Netgate Discussion Forum

    PFsense FW + additional transparent proxy

    General pfSense Questions
    5 Posts 3 Posters 2.7k Views
      sysc

      Currently we run pfSense as our perimeter firewall. Behind it are 1500 clients. We would like to set up a public network, segregated via a private VLAN from the rest of our network, then force via DHCP all traffic to go to/through the transparent proxy (pfSense box #2). This part is working, but for some reason I can't get it to then go to pfSense box #1 and then outside to the inet.

      So just to recap.

      Public Network -> pfSense2 (Transparent Proxy) -->>> pfSense1 (perimeter fw/NAT) -->>> inet (separated internally via a private VLAN)

      Any ideas?

        wallabybob

        @sysc:

        force via DHCP all traffic to go to/through the transparent proxy(PFsense box#2)

        Do you mean DHCP specifies pfSense #2 as the default gateway?

        @sysc:

        This part is working, but for some reason I can't get it to then go to PFSense box #1 and then outside to the inet.

        If you traceroute from a system on the public network to a system on the internet how far does the traceroute get?

        Have you checked the firewall log on pfSense 1 to see if it is blocking traffic? Have you checked the firewall log in pfSense 2 to see if it is blocking traffic?

        In your diagram what address range is in use on the subnet pfSense2 <-> pfSense1? (PERHAPS on pfSense2 you will need to allow private addresses on the WAN. If so, in web GUI: Interfaces -> WAN near the bottom of the page Block private networks should NOT be ticked.)

        It is not clear from your description that pfSense2 adds any value over (say) using just pfSense 1 with a separate interface (either physical or virtual) for the "public network". Maybe you are using that configuration to minimise changes made to your perimeter firewall.

          sysc

          You're right about only really needing one box. I can get it to work, as in getting out to the net; however, it seems I can't get it to go through the transparent proxy on the same box. No logs in /var/squid/log/access.log, so essentially it's getting out unfiltered. Not sure how to troubleshoot it.

            Guest
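An added, offline check for the two troubleshooting questions raised so far (wallabybob's point about private addresses on the pfSense2 WAN, and the empty /var/squid/log/access.log in the post above). This is example code written for this page, not code from the thread, from pfSense or from Squid. It assumes Squid's default native access.log line layout; the subnet 10.50.1.0/24, the client addresses and the log lines are constructed sample data.

```python
"""Offline checks for a transparent Squid proxy behind a second pfSense box.

Two questions from the thread are turned into code:
  1. Are the clients on the public VLAN actually showing up in Squid's
     access.log (i.e. is the transparent redirect catching them)?
  2. Does the pfSense2 WAN sit in RFC 1918 space, so that the WAN
     "Block private networks" option would drop traffic from pfSense1?
"""
import ipaddress
import re
from collections import Counter

# Squid native access.log layout (space separated, padded):
#   time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
ACCESS_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# RFC 1918 ranges, the address space the pfSense WAN option blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: two hits from one public-VLAN client, one hit from an
# internal client, and one malformed line that a parser must tolerate.
SAMPLE_ACCESS_LOG = """\
1400000000.123    152 10.50.1.21 TCP_MISS/200 8123 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1400000001.456     12 10.50.1.21 TCP_HIT/200 512 GET http://example.com/logo.png - NONE/- image/png
1400000002.789    301 192.168.1.10 TCP_MISS/200 2048 GET http://example.net/ - HIER_DIRECT/203.0.113.5 text/html
this line is not in the native format and is skipped
"""


def parse_access_log(lines):
    """Yield one dict per line that matches the native format; skip the rest."""
    for line in lines:
        m = ACCESS_LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def clients_seen(lines, subnet):
    """Return {client_ip: request_count} for logged clients inside `subnet`."""
    net = ipaddress.ip_network(subnet)
    counts = Counter()
    for rec in parse_access_log(lines):
        try:
            addr = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # hostname logging enabled, or garbage; not an address
        if addr in net:
            counts[str(addr)] += 1
    return dict(counts)


def proxy_coverage(lines, subnet, expected_clients):
    """Compare clients that should be redirected with those Squid actually logged.

    Returns (seen, missing). A client in `missing` generated no proxied request:
    either it never hit the redirect rule or it is reaching the internet around Squid.
    """
    seen = clients_seen(lines, subnet)
    missing = sorted(set(expected_clients) - set(seen), key=ipaddress.ip_address)
    return seen, missing


def needs_private_network_allowance(wan_ip, prefix_len):
    """True if the pfSense2 WAN address is RFC 1918 space.

    In that case the WAN's "Block private networks" box must be unticked,
    or replies from pfSense1 on the inter-firewall link are dropped.
    """
    iface = ipaddress.ip_interface(f"{wan_ip}/{prefix_len}")
    return any(iface.ip in n for n in RFC1918)


if __name__ == "__main__":
    public_vlan = "10.50.1.0/24"                      # constructed public network
    expected = ["10.50.1.21", "10.50.1.22", "10.50.1.23"]  # constructed DHCP leases
    seen, missing = proxy_coverage(SAMPLE_ACCESS_LOG.splitlines(), public_vlan, expected)
    print("proxied clients:", seen)
    print("clients never seen by Squid:", missing)
    print("unblock private nets on pfSense2 WAN:",
          needs_private_network_allowance("192.168.1.2", 24))
```

On a real box the same functions can be fed `open("/var/squid/log/access.log")` and the current DHCP lease list; an empty `seen` with a populated `missing` is the "getting out unfiltered" symptom described above, and points at the redirect rule or the interface selection rather than at Squid itself.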

            On the transparent proxy's configuration, did you add the additional subnet of this new public network? Have you tried it with a non-transparent proxy setup to see if it works that way (just to troubleshoot where the problem lies)?

            @sysc:

            You're right about only really needing one box. I can get it to work, as in getting out to the net; however, it seems I can't get it to go through the transparent proxy on the same box. No logs in /var/squid/log/access.log, so essentially it's getting out unfiltered. Not sure how to troubleshoot it.

              sysc

              I have it working now; the LAN interface had to be selected in order for it to work. Filtering via DNS and SquidGuard is not working really well, but with more tweaking/playing I should be able to get it. Thanks for the help folks. ;)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.