pfSense firewall + pfSense bridge transparent squid - What am I doing wrong?


  • I have a setup like below: (both are 1.2.3-RELEASE)

    WAN1 ---\
              -- pfSense1 [192.168.168.1 LAN] (Load Balancing) --------[192.168.168.2 WAN] pfSense2 (SQUID) [192.168.168.3 LAN]--- Clients 192.168.168.0/24
    WAN2 ---/

    pfSense1 = firewall
            Automatic Outbound NAT
            Load Balancer
            DNS -> OpenDNS servers

    pfSense2 = bridge mode LAN->WAN
            Manual Outbound NAT with all rules deleted
            transparent squid proxy
            firewall rules to allow everything to and from LAN<->WAN
            Acts as LAN Clients GW in DHCP (Server 2003 - .4 on network)

    The bridge is set up because squid doesn't work with load balancing on 1.2.3 and to act as a whitelist for some IPs - the rest are unrestricted.  Everything was/is working beautifully and passes to the load balancer just fine.  But now I've decided to create a firewall (pfSense1) rule specific to a certain client LAN IP address and the logs are showing that pfSense1 is only showing passing traffic from 192.168.168.3 on its LAN interface.  I thought that by disabling NAT on the bridge (and having it in bridge mode period) that the pfSense1 LAN interface would see all client IPs from the network LAN, but that is not the case.  I have scoured these forums for days and have found similar instances of pfSense implementations, but nothing is jumping out as showing me what I'm doing wrong.  I have seen some people use separate subnets for their firewall LAN addresses and add static routes, but I'd like to know if this will solve my problem and why. Maybe using squid already has me dead in the water?  NAT has to be working successfully someplace, otherwise no one would be able to access the Internet.  I have tried creating these firewall rules on the bridge also, with no success.

    I have read that some users are running squid and load balancing on 2.0 installations and that's a future possibility, but I'd like to keep things as they are currently set up if possible.

    Any guidance would be greatly appreciated.

    Thanks,

    Andy


  • Just to follow up on this for the sake of documentation, I ended up connecting the LAN firewall NIC and the bridge WAN NIC into the same switch rather than into each other.  I was hoping to avoid users hacking their workstation NIC settings to get around the proxy gateway, but setting reservations in DHCP should probably be good enough.


  • Turns out this other configuration I tried was causing a problem with some HTTPS sites due to the transparent proxy.  I finally found the best solution in the "Bypass proxy for these source IPs" under the General tab section for proxy server and went back to bridge mode like the setup in my first post.  The "Unrestricted IPs" section under the "Access Control" tab wasn't doing exactly what I thought it was…