Transparent firewall and squid



  • Hi everybody,
    I have set up a transparent firewall and it works fine.
    I have a question: can Squid proxy work with this configuration?

    Thanks!



  • If it's transparent but has an IP on the same network, then you can.

    I have never tried a transparent proxy with bridges.



  • Yes, my proxy server has an IP on the same network. I've installed Squid and SquidGuard and configured the transparent proxy; the proxy is listening on the LAN interface in the bridge, but the PC does not get to the internet, while ping works fine.
    So I looked at the firewall logs, and port 80 is redirected to 3128.

    I have no idea what I can try.

    This is my configuration:

    ALIX mainboard with 3 NICs (vr0, vr1, vr2).

    vr0 is set to 192.168.2.10; to this interface I've connected the PC used to configure the firewall.

    vr1 and vr2 have their IP set to none, and with these interfaces I have created the bridge
    named BRIDGE.

    On the bridge interface I have set the IP 192.168.1.200 and my gateway IP.

    I have created the rules on vr1 and vr2 for traffic and they work correctly.

    Sorry for my English.

    Thanks all!



  • Try to let Squid listen on all internal interfaces (LAN, bridge, etc.) and see what happens.



  • Hi,
    I have tried the solution but it does not work.
    I have disabled the transparent proxy and enabled the proxy in the Windows Internet Options; it works fine.

    In pfSense I have set Squid to listen on the internal LAN of the bridge.

    Thanks for the suggestions!



  • Same problem with bridged pfSense + Squid transparent.
    Please help, anyone :) I'm trying to forward HTTP streams manually to the proxy…

    PS: And another question about the bridge:
    My scheme: Client -> pfSense (bridged) -> server.
    I start to ping client1 -> server. Pass rule on any traffic enabled. All OK.
    Change rule to block any traffic. Apply. But ping continues to go.
    If I Ctrl+C on client1 and try ping again: all OK, packets dropped.
    WTF?



  • @linco:

    Same problem with bridged pfSense + Squid transparent.
    Please help, anyone :) I'm trying to forward HTTP streams manually to the proxy…

    Configure proxy autodetection using WPAD/PAC. This way you will be able to filter HTTP and HTTPS URLs.

    @linco:

    PS: And another question about the bridge:
    My scheme: Client -> pfSense (bridged) -> server.
    I start to ping client1 -> server. Pass rule on any traffic enabled. All OK.
    Change rule to block any traffic. Apply. But ping continues to go.
    If I Ctrl+C on client1 and try ping again: all OK, packets dropped.
    WTF?

    This is how a stateful firewall works.
    If you want to force the new rule to apply, you will need to reset the firewall states.



  • I'm trying to redirect traffic to Squid manually through an rdr rule. As I found, on FreeBSD there is a working solution. Something like:
    Squid:
    http_port 127.0.0.1:3128 transparent

    PF:
    rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
    pass in quick on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state

    But in pfSense we have some problems and strange things:
    1. pfSense Squid3 in transparent mode on loopback has 2 records:
    http_port 127.0.0.1:3128
    http_port 127.0.0.1:80 intercept

    2. We cannot generate an rdr rule on an interface without an IP, because pfSense generates 2 nat rules along with the rdr rule.
    For example, I have:
    WAN -> no IP
    OPT1 -> no IP
    They are bridged.
    Bridge0 -> no IP

    LAN -> public IP for webGUI control

    Generated rules for the redirect on OPT1:
    rdr on igb2 proto tcp from any to any port 80 -> 127.0.0.1 3128
    no nat on igb2 proto tcp from (igb2) to /
    nat on igb proto tcp ftom / to 127.0.0.1 port 80 -> igb2

    I don't need nat at all; it's a bridged interface.

    3. OK. Trying to set an IP on OPT, for example 10.1.1.1.
    Rules with nat are created.
    I don't know how to implement route-to lo0 in the linked firewall rule.

    I tried many combinations but don't see any traffic on the lo0 interface, i.e. the redirection doesn't work.
    First question: how to redirect the traffic?

    Global problem: we go from L2 -> L3, and Squid at L3, to my mind, can't put traffic back onto the bridge. Squid gets the traffic, performs some actions, and sends traffic on according to the system routing policy. How to define the policy for the bridge? That's the second question.



  • I've just been playing with the same setup… and I've narrowed it down to this... (but let's talk about my setup first too)

    10.1.1.102                                    10.1.1.3                      10.1.1.1  |    some pub IP
    (WinXP Host) -> switch -> (LAN | Bridge0 on OPT1 | WAN) -> (inside [router] outside) -> Internet
                                        noIP                            noIP

    So with everything in bridged mode, everything is working as I'd expect.

    If I bind squid to OPT1 (and then in the shell do a 'netstat -na') I see it running on 10.1.1.3:3128.

    If I configure my host for proxy use through 10.1.1.3:3128, squid works as I would expect.
    If I go back on my host to just go to 10.1.1.1 direct, and then add a NAT redirect for TCP:80 to 10.1.1.3:3128 and create the needed rule to allow on OPT1 to 10.1.1.3:3128 and then try to load any website... nothing happens.

    I don't think squid needs to be bound on 127.0.0.1; being bound to OPT1 should be ok?

    but the NAT redirect part isn't working as expected...

    net.link.bridge.pfil_member = 0
    net.link.bridge.pfil_bridge = 1

    as I've seen mentioned.

    I also have the proxy set to ALLOW USERS on interface
    and NOT SET for transparent proxy.

    So it does seem as if the NAT redirection is broken somehow.
    (I've tried Reflection Enabled and Default (which I think is "disabled"))

    -Ben



  • Any thoughts from anyone?

    (btw, I updated my config by adding another NIC)

    Config is now:

    10.1.1.102                                    10.1.1.3                      10.1.1.1  |    some pub IP
    (WinXP Host) -> switch -> (em2 |  Bridge0  | em1) -> (inside [router] outside) -> Internet
                                        noIP            |                noIP
                                                          |
                                                192.168.125.198
                                                        em0
    Admin System  –----------------------/



  • Additional info for anyone watching this thread:

    If I use tcpdump and watch the bridge0 interface, the packets from my PC come in and get redirected to 10.1.1.3:3128, but nothing ever responds.

    If I connect directly to 10.1.1.3:3128 via telnet or browser proxy settings... that works fine.

    It's like something in the packet filter/rewrite isn't sending the packet to where it needs to go or squid is ignoring it.

    I'm really trying to avoid using "routed" mode vs "bridged" mode...

    Am I missing a system tweakable?

    Thanks,

    -Ben
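Pulling together the pieces from the manual rdr post above and Ben's two follow-ups, the following is the documented FreeBSD pf + Squid interception pattern (rdr to loopback, pass with route-to lo0, pfil sysctls) adapted to a bridge. This is an added example, not configuration from the thread, from pfSense, or from the Squid project, and the thread itself never reports a confirmed working setup, so treat it as a reference layout to compare against. Assumed values: bridge0 carries 10.1.1.3/24 with its default route via the router 10.1.1.1 (Ben's addressing), Squid answers explicit clients on 3128 and intercepted ones on a separate port 3129; the macro names and the port 3129 are my choices. The state-flush command in the comments is the "reset firewall states" step from the stateful-firewall reply above.

```pf
# --- sysctl settings (FreeBSD /etc/sysctl.conf or pfSense System Tunables) ---
# Filter on the bridge interface itself, not on its members. With
# pfil_member=0 any rdr/pass rule written against a member (igb2, OPT1)
# never sees the frames; every rule below must name bridge0 instead.
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0
# The redirected packets leave L2 and enter the host IP stack, so the
# reply path back to the client needs forwarding enabled.
net.inet.ip.forwarding=1

# --- /etc/pf.conf fragment (assumed addressing, see lead-in) ---
bridge_if  = "bridge0"
lan_net    = "10.1.1.0/24"
proxy_port = "3129"

# Rewrite client HTTP to Squid's intercept port on loopback. pf keeps
# the original destination in its NAT state, which Squid looks up.
rdr on $bridge_if inet proto tcp from $lan_net to any port 80 \
    -> 127.0.0.1 port $proxy_port

# Without route-to lo0 the translated packet arrives on bridge0 with a
# loopback destination and the stack drops it; this rule hands it to lo0.
pass in quick on $bridge_if route-to lo0 inet proto tcp \
    from $lan_net to 127.0.0.1 port $proxy_port keep state

# Squid's own upstream fetches originate from the bridge address.
pass out quick on $bridge_if inet proto tcp from ($bridge_if) to any keep state

# Checks after loading the ruleset:
#   pfctl -sn | grep 3129          # the rdr rule is installed on bridge0
#   pfctl -ss | grep 127.0.0.1     # a state appears when a client browses
#   tcpdump -ni lo0 port 3129      # intercepted SYNs reach Squid
# After editing rules, flush existing states so running flows re-match:
#   pfctl -F states

# --- squid.conf fragment ---
# Keep the explicit port and the intercept port separate; intercept mode
# needs read access to /dev/pf to recover the original destination.
http_port 10.1.1.3:3128
http_port 127.0.0.1:3129 intercept
```

The design point is that bridging and interception meet at exactly one place: the bridge interface. Once pfil_member is 0, rules and NAT entries on the member NICs are dead code, which matches the symptom in the thread of a redirect that shows up in the logs but never produces a response.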

