Squid and Pfsense firewall rules

  • Hi there!!

    For quite a while Squid for Windows was my proxy server to my LAN network. At that time Monowall was the router-firewall between LAN and WAN. I was shot to surprise when I discovered Pfsense and its choice to have Squid on the same deployment. Everything is perfect except one thing on which I might be wrong but I wanna be sure.

    Squid listens on the LAN interface on port 3128 by default. On the LAN firewall rules I blocked everything from source to destination. Assuming my network ip and gateway are right I have no traffic at all without using the proxy settings on my iexplorer as it's supposed to happen. Navigation is restablished once I set the proxy settings up on my explorer. Still everything is blocked on the LAN firewall rules.

    Isn't Squid intended to depend on the firewall rules? If everything is blocked how can Squid go through to the public interface?

    Thanks in advance


  • This has been brought up a couple of times before.  You are correct that Squid should be subjected to the firewall rules, however it is not.  I believe it is the way the package is written in 1.2.3 and it might be corrected in the 2.0 RCs.  I think this is also related to the reasons why it is not possible to do load balancing via Squid in 1.2.3.  Search through this forum and you might uncover the other two threads on the subject.

  • Rebel Alliance Developer Netgate

    Squid isn't on the "LAN" when it's on pfSense. It won't ever hit your LAN rules.

    The rules (especially on 1.2.3) are only evaluated when traffic comes into an interface, not when it leaves. When traffic comes into LAN, it's going to squid on port 3128. When it leaves squid it's going out WAN, and all traffic is allowed out by default from the firewall itself.

    On 2.0 you can restrict that with a floating firewall rule on the WAN with the direction set to 'out', but there isn't much reason to do so.

  • Sorry to jump into this thread now, but I'm having a similar problem.

    @jimp: If I want to route traffic from a particular host to another gateway, I need to be able to specify the source IP address in the floating rule.
    However, can you tell me whether the packet's source IP has been changed after reaching Squid and is now
    In that case, I won't be able to do the routing based on source IP address.
    Is this correct?

  • Rebel Alliance Developer Netgate

    You cannot use the proxy and also do policy routing based on the internal client IP. Once it hits squid, the client IP is lost and the traffic is sent from the proxy itself as the source.

  • Thanks for your reply.
    Does this mean that I can't do any content filtering together with policy-based routing?

    What I want to do is to have only 1 firewall for all Internet lines and based on the source IP addresses, I route the traffic to different lines.
    I had this working when Squid was not enabled.
    But I also need to do content filtering.

    Any suggestion?

  • Rebel Alliance Developer Netgate

    That is a topic for another thread. Start a new thread and ask. The previous question was at least partially related to this topic.

  • OK. Sorry about that.

  • Hi everyone,

    Version 2.0 installed. Based on my first scenario posted a couple of weeks ago (Squid and Pfsense firewall rules), right now everything works the way it should. On version 1.x even with no rules defined Squid comes out to the public interface (WAN). On 2.0, no rule, no Squid packet routing to the public interface. Then I was able to define a rule to only allow Squid to receive packets from the subnet via port 3128. Traffic to the WAN interface then is based on the firewall routing policies by default. Now I can make clients go out to the cloud by only using the proxy which finally handles out port 80 and 443 for https. Now I wanna use the floating rules to restrict the use of port 443 by some clients.

    Excellent work on the side of the pfsense development team. I have enjoyed this enhancement.


Log in to reply