Squid - bypass transparent proxy when going through IPsec {SOLVED}



  • I'm running pfSense 1.2RC2 with squid in transparent mode.

    1. How do I disable the forwarding of port 80 to squid if destination host is on a private subnet (not on LAN, accessed via IPSec tunnel)?

    2. How do I exclude certain source IPs from being forwarded to squid?

    Any hints much appreciated.

    thanks!

    Updated:
    3. Is squid.inc the only place I need to edit to accomplish points #1 and #2?

    switch($type) {
        case 'nat':
            foreach ($ifaces as $iface){
                $rules .= "# Setup Squid proxy redirect\n";
                $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
                $rules .= "\n";
            };
            break;
        case 'filter':
            foreach ($ifaces as $iface){
                $rules .= "# Setup squid pass rules for proxy\n";
                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                $rules .= "\n";
            };
            break;

    ***** Solved:

    1. created two aliases dontProxySRC and dontProxyDST using WebGUI
    2. created fake rule using aliases from #1 to force pfsense to setup a pf table
    3. replaced nat case in file /usr/local/pkg/squid.inc with the following:

        case 'nat':
            foreach ($ifaces as $iface){
                $rules .= "# Setup Squid proxy redirect\n";
                // exclusions must come before the catch-all rdr: pf applies the first matching translation rule
                $rules .= "no rdr on $iface proto tcp from <dontproxysrc> to any port 80\n";
                $rules .= "no rdr on $iface proto tcp from any to <dontproxydst> port 80\n";
                $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
                $rules .= "\n";
            };
            break;
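    The rule ordering above is the whole trick: pf uses the first matching translation rule, so the two "no rdr" exclusions have to precede the catch-all "rdr" to squid. The following Python script is an added illustration, not code from the thread or from pfSense: it renders the same three rules the patched squid.inc emits for one interface and then applies pf's first-match rule to sample packets so you can see which flows reach squid. The alias members, the interface name em0 and its address 192.168.1.1 are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the thread): the members pfSense would load
# into the pf tables built from the dontProxySRC / dontProxyDST aliases, and the
# LAN interface the rules are generated for (name -> its own address, for !(em0)).
TABLES = {
    "dontproxysrc": ["192.168.1.50"],      # LAN host that must never be proxied
    "dontproxydst": ["10.20.0.0/16"],      # remote subnet reached through the IPsec tunnel
}
IFACES = {"em0": "192.168.1.1"}

# One tuple per rule, in the order the patched squid.inc writes them:
# (is_no_rdr, source spec, destination spec, destination port)
# A spec is "any", a table name, or "!(iface)" (anything but the interface's own address).
NAT_RULES = [
    (True,  "dontproxysrc", "any",          80),
    (True,  "any",          "dontproxydst", 80),
    (False, "any",          "!(iface)",     80),
]


def render_pf(iface, rules=NAT_RULES):
    """Produce the pf text for one interface, matching the squid.inc output."""
    lines = ["# Setup Squid proxy redirect"]
    for no, src, dst, port in rules:
        s = "any" if src == "any" else f"<{src}>"
        if dst == "!(iface)":
            d = f"!({iface})"
        else:
            d = "any" if dst == "any" else f"<{dst}>"
        kw = "no rdr" if no else "rdr"
        tail = "" if no else " -> 127.0.0.1 port 80"
        lines.append(f"{kw} on {iface} proto tcp from {s} to {d} port {port}{tail}")
    return "\n".join(lines)


def _in_table(ip, table):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in TABLES[table])


def _matches(spec, ip, iface):
    if spec == "any":
        return True
    if spec == "!(iface)":
        return ip != IFACES[iface]
    return _in_table(ip, spec)


def redirect_target(iface, src, dst, dport, rules=NAT_RULES):
    """Apply pf's first-match semantics for translation rules: the first rule
    whose source, destination and port all match decides. 'no rdr' leaves the
    packet untouched; 'rdr' sends it to squid on 127.0.0.1:80. Returns the
    (address, port) the packet is redirected to, or None if it is not."""
    for no, s, d, port in rules:
        if dport == port and _matches(s, src, iface) and _matches(d, dst, iface):
            return None if no else ("127.0.0.1", 80)
    return None


if __name__ == "__main__":
    print(render_pf("em0"))
    for src, dst in [("192.168.1.20", "93.184.216.34"),   # LAN -> internet: proxied
                     ("192.168.1.20", "10.20.5.5"),       # LAN -> IPsec subnet: not proxied
                     ("192.168.1.50", "93.184.216.34")]:  # excluded host: not proxied
        print(src, "->", dst, ":", redirect_target("em0", src, dst, 80))
```

Passing `rules=list(reversed(NAT_RULES))` to redirect_target shows why the order matters: with the catch-all first, the exclusions never match and IPsec-bound traffic is handed to squid anyway. On the firewall itself the rendered text can be syntax-checked without loading it using pfctl -nf.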



  • Hi MrSense,

    Thank you for your help.
    Forgive my poor English, would you please tell me how to "create a fake rule using aliases from #1 to force pfSense to set up a pf table"?

    Do you mean that I create two rules, one from dontProxySRC to any on the LAN interface, another from any to dontProxyDST?

    If one of the aliases is blank without any records, will this modification go wrong?

    Please advise me.
    Thank you in advance.



  • Hi dogz.

    I noticed that pfSense would not set up a pf table unless the alias is used by one of the rules.  Therefore you'll need to create a rule that uses the particular alias(es) (in this case DontProxyDST and DontProxySRC).  The examples that you gave would work, but I feel that a rule created for the sole purpose of making sure that the pf table has been created should not do anything important (hence I called it a "fake" rule).  For example you could set up a LAN rule to pass TCP protocol with source DontProxySRC and destination DontProxyDST on port 80.

    pfSense will not allow an alias to have no records.  If you don't want to use one of the aliases you might consider either omitting the line that is using it:
    $rules .= "no rdr on $iface proto tcp from <dontproxysrc> to any port 80\n";
    or
    $rules .= "no rdr on $iface proto tcp from any to <dontproxydst> port 80\n";

    or filling it in with a private IP address that does not belong to your network. For example, if you don't use a private class B subnet you could enter 172.17.1.1



  • Dear Mrsense,

    Thank you so much, it works and solves my problem.

    :D :-*



  • I added an option to let squid NOT redirect RFC1918 subnets…

    just reinstall the package and have a look :-)

