2.0 How to redirect LAN port 80 to a proxy server



  • We have a squid/dansguardian server for internet filtering.

    In pfSense 1.2, I set up a NAT rule to redirect all LAN traffic with a WAN destination on port 80 to the proxy server. The proxy server is on a separate interface.

    However, when I try to do this with pfSense 2.0 RC3, nothing happens. The traffic is not redirected. Here's what the NAT rule looks like:

    Interface: LAN
    Protocol: TCP
    Source: Any
    Source Port: Any
    Destination: WAN Address
    Destination Port: 80
    Redirect Target IP: 192.168.99.2 (the filter/proxy server)
    Redirect Target Port: 8080

    I also have the appropriate firewall rule on the LAN interface.

    Why does this not work? Am I missing something?


  • Rebel Alliance Developer Netgate

    You really want something more like:

    Interface: LAN
    Protocol: TCP
    Source: LAN subnet
    Source Port: Any
    Destination: any
    Destination Port: 80
    Redirect Target IP: 192.168.99.2 (the filter/proxy server)
    Redirect Target Port: 8080
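    As an added illustration (not part of the thread), a small Python model of how a pf port-forward rule is matched against a LAN client's outbound web request, comparing the original poster's rule with the one suggested above. The LAN subnet, WAN address and web-site IP are constructed values; only the proxy IP and port come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example; the proxy IP/port are from the thread.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDRESS = ipaddress.ip_network("203.0.113.10/32")   # the firewall's own WAN IP
PROXY = ("192.168.99.2", 8080)

@dataclass(frozen=True)
class RdrRule:
    """One pfSense port-forward (pf 'rdr') rule on the LAN interface."""
    name: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: int

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        s = ipaddress.ip_address(src_ip)
        d = ipaddress.ip_address(dst_ip)
        return ((self.src is None or s in self.src)
                and (self.dst is None or d in self.dst)
                and dport == self.dport)

# Original post: only traffic addressed to the firewall's WAN IP qualifies.
RULE_WAN_ADDRESS = RdrRule("dst WAN address", None, WAN_ADDRESS, 80)
# Suggested rule: any port-80 traffic from the LAN subnet, whatever the destination.
RULE_ANY = RdrRule("dst any", LAN_SUBNET, None, 80)

def redirect_target(rule: RdrRule, src_ip: str, dst_ip: str, dport: int):
    """Return where the connection ends up after this one rule is evaluated."""
    if rule.matches(src_ip, dst_ip, dport):
        return PROXY
    return (dst_ip, dport)   # unchanged: no redirection happened

if __name__ == "__main__":
    # A LAN client browsing an external web site (constructed destination).
    flow = ("192.168.1.50", "198.51.100.20", 80)
    for r in (RULE_WAN_ADDRESS, RULE_ANY):
        print(f"{r.name:16} -> {redirect_target(r, *flow)}")
    # A port-443 connection never matches a port-80 rule.
    print("https:", redirect_target(RULE_ANY, "192.168.1.50", "198.51.100.20", 443))
```

    A browser request to an internet site carries the site's IP as its destination, never the firewall's WAN address, so the first rule only fires for traffic aimed at the firewall itself.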



  • Thanks, I was trying to make the rule as non-restrictive as possible, just in case I was missing something.

    But either way, the NAT still does not do anything, even when I make the changes you suggested.


  • Rebel Alliance Developer Netgate

    And that 99.2 box is on a separate subnet from LAN?

    Unless you have something else above that rule that would be overriding it, that should work. That would also include having the squid package installed on the firewall and running in transparent mode there.



  • Yeah, it's on a separate subnet and actually on its own interface. This worked perfectly under pfSense 1.2 and I have not changed anything on the proxy side.

    I guess I will have to dig a little deeper. Just wanted to make sure that nothing significant about NAT behavior had changed in 2.0.



  • Hi guys.

    Hey, I want to do the same thing and you're right: in 1.2.3 this setup works, in 2.0 it hasn't been working. Did you find out how to do this???

    Thanks!!!

    2.0-RC3 (i386) built on Fri Aug 12 16:23:11 EDT 2011



  • I use this configuration to redirect ALL LAN traffic to my transparent proxy, which is using port 3128:

    interface : LAN
    external address : any
    protocol : TCP
    external port range : HTTP
    nat ip : my transparent proxy IP
    local port : transparent proxy port

    and it works under pfsense 1.2.3 :)



  • Thanks gendit.

    Like miafya and I say, on 1.2.3 it works, but now we want to set this up on 2.0RC3.

    Thanks  :)



  • After my posts a few days ago I left things alone for a day. When I came in the next morning, I realized that the NAT was working. I did not do anything different that I can think of, but it seems to be working just like with 1.2.3.

    The only thing I can think of is that perhaps I still had some active states in the firewall that needed time to die before the NAT settings took effect.

    I've attached the current rules I have. The first is of the NAT rule, the second is the firewall rule.



  • Just want to confirm what I had read.

    I've got my pfSense LAN/WAN NICs.

    Squid listens on the LAN address, port 3128.

    LAN 192.168.50.1

    I cannot set up a port forward from my LAN subnet port X to LAN address port Y?

    If I add another NIC in my pfsense box:

    opt1 192.168.50.2

    If I set up squid to listen on this NIC, can I do the port forward?

    Or I must be on different subnet?

    Pfsense 2.0 doubts.

    Thanks!!!



  • The process I'm talking about is if you have an external squid box outside of pfSense and want to forward traffic to it. In version 1.2.x you had to have the external box on another interface in order to be able to NAT to it.

    However under pfsense 2 you can install the squid package and do a transparent proxy directly in pfsense without using NAT or other interfaces. It is pretty simple to set up. Once you install the squid package, a "Proxy server" item will show up under the Services menu.



  • Thanks miafya.

    In my case, my pfsense box has squid running?

    Thanks.



  • If your pfsense box has squid running and you want to use that, just enable squid for the interfaces you wish to use. The settings are under "Services -> Proxy Server". It has a nice transparent proxy option too.

    If you want to use an external squid box, make sure to remove squid from your pfsense box or disable it from the interface you wish to use. Then use the NAT settings to forward to your external box.



  • I had done this; my squid settings have the new interface. I cannot use transparent mode because I need to use my LDAP users.

    Thanks miafya.



  • @jimp:

    Unless you have something else above that rule that would be overriding it, that should work. That would also include having the squid package installed on the firewall and running in transparent mode there.

    jimp, what about https? I can't get it to work on 2.0, forwarding 443 on LAN to proxy_ip port 3128.

    TCP_DENIED/400 3012 NONE error:unsupported-request-method - NONE/- text/html

    thanks


  • Rebel Alliance Developer Netgate

    You cannot transparently proxy https.


Locked