Traffic Redirection with Port Forwards

  • Hello!

    I'm redirecting my web traffic to an external squid attached to a new OPT interface.

No problem (see attached image) for ports 80 and 443.

But I also want to redirect the range 8000-8100. In this case I can't put 3128 in the Local port box. The WebGUI automatically puts 3128-3228.

    Any idea?

Using version 1.2.3.


    Josep Pujadas

  • Rebel Alliance Developer Netgate

When you redirect a range, the target cannot be a single port. You can only redirect a range to a range. If you want a bunch of ports to all go to the same IP:port pair, you need individual rules, or a port alias might work (though again it may need individual ports listed and not a range).

  • jimp

1. I created an alias with ports 80, 443 and 8000:8100.
2. I put the alias in External port range.
3. I put 3128 in Local port.

The WebGUI accepted this configuration and I can see in the console (partial listing):

    pfctl -s nat

    rdr on em0 inet proto tcp from any to any port = http -> port 3128
    rdr on em0 inet proto tcp from any to any port = https -> port 3128
    rdr on em0 inet proto tcp from any to any port 8000:8100 -> port 3128

    I think this should work. Do you agree?


    Josep Pujadas

  • Rebel Alliance Developer Netgate

    No, because the target port is considered the "starting" port of the destination range, from what I remember.

  • Ok, thanks!

  • Considering the output of pfctl -s nat, I think that should work, actually.
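The range-to-single-port question is left open in the thread. As an added example (not from the thread, from Netgate or from the squid/pfSense projects), here is a Python model of the port translation pf applies in the PF_RDR branch of pf_get_translation() in pf.c: when the target is a single port, every port in the redirected range is sent to that one port; when the target is a range, the offset into the redirected range is applied modulo the target range's width; `N:*` means a target range the same length as the redirected one. The three THREAD_RULES lines mirror the `pfctl -s nat` output posted above (printed there with no target address); the rules with a 192.0.2.10 target and the service-name table are constructed for the example. This is a model of the kernel logic, not pf itself, so confirm on your own build with `pfctl -s nat` and a test connection.

```python
"""Model of pf rdr port translation (added example, not pf code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Minimal stand-in for /etc/services, enough for the names pfctl prints here.
SERVICES = {"http": 80, "https": 443}

# Parses "... port <spec> -> [addr] port <spec>" as printed by `pfctl -s nat`.
_RULE = re.compile(
    r"port\s+(?:=\s+)?(?P<dst>\S+)\s+->\s+(?:(?P<ip>[\d.]+)\s+)?port\s+(?:=\s+)?(?P<tgt>\S+)"
)


@dataclass(frozen=True)
class RdrRule:
    dst_lo: int
    dst_hi: int
    tgt_lo: int
    tgt_hi: Optional[int]  # None when only one target port was given

    def matches(self, dport: int) -> bool:
        return self.dst_lo <= dport <= self.dst_hi

    def translate(self, dport: int) -> int:
        """Target port for a matching destination port, following pf.c."""
        if self.tgt_hi is None:
            # "-> port 3128": proxy_port[1] == 0, so every port maps to 3128
            return self.tgt_lo
        width = self.tgt_hi - self.tgt_lo + 1
        nport = (dport - self.dst_lo) % width + self.tgt_lo
        if nport > 65535:  # pf's wrap-around for ranges near the top
            nport -= 65535
        return nport


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICES[tok]


def parse_rule(line: str) -> RdrRule:
    m = _RULE.search(line)
    if not m:
        raise ValueError(f"no port redirection found in: {line!r}")
    dst = m.group("dst").split(":")
    dst_lo = _port(dst[0])
    dst_hi = _port(dst[1]) if len(dst) > 1 else dst_lo
    tgt = m.group("tgt").split(":")
    tgt_lo = _port(tgt[0])
    if len(tgt) == 1:
        tgt_hi = None                      # single target port
    elif tgt[1] == "*":
        tgt_hi = tgt_lo + (dst_hi - dst_lo)  # "N:*": same-length range
    else:
        tgt_hi = _port(tgt[1])             # explicit target range
    return RdrRule(dst_lo, dst_hi, tgt_lo, tgt_hi)


def parse_rules(text: str) -> List[RdrRule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def translate(rules: List[RdrRule], dport: int) -> Optional[int]:
    """First matching rdr rule wins, as in pf; None means not redirected."""
    for r in rules:
        if r.matches(dport):
            return r.translate(dport)
    return None


# The rules as posted in the thread (no target address printed there).
THREAD_RULES = """\
rdr on em0 inet proto tcp from any to any port = http -> port 3128
rdr on em0 inet proto tcp from any to any port = https -> port 3128
rdr on em0 inet proto tcp from any to any port 8000:8100 -> port 3128
"""

# Constructed variants: the range the WebGUI generated, the N:* form, and a
# target range shorter than the redirected one (192.0.2.10 is a placeholder).
GUI_RULE = "rdr on em0 inet proto tcp from any to any port 8000:8100 -> 192.0.2.10 port 3128:3228"
STAR_RULE = "rdr on em0 inet proto tcp from any to any port 8000:8100 -> 192.0.2.10 port 3128:*"
SHORT_RULE = "rdr on em0 inet proto tcp from any to any port 8000:8100 -> 192.0.2.10 port 3128:3130"

if __name__ == "__main__":
    rules = parse_rules(THREAD_RULES)
    for dport in (80, 443, 8000, 8050, 8100, 8101):
        print(f"thread rules: {dport} -> {translate(rules, dport)}")
    for name, rule in (("GUI", GUI_RULE), ("star", STAR_RULE), ("short", SHORT_RULE)):
        r = parse_rule(rule)
        print(f"{name}: 8050 -> {r.translate(8050)}")
```

Under this model the posted rules send 80, 443 and all of 8000-8100 to 3128, while the WebGUI's 3128-3228 form sends 8050 to 3178, which is what a proxy listening only on 3128 would never see.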

  • Thanks, but finally I implemented another solution.

    I wanted to redirect 80, 443 and 8000-8100 to an external squid+squidguard proxy.

But the problem is that a redirected external proxy has to be configured as transparent.

    I don't like transparent proxies.

    Finally, I used WPAD detection based on DNS records in my network:,29452.0.html


    Josep Pujadas

Hi, I'm having your problems. I'm using an external transparent squid proxy + dansguardian.
Testing with squid + dansguardian is working fine with the browser setting.
But when using NAT to redirect to squid I got these errors:

The following error was encountered:

    • Unable to forward this request at this time.

    This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.

    Your cache administrator is root.

And the log on the squid box:

    1290738384.951      2 TCP_NEGATIVE_HIT/504 1903 GET - NONE/- text/html
    1290738385.998      2 TCP_NEGATIVE_HIT/504 1903 GET - NONE/- text/html
    1290738397.254      2 TCP_DENIED/504 1569 GET - NONE/- text/html
    1290738397.256      9 TCP_MISS/504 1670 GET - DIRECT/ text/html
    1290738397.259    20 TCP_MISS/504 1771 GET - DIRECT/ text/html
    1290738421.218      2 TCP_NEGATIVE_HIT/504 1778 GET - NONE/- text/html

Has anybody had issues like this? Please help.

  • Hi!

Review your squid.conf.

squid must be in transparent mode. This means that transparent mode must be enabled in squid.conf and you need to have squid compiled with transparent mode support.

I don't know which OS you are using. In FreeBSD it is usual to download the package source and compile it. At that point FreeBSD asks for the configuration options of the package…

Also be sure which networks are permitted as clients (squid.conf and squidGuard.conf, in your case DansGuardian). The pfSense NATed network is now the origin for your squid, not the client network.


    Josep Pujadas

  • Hi Josep Pujadas,

Here is my config:

    http_port transparent
    visible_hostname SQUID
    cache_mem 512 MB
    cache_dir ufs /srv/squid/cache 10000 16 256
    access_log /srv/squid/logs/access.log squid
    cache_log /srv/squid/logs/cache.log
    cache_store_log /srv/squid/logs/store.log
    acl all src
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443        # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210        # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280        # http-mgmt
    acl Safe_ports port 488        # gss-http
    acl Safe_ports port 591        # filemaker
    acl Safe_ports port 777        # multiling http
    acl CONNECT method CONNECT

    acl MyNetwork1 src

    http_access allow  MyNetwork1

    always_direct allow all
    icp_access allow all
    http_access deny all
    coredump_dir /var/spool/squid

  • Try:

    acl our_networks src
    http_access allow our_networks
    http_access deny all

    localhost, your proxy and your network…

    or try:

    http_access allow all

and restart squid, to test if your problem is the source IP...

I already tried allow all but still the same.
It seems like pfSense translates the source IP to the squid IP (NAT).

Here is the log:

    1290995342.128    75 TCP_MISS/504 1881 GET - DIRECT/ text/html
    1290995343.950      2 TCP_NEGATIVE_HIT/504 1887 GET - NONE/- text/html
    1290995344.470      2 TCP_NEGATIVE_HIT/504 1887 GET - NONE/- text/html
    1290995344.703    57 TCP_NEGATIVE_HIT/504 1887 GET - NONE/- text/html
    1290995344.830    19 TCP_NEGATIVE_HIT/504 1887 GET - NONE/- text/html

External squid with pfSense still doesn't work right.  :'(