2.0-BETA3 and squid transparent proxy
-
Hi all,
I've been breaking my back on this problem for the last … I can't remember how long. I can't get squid running in transparent mode, no matter what. I'm at a point where I'm just going to give up and jump off a cliff ... seriously ! .. ::)
Anyway, I've got 3 interfaces. A LAN / WAN and WUG. This WUG interface is connected to a large private network via radio links. I've enabled squid only on the LAN interface. When I use the port 3128 (default) in my browser with the transparent switched off, it works 100%. The access.log file in the /var/squid/log/ folder gets updated and everything is just happiness ... and that's as far as squid working on the latest release (today's date, I've just downloaded the latest "2.0-BETA3 built on Tue Jul 27 00:04:45 EDT 2010") is concerned.
If I enable the transparent flag in the UI, absolutely nothing happens ... nothing ... ? The access.log file stops expanding and everybody can still happily browse wherever they like. With nothing cached via squid.
Here's the output of pfctl -sn
# pfctl -sn
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on re1 inet from 10.0.0.0/24 to any port = isakmp -> 192.168.0.2 static-port
nat on re1 inet from 10.0.0.0/24 to any port = 5060 -> 192.168.0.2 static-port
nat on re1 inet from 10.0.0.0/24 to any -> 192.168.0.2 port 1024:65535
nat on re1 inet from 172.25.69.112/29 to any port = isakmp -> 192.168.0.2 static-port
nat on re1 inet from 172.25.69.112/29 to any port = 5060 -> 192.168.0.2 static-port
nat on re1 inet from 172.25.69.112/29 to any -> 192.168.0.2 port 1024:65535
nat on re2 inet from 10.0.0.0/24 to 172.16.0.0/12 -> 172.25.69.115 port 1024:65535
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr pass on re0 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
rdr on re2 inet proto tcp from any to any port = 21021 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21021 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21021 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on re2 inet proto tcp from any to any port = 21022 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21022 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21022 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on re2 inet proto tcp from any to any port = 21023 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 21023 tag PFREFLECT -> 127.0.0.1 port 19002
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 21023 tag PFREFLECT -> 127.0.0.1 port 19002
rdr on re2 inet proto tcp from any to any port = 22022 -> 10.0.0.3
rdr on re2 inet proto udp from any to any port = 22022 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
rdr on re0 inet proto udp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
rdr on pptp inet proto udp from any to 172.25.69.112/29 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19003
rdr on re2 inet proto tcp from any to any port = 26000 -> 10.0.0.3
rdr on re2 inet proto udp from any to any port = 26000 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on re0 inet proto udp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on pptp inet proto udp from any to 172.25.69.112/29 port = 26000 tag PFREFLECT -> 127.0.0.1 port 19004
rdr on re2 inet proto tcp from any to any port = http -> 10.0.0.3 port 8080
rdr on re2 inet proto udp from any to any port = http -> 10.0.0.3 port 8080
rdr on re0 inet proto tcp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
rdr on re0 inet proto udp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
rdr on pptp inet proto tcp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
rdr on pptp inet proto udp from any to 172.25.69.112/29 port = http tag PFREFLECT -> 127.0.0.1 port 19005
rdr on re1 inet proto tcp from any to any port = 22022 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 192.168.0.0/24 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19006
rdr on pptp inet proto tcp from any to 192.168.0.0/24 port = 22022 tag PFREFLECT -> 127.0.0.1 port 19006
rdr on re1 inet proto tcp from any to any port = 8000 -> 10.0.0.3
rdr on re0 inet proto tcp from any to 192.168.0.0/24 port = 8000 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on pptp inet proto tcp from any to 192.168.0.0/24 port = 8000 tag PFREFLECT -> 127.0.0.1 port 19007
rdr-anchor "miniupnpd" all
Can anybody just give me some pointers as to where to go next? (Hopefully not to hell) :P
-
Yeah I encountered this problem too. You basically need to tell pfSense to set an introspective NAT rule to forward traffic to squid:
1. Go to Firewall -> NAT
2. Click + to add a Port Forward rule
3. Change Interface to the interface that squid is listening on (ie your LAN)
4. Set Protocol to TCP
5. Set Source to the subnet of the interface you set in 3.
6. Under Destination, check the NOT box
7. Under Destination select the interface address
NB: This is important to avoid a potential forwarding loop and to ensure clients can connect to squid's socket legitimately too
8. Set port range to HTTP - HTTP
9. Set Redirect target IP to 127.0.0.1
10. Set Redirect target port to HTTP
11. Set Filter Rule Association to None (no need to set a FW rule since it should allow traffic from LAN->WAN anyway)
12. Press Save and Apply.
Repeat for any other interfaces and / or protocols you are proxying (ie SSL or FTP)
This forces pf to forward all HTTP traffic to localhost:80, which is what squid's tranny is listening on…
-
Dude ….. YOU'RE MY HERO !!!!!!!!!!!!!!!!!!
WHOOOOHOOOOOOOOOOOOOOOOOOOOOOOO !!!!!!!!!!!
Thanks man .... I thought I'd never get this going!
Gjeeeeeeesssssssssssss !
Awesome !
Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you , Thanks you !
-
This should be handled automatically by the package, though. If that isn't working, there may be a problem with the package yet.
-
This should be handled automatically by the package, though. If that isn't working, there may be a problem with the package yet.
It should be handled automatically, but does it actually set a rule specifically or does it just set up the socket?
Squid isn't the only package to have problems - OpenVPN can have issues if there's a conflict where pf is actively managing the same interface, and Clamd and HAVP both have the same problem as squid. I haven't looked into precise rulesets and conflicts, since OVPN sometimes works, sometimes doesn't when on different interfaces, but if you set the rule, it always works.
-
Squid should be adding a NAT rule. It does for me, and it looks like this in pfctl -sn:
rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 80
If you can replicate the OpenVPN issue, open a ticket.
As for clamd/havp, I haven't used them enough to comment.
-
I ran into this issue recently with 2.0-Beta4.
First, the way the web interface wants subnets is x.x.x.x/y but the squid config file is expecting x.x.x.x/m.m.m.m,
and while the acl is added, the "http_access allow allowed_subnets" line is not added to the squid.conf file.
So anybody connecting to the proxy is rejected. I tried adding an outbound NAT rule via the web interface but could not seem to get one that worked.
I looked at squid.inc and found the rdr rule that it wants to add.
$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
I added this rule to /tmp/rules.debug and reloaded pf just to see if that would do it, and indeed that redirect does work. The access.log for squid showed activity coming from the various machines on my network. I'm not much of a php person so I'm a bit lost when it comes to debugging things and trying to figure out why it is not working as expected.
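The two squid.conf defects this post describes, as an added Python example (not code from the thread or from the pfSense squid package): `cidr_to_squid_src` rewrites the x.x.x.x/y form the web interface stores into the x.x.x.x/m.m.m.m form the poster found squid expecting, `render_allowed_subnets` emits the acl lines together with the `http_access allow` line that was missing, and `unreferenced_acls` is a lint that flags exactly that missing-allow state in a config fragment. The squid.conf fragments are constructed to mimic the broken and repaired states.

```python
import ipaddress
import re
from typing import List


def cidr_to_squid_src(cidr: str) -> str:
    """Turn the x.x.x.x/y the pfSense UI stores into the x.x.x.x/m.m.m.m form
    the poster found squid.conf expecting. Host bits are masked off."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}/{net.netmask}"


def render_allowed_subnets(cidrs: List[str], acl_name: str = "allowed_subnets") -> str:
    """Emit the acl lines AND the http_access line that the package left out."""
    lines = [f"acl {acl_name} src {cidr_to_squid_src(c)}" for c in cidrs]
    lines.append(f"http_access allow {acl_name}")
    return "\n".join(lines) + "\n"


ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+")
HTTP_ACCESS_RE = re.compile(r"^\s*http_access\s+(?:allow|deny)\s+(.+?)\s*$")


def unreferenced_acls(squid_conf: str) -> List[str]:
    """Names defined with 'acl' that no http_access line uses. A src acl in this
    list is the symptom described: defined, but never allowed, so clients are rejected."""
    defined: List[str] = []
    referenced = set()
    for raw in squid_conf.splitlines():
        line = raw.split("#", 1)[0]           # drop comments
        m = ACL_RE.match(line)
        if m:
            if m.group(1) not in defined:
                defined.append(m.group(1))
            continue
        m = HTTP_ACCESS_RE.match(line)
        if m:
            for token in m.group(1).split():  # handles "deny !Safe_ports" style negation
                referenced.add(token.lstrip("!"))
    return [name for name in defined if name not in referenced]


# Constructed squid.conf fragment reproducing the poster's broken state:
# the acl is present, the "http_access allow allowed_subnets" line is not.
BROKEN_CONF = """\
acl allowed_subnets src 10.0.0.0/255.255.255.0
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny all
"""

# Constructed repaired fragment: the allow line must precede "deny all",
# because http_access rules are evaluated first-match.
FIXED_CONF = (
    "acl Safe_ports port 80 443\n"
    "http_access deny !Safe_ports\n"
    + render_allowed_subnets(["10.0.0.0/24", "172.25.69.112/29"])
    + "http_access deny all\n"
)

if __name__ == "__main__":
    print("broken:", unreferenced_acls(BROKEN_CONF))
    print("fixed: ", unreferenced_acls(FIXED_CONF))
    print(FIXED_CONF)
```

Running `unreferenced_acls` over the package-generated squid.conf after a change in the web interface is a quick way to confirm the allow line made it into the file before you start chasing the pf side.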