Howto: Direct transparent Linux proxy on the LAN
-
Hi All,
This little howto is for people who want to use a transparent proxy without installing squid on the pfSense box (I have an ALIX and running squid there takes a bit too much resources in my point of view).
First install squid on a Linux box on your LAN.
On the Linux Squid box:
In the squid config, add the lines (preferably close to similar lines in the config):
http_port 3129 intercept # this sets up transparent proxy support
acl localnet src 192.168.75.0/24 # replace the network with whatever your network is
http_access allow localnet # allows your network to use the proxy
Then add an iptables rule that redirects incoming traffic for port 80 with a destination IP different from the one of the squid box to port 3129 (in this example 192.168.75.178 is the IP of the squid box):
/sbin/iptables -A PREROUTING -t nat -i eth0 -p tcp ! -d 192.168.75.178 --dport 80 -j REDIRECT --to-port 3129
With that rule you can still run a webserver on port 80 on the same box.
If you want to keep the rule across reboots you can add it to /etc/rc.local
In pfSense interface:
Add a gateway with the IP address of your squid box, on the LAN interface (do not set it as a default gateway and do not monitor it), and you can use policy routing in the firewall rules to redirect traffic originating from your LAN but the squid box with destination port 80 to be forwarded to the squid box, and in advanced properties choose sloppy state as state type and choose your "squid gateway" as gateway.
In the attachment you can see screenshots of the pfSense config.
Cheers,
Stéphane
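
The redirect rule from the post above, wrapped so it can be run repeatedly without stacking duplicate rules; this is an added example, not part of the original post. The function names are hypothetical, and the extra mangle-table DROP for direct connections to the intercept port is an assumption taken from Squid's usual interception guidance, not from the post.

```shell
#!/bin/sh
# Added example: idempotent install of the howto's REDIRECT rule.
# Defaults mirror the values used in the post; override via environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
SQUID_IP="${SQUID_IP:-192.168.75.178}"
SQUID_PORT="${SQUID_PORT:-3129}"

# Rule spec (everything after the chain name) for the port-80 redirect.
redirect_spec() {
    echo "-i $LAN_IF -p tcp ! -d $SQUID_IP --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}

# Assumption (not in the post): drop clients that connect straight to the
# intercept port. mangle/PREROUTING runs before nat/PREROUTING, so traffic
# that will be redirected still has dport 80 here and is not affected.
guard_spec() {
    echo "-i $LAN_IF -p tcp --dport $SQUID_PORT -j DROP"
}

# ensure_rule TABLE CHAIN SPEC: append only when -C reports the rule absent.
ensure_rule() {
    table=$1; chain=$2; spec=$3
    # $spec is left unquoted on purpose so it splits into separate arguments.
    if $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null; then
        return 0
    fi
    $IPTABLES -t "$table" -A "$chain" $spec
}

apply_rules() {
    ensure_rule mangle PREROUTING "$(guard_spec)" &&
    ensure_rule nat PREROUTING "$(redirect_spec)"
}

# Touch the firewall only when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Calling the script with the argument apply from /etc/rc.local takes the place of the bare -A line, so re-running rc.local does not add a second copy of the rule.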
-
Thank you very, VERY, much!! The "sloppy state" is the answer to my issue!