Netgate Discussion Forum

    PfSense firewall + pfSense bridge transparent squid - What am I doing wrong?

    Category: Routing and Multi WAN
    penfield:

      I have a setup like below: (both are 1.2.3-RELEASE)

      WAN1 ---\
               -- pfSense1 [192.168.168.1 LAN] (Load Balancing) --------- [192.168.168.2 WAN] pfSense2 (SQUID) [192.168.168.3 LAN] --- Clients 192.168.168.0/24
      WAN2 ---/

      pfSense1 = firewall
              Automatic Outbound NAT
              Load Balancer
              DNS -> OpenDNS servers

      pfSense2 = bridge mode LAN->WAN
              Manual Outbound NAT with all rules deleted
              transparent squid proxy
              firewall rules to allow everything to and from LAN<->WAN
              Acts as LAN Clients GW in DHCP (Server 2003 - .4 on network)

      The bridge is set up because squid doesn't work with load balancing on 1.2.3 and to act as a whitelist for some IPs - the rest are unrestricted.  Everything was/is working beautifully and passes to the load balancer just fine.  But now I've decided to create a firewall (pfSense1) rule specific to a certain client LAN IP address and the logs are showing that pfSense1 is only showing passing traffic from 192.168.168.3 on its LAN interface.  I thought that by disabling NAT on the bridge (and having it in bridge mode period) that the pfSense1 LAN interface would see all client IPs from the network LAN, but that is not the case.  I have scoured these forums for days and have found similar instances of pfSense implementations, but nothing is jumping out as showing me what I'm doing wrong.  I have seen some people use separate subnets for their firewall LAN addresses and add static routes, but I'd like to know if this will solve my problem and why. Maybe using squid already has me dead in the water?  NAT has to be working successfully someplace, otherwise no one would be able to access the Internet.  I have tried creating these firewall rules on the bridge also, with no success.

      I have read that some users are running squid and load balancing on 2.0 installations and that's a future possibility, but I'd like to keep things as they are currently set up if possible.

      Any guidance would be greatly appreciated.

      Thanks,

      Andy

    penfield:

        Just to follow up on this for the sake of documentation, I ended up connecting the LAN firewall NIC and the bridge WAN NIC into the same switch rather than into each other.  I was hoping to avoid users hacking their workstation NIC settings to get around the proxy gateway, but setting reservations in DHCP should probably be good enough.

    penfield:

          Turns out this other configuration I tried was causing a problem with some HTTPS sites due to the transparent proxy.  I finally found the best solution in the "Bypass proxy for these source IPs" under the General tab section for proxy server and went back to bridge mode like the setup in my first post.  The "Unrestricted IPs" section under the "Access Control" tab wasn't doing exactly what I thought it was…

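The two settings contrasted in the last post behave differently because they act at different layers: "Bypass proxy for these source IPs" is a packet-filter exception, so the listed clients are never redirected into squid and their packets cross the bridge with their own source address, which is why pfSense1 can then match per-client rules on them; "Unrestricted IPs" is a squid ACL, so those clients are still intercepted and still leave pfSense2 as connections from 192.168.168.3. The fragment below is an added illustration of that distinction written for this thread, not the rules the pfSense 1.2.3 squid package itself generates (its exact output may differ). The interface names em0/em1, the table name squid_bypass, the client addresses and the whitelist file path are all assumed for the example.

```conf
# Illustrative pf rules for pfSense2 (the bridge). Assumed interface names:
# em0 = WAN (toward pfSense1), em1 = LAN (toward the clients).

# "Bypass proxy for these source IPs": hosts in this table are never
# redirected, so their port-80 traffic crosses the bridge untouched and
# pfSense1 logs their real client address. Sample IPs are constructed.
table <squid_bypass> { 192.168.168.20, 192.168.168.21 }

# Transparent interception of port 80 on the client-facing interface.
# Everyone not in <squid_bypass> is handed to squid on 127.0.0.1:3128.
# Squid then opens its own outbound TCP connection, which leaves the bridge
# with source 192.168.168.3, the only address pfSense1 ever sees for
# proxied traffic. Only port 80 is matched; 443 is never intercepted here.
rdr on em1 proto tcp from !<squid_bypass> to !(em1) port 80 -> 127.0.0.1 port 3128

# --- squid.conf side: the "Unrestricted IPs" / whitelist behaviour -------
# Unrestricted hosts are still proxied; squid merely skips its own ACL
# checks for them, so upstream they still appear as 192.168.168.3.
acl unrestricted_ips src 192.168.168.30
http_access allow unrestricted_ips

# Everyone else only reaches whitelisted destinations (assumed file path).
acl whitelist dstdomain "/usr/local/etc/squid/whitelist.acl"
http_access allow whitelist
http_access deny all
```

To confirm which path a given client takes on the bridge box, `pfctl -s nat` shows the active rdr rules and `pfctl -t squid_bypass -T show` lists the table contents; a client that should be visible by its own IP at pfSense1 must be in the table, not merely in the squid ACL.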
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.