Howto : Direct transparent linux proxy on the lan



  • Hi All,

    This little howto is for people who want to use a transparent proxy without installing squid on the pfsense box (I have a alix and running squid there takes a bit too much resources in my point of view)

    First install squid on a linux box on your lan,

    On the Linux Squid Box
    in the squid config add the lines (preferably close to similar lines in the config) :

    http_port 3129 intercept # this sets up transparent proxy support

    acl localnet src 192.168.75.0/24        # replace the network with whatever your network is

    http_access allow localnet # allows your network to use the proxy

    then add an iptables rule that redirects incoming traffic for port 80 with a destination ip different from the one of the squid box to port 3129 (in this example 192.168.75.178 is the ip of the squid box)

    /sbin/iptables -A PREROUTING -t nat -i eth0 -p tcp ! -d 192.168.75.178 –dport 80 -j REDIRECT --to-port 3129

    with that rule you can still run a webserver on port 80 on the same box
    if you want to keep the rule across reboots you can add it to /etc/rc.local

    In pfSense interface:
    add a gateway with the ip address of your squid box, on the lan interface (do not set it as a default gateway and do not monitor it)

    and you can use policy routing in the firewall rules to redirect traffic originating from your lan but the squid box with destination port 80 to be forwarded to the squid box, and in advanced properties choose sloppy state as state type  and choose your "squid gateway" as gateway .

    In the attachment you can see screenshots of pfsense config.

    Cheers,
    Stéphane




  • Thank you very, VERY, much!! The "sloppy state" is the answer to my issue!


Log in to reply