PFsense FW + additional transparent proxy



  • Currently we run PFsense as our perimeter firewall. Behind it are, 1500 clients. We would like to setup a public network segregated via a private vlan from the rest of our network, then force via DHCP all traffic to go to/through the transparent proxy(PFsense box#2). This part is working, but for some reason I can't get it to then go to PFSense box #1 and then outside to the inet.

    So just to recap.

    Public Network – > PFsense2(Transparent PRoxy -->>> Pfsense1(perimeter fw/NAT) -- >>> inet (seperated internally via a private vlan)

    Any ideas?



  • @sysc:

    force via DHCP all traffic to go to/through the transparent proxy(PFsense box#2)

    Do you mean DHCP specifies pfSense #2 as the default gateway?

    @sysc:

    This part is working, but for some reason I can't get it to then go to PFSense box #1 and then outside to the inet.

    If you traceroute from a system on the public network to a system on the internet how far does the traceroute get?

    Have you checked the firewall log on pfSense 1 to see if it is blocking traffic? Have you checked the firewall log in pfSense 2 to see if it is blocking traffic?

    In your diagram what address range is in use on the subnet pfSense2 <-> pfSense1? (PERHAPS on pfSense2 you will need to allow private addresses on the WAN. If so, in web GUI: Interfaces -> WAN near the bottom of the page Block private networks should NOT be ticked.)

    It is not clear from your description that pfSense2 adds any value over (say) using just pfSense 1 with a separate interface (either physical or virtual) for the "public network". Maybe you are using that configuration to minimise changes made to your perimeter firewall.



  • You're right about only really needing one box. I can get it to work as in, getting out to the net however, it seems I can't get it to go through the transparent proxy on he same box. No logs, in /var/squid/log/access.log, so essentially it's getting out unfiltered. Not sure how to trouble shoot it.



  • On the transparent proxy's configuration, did you add the additional subnet of this new public network? Have you tried it with a non-transparent proxy set up to see if it works that way (just to troubleshoot where the problem lies).

    @sysc:

    You're right about only really needing one box. I can get it to work as in, getting out to the net however, it seems I can't get it to go through the transparent proxy on he same box. No logs, in /var/squid/log/access.log, so essentially it's getting out unfiltered. Not sure how to trouble shoot it.



  • I have it working now, the LAN interface had to be selected in order for it to work. Filtering via dns and squid guard not working real well, but with more tweaking/playing should be able to get it. Thanks for the help folks. ;)


Log in to reply