Squid Transparent Proxy Configuration Issue
-
Hi,
I've been struggling with a co-worker in getting PFSense set up in our environment. I don't think our setup is complicated, but I'm sure it's something we are missing in getting this all to work.
Network Diagram
---------------
Cisco ASA 5505 (172.28.1.5 [vlan 1])
            |
+------------------------+
|   Cisco 3560 Switch    |
+------------------------+
        /          \
   PFSense        Test PC
   WAN - 172.28.1.252 [vlan 1]      10.48.2.13 [vlan 26]
   LAN - 10.48.2.252 [vlan 26]
   OPT1 [not defined]
Goal
----
We'd like to set up PFSense to do transparent proxy (with squidguard) and captive portal for only folks in the 10.48.2.x network.

So far
We have PFSense installed and configured.
Captive Portal is not setup yet
Proxy and squidguard are working, but transparent proxy is not - proxy is on the LAN interface
Issue
We are having trouble with setting up the transparent proxy.
If I set up a client on the 10.48.2.x network and configure the proxy for 10.48.2.252:1328, I'm able to access the internet without any issues. I also get blocked on pages defined in squidguard. This is good.
Once I remove the proxy info, I cannot get out to the internet.
In PFSense, I have the LAN and WAN firewall rules to allow from/to any:any on any protocol, yet that doesn't help. I also enabled 'transparent mode' in squid and tried selecting both LAN/WAN in the options, but to no avail.

I'm sure there is a step we are missing in this setup. Any suggestions/ideas?
Thanks.
-
Your gateway for the 10.48.2.13 PC is 10.48.2.252 correct?
You don't need a rule on the WAN to allow from/to any:any on any protocol, and on the LAN all you need is to allow the LAN outbound for the relevant protocols that you require, or use the default allow-all outbound from the LAN.
When refining your FW rules remember to allow DNS.
-
When you say 'cannot get out to the internet' - does the browser sit as though it can't reach the gateway, or are you seeing Squid errors (ACL, access denied, etc.)?
Is your webGUI on HTTPS/443? There can be issues with the transparent redirect rules if it is still set to HTTP/80.
LAN is the only interface that needs to be selected in the GUI config for the Squid package.
Lastly, you might try tinkering with the 'Allow Users on Interface' checkbox on the SquidGUI. Tick it, save, untick, save etc. The directive that this writes to the config was getting reset by the one created by the transparent box some time ago, but I think this has since been corrected.
-
> Your gateway for the 10.48.2.13 PC is 10.48.2.252 correct?

Actually no. We were using the Cisco switch's gateway, which was 10.48.2.1. I'll try switching that later tonight and let you know how that goes.
I allowed any:any on the FW rules to make sure that PFSense wasn't blocking traffic and being our problem. We will lock down the FW rules after we get things working. (Thanks for the tip on setting up LAN outbound rules.)

> When you say 'cannot get out to the internet' - does the browser sit as though it can't reach the gateway, or are you seeing Squid errors (ACL, access denied, etc.)?

I don't see any Squid errors. What I get is that the browser was just 'hanging' and seemingly didn't know where to go. It could be related to the gateway question brought up by wagonza.

> Is your webGUI on HTTPS/443? There can be issues with the transparent redirect rules if it is still set to HTTP/80.

I didn't set up the webgui on 443, but I was thinking of doing it after the setup was complete. I'll keep this in mind if/when we get this working.

> Lastly, you might try tinkering with the 'Allow Users on Interface' checkbox on the SquidGUI. Tick it, save, untick, save etc. The directive that this writes to the config was getting reset by the one created by the transparent box some time ago, but I think this has since been corrected.

I tried selecting LAN and WAN individually and then also selected them both so they were both active. Either setting didn't appear to help.
-
I would change your WebGUI BEFORE you test any further, as this has been the major hangup for a lot of transparent proxy installation problems in the forum. Be advised that changing to HTTPS has been known to require a reboot of the pfSense box.
-
@wagonza
Sweet! Changing the gateway to .252, I started getting internet access! Awesome.
@mhab12
I did change the webgui to https. I started playing with the captive portal and started having issues. We realized that it appears that the captive portal and webgui must be using the same port (either 80 or 443), otherwise it wouldn't work. Since this is our test environment, we just left it on http.

We still need to tweak the FW rules, but overall I think we are all set. Thank you both for the suggestions on how to get this set up and working.
I can't wait to try out the other PFSense functionality.
Sijis
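A small pre-flight check for the two points this thread turned on (the client's default gateway, which wagonza asked about, and the webGUI sitting on the port the transparent redirect captures, which mhab12 raised), plus a test of whether plain-HTTP responses really pass through Squid. This is an added example, not code from the forum or from pfSense; it assumes a Linux test PC (`ip route show` output) and Squid's default behaviour of stamping proxied responses with Via/X-Cache headers, and all sample inputs are constructed.

```python
"""Pre-flight checks for a pfSense/Squid transparent-proxy setup (added example)."""
import re
from typing import List, Optional

def default_gateway(ip_route_output: str) -> Optional[str]:
    """Return the default gateway from `ip route show` output, or None if absent."""
    for line in ip_route_output.splitlines():
        m = re.match(r"default\s+via\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return None

def traversed_squid(raw_headers: str) -> bool:
    """True if the response headers show the request went through Squid:
    a Via header naming squid, or an X-Cache header (both on by default)."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "via" and "squid" in value.lower():
            return True
        if name == "x-cache":
            return True
    return False

def diagnose(route_output: str, raw_headers: str, pfsense_lan_ip: str,
             webgui_port: int, intercept_port: int = 80) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    gw = default_gateway(route_output)
    if gw != pfsense_lan_ip:
        findings.append(f"client default gateway is {gw}, expected pfSense LAN IP {pfsense_lan_ip}")
    if webgui_port == intercept_port:
        findings.append(f"webGUI listens on port {webgui_port}, the port the transparent redirect "
                        "captures; move the webGUI to HTTPS/443")
    if not traversed_squid(raw_headers):
        findings.append("no Squid Via/X-Cache header on the response: HTTP is not being intercepted")
    return findings

# Constructed sample inputs using the addresses from the thread.
ROUTE_VIA_SWITCH = "default via 10.48.2.1 dev eth0\n10.48.2.0/24 dev eth0 scope link src 10.48.2.13\n"
ROUTE_VIA_PFSENSE = "default via 10.48.2.252 dev eth0\n10.48.2.0/24 dev eth0 scope link src 10.48.2.13\n"
HEADERS_DIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
HEADERS_PROXIED = "HTTP/1.1 200 OK\r\nServer: nginx\r\nVia: 1.1 pfsense (squid)\r\nX-Cache: MISS from pfsense\r\n"

if __name__ == "__main__":
    # "before": gateway on the switch, webGUI on 80, no proxy markers -> three findings
    print("before:", diagnose(ROUTE_VIA_SWITCH, HEADERS_DIRECT, "10.48.2.252", 80))
    # "after": gateway on pfSense, webGUI on 443, Squid headers present -> []
    print("after:", diagnose(ROUTE_VIA_PFSENSE, HEADERS_PROXIED, "10.48.2.252", 443))
```

To use it against a real client, feed in the output of `ip route show` and the headers from `curl -sI http://<any plain-HTTP site>` taken with no proxy configured in the browser or curl.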