Captive + Squid transp. works only after reload
Hi there,
I have been using pfSense for half a year now in a very basic setup. Now I want to take this a bit further and use it in a production environment.
I am using pfSense 1.0.1 on a P4 with 2 network cards and squid 2.6.5_1-p15 installed (no other packages).

What I want to achieve:
A client connects to the WLAN network (access point attached to one interface, DHCP disabled on the AP), gets its IP from pfSense's DHCP server, and the first HTTP request gets redirected to the captive portal (local user DB). After authentication, all internet traffic gets redirected through the transparent Squid, so that I can dig through the logs and connect the username to the sites visited.
What I have configured:
- Anti-lockout rule disabled. Access to the web interface is granted from one fixed external IP address
- No NAT
- LAN rules:
  - UDP port 53 to LAN address (for DNS)
  - TCP port 80 to LAN address (shouldn't be necessary AFAIK)
  - TCP port 3128 to LAN address (shouldn't be necessary, because the redirection comes from 127.0.0.1, right?)
  - TCP port 8000 to LAN address (captive portal)
- Traffic shaper: went through the wizard
- Captive portal:
  - Enabled on LAN interface
  - Idle timeout: 120 minutes
  - Enable logout popup window
  - Local user manager
  - Additionally I uploaded my own templates (prefixed with captiveportal-)
- Enabled the DNS forwarder
- Enabled DHCP server:
  - Range 192.168.0.10-…254
  - DNS server: 192.168.0.1 (LAN address)
  - Gateway: 192.168.0.1
- Proxy server on LAN interface:
  - ticked Allow users on interface
  - ticked Transparent proxy
  - ticked Enable logging
  - Log store directory: /var/squid/log
  - Proxy port: 3128
  - Access control: Allowed subnets: 192.168.0.0/24

And that's all.
Now to the problem:
After a reboot of the machine, internet access is not working. I can access 192.168.0.1:8000 when I enter the URL directly, but I cannot open google.de, for example. I watched the Squid logs with "tail -f", but nothing shows up when I try to access a URL, so I assume the NAT rule is not generated automatically after reboot.
I am able to fix that by going to NAT in the web interface and creating and applying a dummy rule like "nat port 9999 to 192.168.0.2 port 9999". After applying the rules, the connection works as intended. I have also tried leaving this rule in and rebooting the machine, but without success.
Well, I can live with that, but I need to roll this out to several locations and it should work out of the box.
Your help is very much appreciated…
Cheers,
Manuel
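The symptom above (nothing in the Squid log after a reboot until a NAT rule is applied) is the classic sign that the pf redirect feeding the transparent proxy is not loaded. The following is an added example, not code from the thread or from pfSense: a small POSIX shell check that shows what that redirect looks like in pf syntax and tests whether `pfctl -s nat` output contains it. The interface name em0 is an assumption (pfSense may name the LAN interface differently); the subnet 192.168.0.0/24 and Squid port 3128 are taken from the post, and the `pfctl -s nat` samples are constructed. One caveat worth keeping in mind with such a rule: pf applies translation before filtering, so filter rules see the redirected destination (127.0.0.1:3128), which is why a pass rule for port 3128 is not automatically redundant.

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense): verify that the pf
# redirect which sends LAN HTTP traffic into a transparent Squid is loaded.
# Assumptions: LAN interface em0 (hypothetical), LAN subnet 192.168.0.0/24
# and Squid listening on 3128 (both from the post). On the Squid 2.6 side the
# matching listener line is "http_port 3128 transparent".

LAN_IF="${LAN_IF:-em0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# The rdr rule a transparent Squid needs, in pf.conf syntax. Without it the
# clients' port-80 connections never reach squid, so access.log stays empty.
expected_rdr_rule() {
    printf 'rdr on %s proto tcp from %s to any port 80 -> 127.0.0.1 port %s\n' \
        "$LAN_IF" "$LAN_NET" "$SQUID_PORT"
}

# Given the text of `pfctl -s nat`, return 0 if a TCP port 80 redirect to
# 127.0.0.1:$SQUID_PORT is present, 1 otherwise. pfctl prints ports as
# "port = 80", so the "= " is optional in the pattern; "8000 ->" does not match.
has_transparent_rdr() {
    printf '%s\n' "$1" | grep -E \
        "^rdr .*proto tcp .*port (= )?80 -> 127\.0\.0\.1 port (= )?$SQUID_PORT" \
        >/dev/null
}

# Constructed sample: the loaded NAT rules right after reboot, where only
# the dummy rule from the post survived and the Squid redirect is missing.
SAMPLE_AFTER_REBOOT='rdr on em0 inet proto tcp from any to any port = 9999 -> 192.168.0.2 port 9999'

# Constructed sample: the same box after the rules were re-applied from the
# web interface, with the transparent-proxy redirect present.
SAMPLE_AFTER_APPLY='rdr on em0 inet proto tcp from any to any port = 9999 -> 192.168.0.2 port 9999
rdr on em0 inet proto tcp from 192.168.0.0/24 to any port = 80 -> 127.0.0.1 port 3128'

# Stand-alone run: print the rule pf needs, then evaluate both samples.
expected_rdr_rule
for sample in "$SAMPLE_AFTER_REBOOT" "$SAMPLE_AFTER_APPLY"; do
    if has_transparent_rdr "$sample"; then
        echo "transparent-proxy rdr present"
    else
        echo "transparent-proxy rdr MISSING: port-80 traffic will not reach squid"
    fi
done
```

On a live box the check is `has_transparent_rdr "$(pfctl -s nat)"` right after boot, and again after applying a NAT rule from the web interface; if the first fails and the second succeeds, the redirect is being written only on a rule reload, not at startup.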
Did you move the webGUI from port 80 to a different port, so that Squid can take port 80 for the transparent proxy?
Yes, the web interface is running on port 443 (HTTPS).
I think I have found the reason why it doesn't generate the NAT rules after startup.
I had the option "Disable NAT Reflection" under the Advanced tab enabled, because I don't want to allow this type of traffic to the firewall and the internet. All the administration stuff should come from one external IP address. When I disable the option, internet access is available directly after reboot. But in addition every client is allowed to connect to the firewall directly, and this is not intended.
Does anybody know which NAT rules I have to set up in order to have the Squid transparent option working without having to turn off the "Disable NAT Reflection" option?
Many thanks in advance.
Manuel
Sorry, I was wrong in my last post.
The problem still exists. After a reboot, no access from inside to outside without creating and deleting a dummy NAT rule.
Regards,
Manuel