Lead all LAN Traffic to external Proxy on WAN Site



  • Hey folks,

    I'm a little stuck here with what I try to achieve.
    I've got the following infrastructure:

    WAN / Internet

          .-----+---------------.
          |  Router 10.0.0.1    |
          '-----+---------------'
                :
                :
                :
          .-----+---------------.
          |  Proxy 10.0.0.3:800 |
          '-----+---------------'
                |
            WAN | 10.0.0.0/8
                |
          .-----+------10.0.0.99-----.
          |  pfSense                 |
          '-----+------192.168.0.1---'
                |
            LAN | 192.168.0.0/24
                |
          .-----+------.
          | LAN-Switch |
          '-----+------'
                |
        ...-----+------... (Clients/Servers)

    So I want to force all LAN traffic from 192.168.0.0/24 to the (non transparent) proxy
    on the WAN side with address 10.0.0.3 on port 800.

    I already achieved this with another connected LAN via OpenVPN, but there is no need
    to use a VPN since the LAN in question is directly connected w/o any WAN between it.

    I tried to configure 10.0.0.3 as a gateway and created a rule to direct all HTTP traffic from
    LAN Segment to this Gateway but it's no use.

    I'm able to ping the 10.0.0.3 WAN proxy address from the LAN segment; unfortunately I can't
    just force all http traffic to JUST go to 10.0.0.3.

    Thx for all hints to solve this

    Best regards, Gunnar



  • I've never done this before, but it seems like maybe pfsense + squid could achieve this by:

    loading squid onto pfsense

    setting squid as transparent proxy on the lan

    then go into Proxy server: Upstream proxy settings in squid and enter the hostname, username and password of the external proxy you wish to have all the lan traffic routed through.

    Like I said, I have never tried anything like that, but that's where I'd start.

    Maybe someone else will have a better way.
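
    As an added example that is not part of the thread, the squid.conf equivalent of the three steps above, for a squid running on the pfSense box itself (LAN address 192.168.0.1 and upstream 10.0.0.3:800 from the diagram); port 3128 and the credential values are assumptions, not from the thread.

```squid
# Added example, not from the thread: squid.conf for the three GUI steps
# above, on a squid running on pfSense (LAN 192.168.0.1 from the diagram).
# Port 3128 and the PROXYUSER:PROXYPASS values are placeholders/assumptions.

# Step 2: accept intercepted ("transparent") HTTP from the LAN.
# A pfSense NAT rule must redirect LAN traffic to TCP/80 here; the squid
# package creates that rule when transparent mode is enabled.
http_port 192.168.0.1:3128 intercept

# Only the LAN segment may use this proxy; deny everything else.
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all

# Step 3: the external, non-transparent proxy on the WAN side as parent.
#   parent    forward requests to it instead of fetching directly
#   800       its HTTP port (10.0.0.3:800 in the diagram)
#   0         no ICP port, hence also no-query
#   default   use it when no other peer matches
#   login=    credentials the upstream proxy expects (placeholders)
cache_peer 10.0.0.3 parent 800 0 no-query default login=PROXYUSER:PROXYPASS

# Never fetch from the internet directly, so the external filter
# cannot be skipped even if the parent is slow or unreachable.
never_direct allow all

# Caveat: 'intercept' only covers plain HTTP. HTTPS (TCP/443) is not
# touched by this file and still leaves pfSense unfiltered unless a
# separate https_port with ssl-bump and a client-trusted CA is set up,
# which is why an HTTP-only transparent setup behaves differently for
# https sites. To stop clients bypassing the proxy for HTTP, also add a
# LAN firewall rule on pfSense that blocks direct TCP/80 to the WAN.
```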


  • Yeah, kejianshi is spot on. This is how we've done it here before we stopped using any proxies…



  • Even a blind squirrel finds a nut once in a while  (-;

    I'm not too hot on using proxies this way either unless all the traffic is purely flat html and no active script of any sort but should work if anonymity is not your major concern.



  • Sorry, I forgot to mention that I really need an external proxy for filtering reasons which pfsense can't provide. (Online filter database etc.) So just making pfsense acting as a proxy won't solve my problem, unfortunately.



  • Yep - we got that, so that's why you would be telling squid to bounce everything through the external proxy.  Right?



  • Guys, I knew s.o. would come along with a great idea. Thanks a lot kejianshi for this easy yet reliable solution. Thumbs up!

    Greetings Gunnar



  • I tried the above procedure: (1) installing squid transparently, (2) configuring the upstream server name and port.  It works for http, but for https it is not stable. I think the problem is the squid configuration or pfsense's firewall rules. If it is pfsense's firewall, please give me a heads up. I am totally new to the pfsense firewall.

