alliance Developer Netgate

    This should be handled automatically by the package, though. If that isn't working, there may be a problem with the package yet.



  • @jimp:

    This should be handled automatically by the package, though. If that isn't working, there may be a problem with the package yet.

    It should be handled automatically, but does it actually set a rule specifically or does it just set up the socket?

    Squid isn't the only package to have problems - OpenVPN can have issues if there's a conflict where pf is actively managing the same interface, and Clamd and HAVP both have the same problem as squid. I haven't looked into precise rulesets and conflicts, since OVPN sometimes works, sometimes doesn't when on different interfaces, but if you set the rule, it always works.


  • Rebel Alliance Developer Netgate

    Squid should be adding a NAT rule. It does for me, and it looks like this in pfctl -sn:

    rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 80
    

    If you can replicate the OpenVPN issue, open a ticket.

    As for clamd/havp, I haven't used them enough to comment.

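The port-forward recipe above and the rdr line jimp quotes describe the same thing: a loop-safe redirect of port-80 TCP on the LAN interface to squid on 127.0.0.1:80, with the destination negated to the interface's own address so that clients talking to the proxy port directly are not redirected again. The script below is an added example, not code from the thread or from the pfSense squid package: it prints the rule as you would write it by hand and checks a saved `pfctl -sn` ruleset for the rule on a given interface, distinguishing "missing" from "present but with `to any`", which would also catch traffic aimed at the firewall itself. The interface names and the ruleset sample are constructed for the example; `pfctl` normalises `!(em1)` to `! (em1)` in its output, which is why the check matches the latter form.

```shell
#!/bin/sh
# Added example: verify the transparent-squid rdr rule in a pfctl -sn dump.
# Not part of the thread or the pfSense package; interface names and the
# sample ruleset below are constructed for illustration.

# Constructed sample of `pfctl -sn` output: a correct rule on em1, an
# unsafe "to any" rule on em2, and nothing at all on em0.
SAMPLE_RULES='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 80
rdr on em2 inet proto tcp from any to any port = http -> 127.0.0.1 port 80
rdr on em1 inet proto tcp from any to any port = 22022 -> 10.0.0.3'

# squid_rdr_rule IFACE
# Print the hand-written rule for IFACE in the shape squid.inc uses, suitable
# for pasting into /tmp/rules.debug before `pfctl -f /tmp/rules.debug`.
squid_rdr_rule() {
    printf 'rdr on %s proto tcp from any to !(%s) port 80 -> 127.0.0.1 port 80\n' "$1" "$1"
}

# check_squid_rdr IFACE  (ruleset on stdin, e.g. `pfctl -sn | check_squid_rdr em1`)
# Prints one word and returns:
#   ok        (0) loop-safe rule present: tcp, dst port http, dst negated to
#                 the interface address, redirected to 127.0.0.1 port 80
#   loop-risk (2) a port-80 redirect to loopback exists but its destination
#                 is "any", so traffic to the firewall itself is redirected too
#   missing   (1) no port-80 redirect to loopback on that interface
check_squid_rdr() {
    iface=$1
    rules=$(cat)
    safe="^rdr on ${iface} inet proto tcp from any to ! \(${iface}\) port = http -> 127\.0\.0\.1 port 80"
    unsafe="^rdr on ${iface} inet proto tcp from any to any port = http -> 127\.0\.0\.1 port 80"
    if printf '%s\n' "$rules" | grep -qE "$safe"; then
        echo ok
        return 0
    elif printf '%s\n' "$rules" | grep -qE "$unsafe"; then
        echo loop-risk
        return 2
    else
        echo missing
        return 1
    fi
}

# Stand-alone run over the constructed sample.
squid_rdr_rule em1
for i in em0 em1 em2; do
    printf '%s: ' "$i"
    printf '%s\n' "$SAMPLE_RULES" | check_squid_rdr "$i" || true
done
```

On a live box replace the sample with `pfctl -sn | check_squid_rdr <lan-iface>`; if it reports "missing" after enabling the transparent flag, the package did not install its rule and the manual port forward described earlier (or the hand-written line) is the workaround.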


  • I ran into this issue recently with 2.0-Beta4

    First, the web interface wants subnets as x.x.x.x/y, but the squid config file is expecting x.x.x.x/m.m.m.m,
    and while the acl is added, the "http_access allow allowed_subnets" line is not added to the squid.conf file.
    So anybody connecting to the proxy is rejected.

    I tried adding an outbound NAT rule via the web interface but could not seem to get one that worked.
    I looked at squid.inc and found the rdr rule that it wants to add.
    $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";

    I added this rule to /tmp/rules.debug and reloaded pf just to see if that would do it, and indeed that
    redirect does work. The access.log for squid showed activity coming from the various machines on my network.

    I'm not much of a php person so I'm a bit lost when it comes to debugging things and trying to figure
    out why it is not working as expected.
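The post above reports two gaps in the generated squid.conf: subnets in the x.x.x.x/y form the UI accepts rather than the x.x.x.x/m.m.m.m form the poster says squid expects, and no `http_access allow allowed_subnets` line. The script below is an added example, not code from the thread or from the pfSense squid package: it converts the prefix-length form into dotted-netmask form and emits the acl block together with the missing http_access line, so the result can be compared against what squid.inc actually wrote. The acl name `allowed_subnets` comes from the post; the subnets and function names are assumed for the example.

```shell
#!/bin/sh
# Added example: emit squid "allowed_subnets" acl lines in dotted-netmask
# form plus the http_access line. Not from the thread or the pfSense
# package; the input subnets below are constructed for illustration.

# prefix_to_mask PREFIXLEN  ->  dotted netmask (24 -> 255.255.255.0)
# Returns 1 for anything outside 0..32.
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] 2>/dev/null && [ "$p" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        bits=$((p - i * 8))          # prefix bits that fall in this octet
        if [ "$bits" -ge 8 ]; then
            octet=255
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            octet=$((256 - (1 << (8 - bits))))
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# cidr_to_squid NET/PREFIX  ->  NET/DOTTED-MASK (10.0.0.0/24 -> 10.0.0.0/255.255.255.0)
# Returns 1 if the argument has no "/" or the prefix length is invalid.
cidr_to_squid() {
    net=${1%/*}
    pfx=${1#*/}
    [ "$pfx" != "$1" ] || return 1
    m=$(prefix_to_mask "$pfx") || return 1
    printf '%s/%s\n' "$net" "$m"
}

# squid_acl_block "NET/PREFIX NET/PREFIX ..."
# One acl line per subnet, then the http_access line the post says is
# missing from the generated squid.conf.
squid_acl_block() {
    for c in $1; do
        conv=$(cidr_to_squid "$c") || { echo "bad subnet: $c" >&2; return 1; }
        printf 'acl allowed_subnets src %s\n' "$conv"
    done
    printf 'http_access allow allowed_subnets\n'
}

# Stand-alone run with constructed subnets (the LAN and WUG ranges from the
# original poster's pfctl output).
squid_acl_block "10.0.0.0/24 172.25.69.112/29"
```

Run it with the subnets you entered in the package UI and diff the output against the acl section of the generated squid.conf; a missing `http_access allow allowed_subnets` line, or acl entries still in /y form, points at the generator rather than at pf.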

