Transparent mode doesn't work!



  • Good morning,

    Here I am again with my questions. I have 1 pfSense configured for a company (it works fine), and I've been asked to do a fresh install on another machine as a backup (for when the production one breaks or something happens to it). This second pfSense is identical to the production one, but transparent mode doesn't work: if I remove the proxy address from the browser, all the traffic goes through as if nothing were there.

    The question would be: if squid is in transparent mode, why does this happen? Why does the production squid work and the other one doesn't?

    I did the configuration of the second pfSense manually, because restoring from a backup was giving me problems.

    Many thanks in advance



  • :) hi,

    As I understand it, the one in production could fail at any moment.
    Download from the production one the backup of everything (including package configuration); that way you get the .xml file, and then you install that .xml on your second machine.

    If it isn't possible to download the .xml, then look for it via putty and get the one the system generates automatically every day.

    Now, which version of pfSense are you using?



  • Sorry, this will be in english, but I believe your problem is that you need to change the Squid Proxy Interface, and make sure it is NOT selected on localhost. LAN = yes, Localhost = no.

    Transparent + Localhost listen does not work.



  • Hi, and thanks for helping me,

    friend sanchezluys, I've already done that exercise, but the idea is to configure it from scratch having only the basic data. The easiest thing would be to restore the xml file, but the idea is to put myself in a situation where I don't have the xml file.

    friend extide, the squid proxy interface is on the LAN interface :)

    I did some tests: I unchecked the transparent mode box and saved, then went back, checked the transparent mode box and saved, and like that it DID work! I didn't need to set the proxy in the browser, but I got a big surprise when I rebooted the pfSense. It happens again, it lets everything through! As if that transparent mode configuration were erased, but I go and check and it's exactly as I left it before rebooting.

    This has left me even crazier.

    Thanks again for your help.



  • Diagnostics - Command

    pfctl -s nat

    Copy / paste it in this forum (without sensitive data).



  • hi bellera, the results are:


    $ pfctl -s nat
    nat-anchor "pftpx/" all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on em1 inet from 10.0.1.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.1.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.1.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.1.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.1.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.1.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 192.168.200.0/28 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 192.168.200.0/28 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 192.168.200.0/28 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 192.168.200.0/28 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 192.168.200.0/28 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 192.168.200.0/28 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.10.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.10.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.10.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.10.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.10.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.10.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.11.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.11.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.11.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.11.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.11.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.11.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.2.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.2.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.2.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.2.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.2.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.2.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.3.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.3.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.3.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.3.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.3.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.3.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.4.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.4.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.4.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.4.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.4.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.4.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.5.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.5.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.5.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.5.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.5.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.5.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.6.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.6.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.6.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.6.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.6.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.6.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.7.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.7.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.7.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.7.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.7.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.7.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.8.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.8.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.8.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.8.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.8.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.8.0/24 to any -> (em2) port 1024:65535 round-robin
    nat on em1 inet from 10.0.9.0/24 port = isakmp to any port = isakmp -> (em1) port 500 round-robin
    nat on em1 inet from 10.0.9.0/24 port = 5060 to any port = 5060 -> (em1) port 5060 round-robin
    nat on em1 inet from 10.0.9.0/24 to any -> (em1) port 1024:65535 round-robin
    nat on em2 inet from 10.0.9.0/24 port = isakmp to any port = isakmp -> (em2) port 500 round-robin
    nat on em2 inet from 10.0.9.0/24 port = 5060 to any port = 5060 -> (em2) port 5060 round-robin
    nat on em2 inet from 10.0.9.0/24 to any -> (em2) port 1024:65535 round-robin
    rdr-anchor "pftpx/" all
    rdr-anchor "slb" all
    no rdr on em0 proto tcp from any to <vpns> port = ftp
    no rdr on em0 proto tcp from <onetoonelist> to any port = ftp
    rdr on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
    no rdr on em2 proto tcp from any to <vpns> port = ftp
    no rdr on em2 proto tcp from <onetoonelist> to any port = ftp
    rdr on em2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
    rdr on em3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
    rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 10.0.2.205
    rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 10.0.2.205
    rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19000
    rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19001
    rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19002
    rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6200 -> 127.0.0.1 port 19003
    rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 10.0.4.205
    rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 10.0.4.205
    rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19004
    rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19005
    rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19006
    rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6400 -> 127.0.0.1 port 19007
    rdr on em1 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 10.0.1.220
    rdr on em1 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 10.0.1.220
    rdr on em0 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19008
    rdr on em0 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19009
    rdr on em3 inet proto tcp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19010
    rdr on em3 inet proto udp from any to 190.xxx.xxx.138 port = 55000 -> 127.0.0.1 port 19011
    rdr on em1 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 10.0.1.205
    rdr on em1 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 10.0.1.205
    rdr on em0 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19012
    rdr on em0 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19013
    rdr on em3 inet proto tcp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19014
    rdr on em3 inet proto udp from any to 190.xxx.xxx.139 port = 6100 -> 127.0.0.1 port 19015
    rdr-anchor "imspector" all
    rdr-anchor "miniupnpd" all
    binat on em1 inet from 10.0.1.220 to any -> 192.192.1.3


    I hope you can help me



  • Something is messed up. You should have something like:

    rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 3128
    rdr on lo0 inet proto tcp from any to ! (lo0) port = http -> 127.0.0.1 port 3128
    

    1. Anything arriving on LAN (em0) and not going to LAN (em0) with destination TCP 80 has to be sent to pfSense itself (127.0.0.1) port TCP 3128. That is, to squid.

    2. Anything arriving on pfSense itself (lo0) and not going to pfSense itself (lo0) with destination TCP 80 has to be sent to pfSense itself (127.0.0.1) port TCP 3128. That is, to squid.

    If, when you tick that you want the proxy (squid) in transparent mode, that doesn't show up in the nat rules, then there is some incompatibility with the rest of the things you have configured. Or a bug, of course.

    Make sure you have the LAN and loopback interfaces enabled in the squid (proxy server) configuration.

    Can you post your NAT Outbound, NAT 1:1 and NAT Port Forward? I mean the screenshots from the web configurator. Mask any data that may be sensitive (public IPs, for example).
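A way to turn the two expected `rdr` lines above into a repeatable check, as an added example that is not part of the thread and not pfSense's or Squid's own code: a small Python script that parses `pfctl -s nat` output and reports whether the LAN and loopback redirects of TCP 80 to 127.0.0.1 port 3128 are present. The interface name `em0` and the port 3128 are taken from the post; the two sample outputs embedded below are constructed (one shaped like the expected rules, one shaped like the output posted earlier, which has no redirect to 3128 at all).

```python
"""Check `pfctl -s nat` output for the transparent-proxy redirects pfSense
should install when Squid is in transparent mode (added example)."""
import re

# Constructed sample: the two lines bellera says should be present.
EXPECTED_OUTPUT = """\
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 3128
rdr on lo0 inet proto tcp from any to ! (lo0) port = http -> 127.0.0.1 port 3128
"""

# Constructed sample shaped like the poster's output: NAT, ftp helper and
# port forwards, but no redirect of HTTP to the local proxy.
BROKEN_OUTPUT = """\
nat-anchor "natrules/" all
nat on em1 inet from 10.0.1.0/24 to any -> (em1) port 1024:65535 round-robin
rdr on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr on em0 inet proto tcp from any to 192.0.2.10 port = 6200 -> 127.0.0.1 port 19000
binat on em1 inet from 10.0.1.220 to any -> 192.192.1.3
"""

# One pf rdr rule for TCP with a redirect target and port, e.g.
#   rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 3128
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto tcp from any to (?P<dst>.+?) "
    r"port = (?P<dport>\S+) -> (?P<target>\S+) port (?P<tport>\d+)$"
)


def parse_rdr_rules(text):
    """Return every TCP rdr rule in the pfctl output as a dict of its fields."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def transparent_proxy_rules(text, proxy_port="3128"):
    """Keep only the rules that send HTTP (port 80) to the proxy on localhost."""
    return [
        r for r in parse_rdr_rules(text)
        if r["dport"] in ("http", "80")
        and r["target"] == "127.0.0.1"
        and r["tport"] == proxy_port
    ]


def check_transparent_proxy(text, lan_iface="em0", proxy_port="3128"):
    """Report whether both the LAN and the lo0 redirect are present.

    Both are needed: the LAN rule intercepts client traffic, the lo0 rule
    covers traffic originating on the firewall itself.
    """
    found = {r["iface"] for r in transparent_proxy_rules(text, proxy_port)}
    return {
        "lan": lan_iface in found,
        "loopback": "lo0" in found,
        "ok": lan_iface in found and "lo0" in found,
    }


if __name__ == "__main__":
    # On a real box: pfctl -s nat | python3 this_script.py  (stdin read is
    # left out here so the sample runs offline)
    print("expected:", check_transparent_proxy(EXPECTED_OUTPUT))
    print("broken:  ", check_transparent_proxy(BROKEN_OUTPUT))
```

If `ok` is false right after ticking the transparent-mode box, or flips to false after a reboot as described earlier in the thread, the rules are not being regenerated by the package, which is the situation bellera describes as an incompatibility or a bug.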



  • Hello again, bellera, I'm attaching the NAT images and one of the Squid (Proxy server) config :)










  • Well, I see this isn't working properly for you.

    I also see that you must be on a 1.x version.

    You'd have to upgrade to the latest version. Otherwise it's complicated to maintain the installation.

    The only thing I can think of with the version you have is that you do the NAT Port Forward by hand (see image).


