    Squid with transparent proxy - firewall rules bypassed

    2.0-RC Snapshot Feedback and Problems - RETIRED
    13 Posts 2 Posters 9.0k Views
    OyyoDams

      Hi,

      I read that since 2.0, firewall rules are applied before the squid transparent proxy mechanism. But I have the following problem:

      • squid is setup in transparent mode
      • for some reasons, I need to add some specific rules for some HTTP destinations

      It worked some beta versions ago, but now when the transparent proxy is activated, the firewall is bypassed on port 80.
      When I switch transparent proxy mode off, firewall rules are applied again.

      Any help?

      BTW I use i386

      OyyoDams

        No idea ?

        Ok let me try to explain better.

        I have a permanent OpenVPN connection to an external ISP which is my default route. So all my traffic is sent to OPT1.
        But I need to access some websites through the WAN interface (not via the VPN).

        This works perfectly when I add specific rules in firewall without using squid.

        But now I want to add a transparent proxy.

        The problem is squid doesn't take care of firewall rules. So when the transparent proxy is activated, all my HTTP traffic is sent to OPT1.
        I found a way to make it work by adding static routes, but I don't like it for 2 reasons:

        • I'd prefer to use firewall rules instead of static routes
        • Static routes are sometimes reset; I don't know exactly when for now, I suspect it happens when the OpenVPN connection is re-established. In this case, I have to reload the routing configuration manually.

        So is there any way to apply firewall rules before squid?

        I really hope for an answer!

        Thanks in advance.

        eri--

          Just put rules on port forward for the subnets/interfaces you do not want to go to squid, as a NO port forward from this subnet to any.

          OyyoDams

            Thanks for your answer.

            What do you mean exactly?
            I don't want to exclude a LAN network from squid, I just want squid to reach some websites via another route than the default gateway.
            I tried to add the IP addresses or networks of these websites on the "Firewall: NAT: Outbound" page, but same thing, it seems squid doesn't take care of it.

            And I'd like to log all HTTP traffic, so I don't want to bypass squid for some websites. Once again, here is what I'd like:

            • all HTTP traffic goes transparently through squid
            • based on firewall rules, squid then may have different gateway(s) for some addresses

            Is it possible, and how?

            Thanks a lot!

            eri--

              It should be possible with Floating rules.
              Create a rule with source address the WAN address and destination the remote sites, and gateway the one they should go through.

              OyyoDams

                That's the same thing: squid intercepts HTTP traffic before the firewall, so even with floating rules, it doesn't work.

                eri--

                  Ok if you say so.  ;D
                  But the rule on the floating tab should have direction out and no interface selected.

                  OyyoDams

                    Ok, I just tried. The problem when I check the firewall logs is that my source address is the one assigned by the OpenVPN connection.
                    If I put WAN address as source address, the rule is not applied.
                    If I put "any" as source address, then the rule seems to be applied according to the log, but when I check my IP address on an online website, it's still the OpenVPN one.

                    So it seems squid intercepts traffic (because the webpage is loaded) through the default gateway, and the firewall can't do anything even if it appears in the logs.

                    Sorry for my English :)

                    OyyoDams

                      Well, the page was loaded from the squid cache. But here is the final result:
                      The firewall tries to send packets from the OpenVPN WAN IP to the real WAN gateway. It can't work, and squid just says network timeout.

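One way to confirm the mismatch OyyoDams describes above from the firewall's own state table, added here as an example and not taken from the thread or from pfSense: it scans `pfctl -ss`-style state lines for TCP states that sit on the WAN interface but carry the OpenVPN-assigned source address. The interface name em0, the address 10.8.0.6, the assumption that a route-to'd state is recorded on the WAN interface, and the sample state lines are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): flag TCP states that were
# routed out the WAN interface while still carrying the address the OpenVPN
# client assigned, which is the "wrong source IP to the real WAN gateway"
# situation described in the thread. Names and addresses are assumptions.
WAN_IF="em0"          # assumed WAN interface name
VPN_SRC="10.8.0.6"    # assumed address assigned by the OpenVPN connection

# Constructed sample of `pfctl -ss` output, in the form
# "<iface> <proto> <src>:<port> -> <dst>:<port> <state>" (not a real capture).
# Line 2 is the failing case: WAN interface, VPN source, SYN never answered.
SAMPLE_STATES='ovpnc1 tcp 10.8.0.6:51234 -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
em0 tcp 10.8.0.6:51235 -> 198.51.100.20:80       SYN_SENT:CLOSED
em0 tcp 192.0.2.2:51236 -> 198.51.100.21:80       ESTABLISHED:ESTABLISHED'

# Print the destination of every TCP state on $WAN_IF whose source address
# is $VPN_SRC. On a live firewall feed it `pfctl -ss` output instead of the
# sample, e.g. find_mismatched_states "$(pfctl -ss)".
find_mismatched_states() {
    printf '%s\n' "$1" | awk -v wanif="$WAN_IF" -v vpn="$VPN_SRC" '
        $1 == wanif && $2 == "tcp" {
            split($3, src, ":")      # separate address from source port
            if (src[1] == vpn) print $5
        }'
}

# Number of mismatched states; 0 means every WAN state uses a WAN source.
count_mismatched_states() {
    find_mismatched_states "$1" | awk 'END { print NR }'
}

echo "States leaving $WAN_IF with source $VPN_SRC:"
find_mismatched_states "$SAMPLE_STATES"
echo "Count: $(count_mismatched_states "$SAMPLE_STATES")"
```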
                      eri--

                        You have to draw a scheme/diagram of what you want to do, otherwise I am blind on your request.

                        OyyoDams

                          LOL you're right :)

                          Let's try a diagram:

                          Also here is the last configuration I tried:

                          eri--

                            Show me even the interface configuration.

                            OyyoDams

                              For sure!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.