Traffic Redirection with Port Forwards
-
Hello!
I'm redirecting my web traffic to an external squid attached to a new OPT interface.
Not problem (see attached image) for 80 and 443 ports.
But I want to redirect also the range 8000-8100. In this case I can't put 3128 at Local port box. The WebGUI automatically puts 3128-3228.
Any idea?
Using 1.2.3 version.
Regards,
Josep Pujadas
-
When you redirect a range, the target cannot be a single port. You can only redirect a range to a range. If you want a bunch of ports to all go to the same IP:port pair, you need individual rules, or a port alias might work (though again it may need individual ports listed and not a range)
-
jimp
1. I created an alias with 80, 443 and 8000:8100 ports.
2. I put the alias at External port range.
3. I put 3128 at Local port.WebGUI accepted this configuration and I can see at console (partial listing):
pfctl -s nat
rdr on em0 inet proto tcp from any to any port = http -> 192.168.2.12 port 3128
rdr on em0 inet proto tcp from any to any port = https -> 192.168.2.12 port 3128
rdr on em0 inet proto tcp from any to any port 8000:8100 -> 192.168.2.12 port 3128I think this should work. Do you agree?
Regards,
Josep Pujadas
-
No, because the target port is considered the "starting" port of the destination range, from what I remember.
-
Ok, thanks!
-
Considering the output of pfctl -s nat, I think that should work, actually.
-
Thanks, but finally I implemented another solution.
I wanted to redirect 80, 443 and 8000-8100 to an external squid+squidguard proxy.
But the problem is that a redirected external proxy requires to be configured as transparent.
I don't like transparent proxies.
Finally, I used WPAD detection based on DNS records in my network:
http://forum.pfsense.org/index.php/topic,29452.0.html
Thanks,
Josep Pujadas
-
Hi, Im having your problems, Im using an external squid proxy transparent + dansguardian
Testing with squid + dansgaurdian is working fine on browser setting.
But when using NAT to redirect to squid I got these errorsThe following error was encountered:- Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.Your cache administrator is root.
And log on squid box
1290738384.951 2 10.0.10.3 TCP_NEGATIVE_HIT/504 1903 GET http://thoisuso.net/tin-khoa-hoc/hoi-nghi-tai-nga-mang-den-hy-vong-cho-loai-ho.html - NONE/- text/html
1290738385.998 2 10.0.10.3 TCP_NEGATIVE_HIT/504 1903 GET http://thoisuso.net/tin-khoa-hoc/hoi-nghi-tai-nga-mang-den-hy-vong-cho-loai-ho.html - NONE/- text/html
1290738397.254 2 10.0.10.3 TCP_DENIED/504 1569 GET http://thoisuso.net/ - NONE/- text/html
1290738397.256 9 10.0.10.3 TCP_MISS/504 1670 GET http://thoisuso.net/ - DIRECT/27.0.14.21 text/html
1290738397.259 20 10.0.10.3 TCP_MISS/504 1771 GET http://thoisuso.net/ - DIRECT/27.0.14.21 text/html
1290738421.218 2 10.0.10.3 TCP_NEGATIVE_HIT/504 1778 GET http://thoisuso.net/ - NONE/- text/htmlcan anybody got issues like this? Pls help.
-
Hi!
Revise your squid.conf.
squid must be in transparent mode. This means that transparent mode must be activated at squid.conf and you need to have squid compiled supporting transparent mode.
I don't know wich OS are you using. In FreeBSD is usual to download the package source and compile it. At this time FreeBSD ask for the configuration options of the package…
Be sure also wich networks are permitted as client (squid.conf and squidGuard.conf -in your case DansGuardian-). pfSense NATed network is the origine now for your squid, not the network client.
Regards,
Josep Pujadas
-
Hi Josep Pujadas,
Here is my config
http_port 10.0.10.3:3128 transparent
visible_hostname SQUID
cache_mem 512 MB
cache_dir ufs /srv/squid/cache 10000 16 256
access_log /srv/squid/logs/access.log squid
cache_log /srv/squid/logs/cache.log
cache_store_log /srv/squid/logs/store.log
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECTacl MyNetwork1 src 192.168.0.0/255.255.255.0
http_access allow MyNetwork1
always_direct allow all
icp_access allow all
http_access deny all
coredump_dir /var/spool/squid -
Try:
acl our_networks src 127.0.0.1/32 10.0.10.3/32 192.168.0.0/24
http_access allow our_networks
http_access deny alllocalhost, your proxy and your network…
or try:
http_access allow all
restarting squid, to test if your problem is the source ip...
-
I tried, allow all already but still the same.
Seem likes Pfsense do translate the source ip to the squid ip (nat)Here is the log
1290995342.128 75 10.0.10.3 TCP_MISS/504 1881 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - DIRECT/27.0.14.21 text/html
1290995343.950 2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
1290995344.470 2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
1290995344.703 57 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
1290995344.830 19 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/htmlExternal squid with pfsense still not work right. :'(