Netgate Discussion Forum

    Strange problem with my new 2.1 config - NAT port forward strips URL

    • Legion

      I've upgraded from my 2.1-BETA setup to a 2.1-RELEASE. I've moved from:

      pfSense -> Dansguardian -> Squid3 -> internet

      to:

      pfSense -> Squid3 -> internet

      This works fine. I've got a fairly diverse range of devices that connect through pfSense and I use a combination of manual proxy settings and wpad to ensure things go through Squid. With my old Dansguardian setup I had a NAT rdr rule that made sure that if a device wasn't set to use the proxy, it would be sent there anyway. I modified my new config to have a similar rule:

      But when I apply this rule, addresses get stripped. Here's Squid's message for slashdot's result, for example:

      With URLs with qualified paths, it strips all the leading path so I end up with a relative path to nowhere. Here are some examples:

      You can see x.x.2.2 is working, which at the time of screenshot had the NAT rdr rule disabled. You can see that the x.x.1.110 device is stripping the URL for some random embedded image - that interface had a corresponding NAT rdr rule enabled at time of screenshot.

      What am I doing wrong? Is it NAT or Squid that I've misconfigured? As I say, no problems with the analogous rules with Dansguardian on 2.1-BETA.

      • Legion

        Actually, it seems to be an issue with Chrome stripping the http:// part of the URL. Internet Explorer works fine on the same computer with the NAT rdr enabled and the address bar contains the full URI including the http://. Chrome in their wisdom don't, and it appears that for some reason, somewhere in my configuration between sending the URL and Squid getting hold of it, it gets interpreted without the leading http://.

        • Legion

          I circumvented the issue by putting Squid into transparent mode, but I'm still curious why this happens - why does NAT redirection strip the URL? Is it because the "NAT IP" translates the destination URL to my pfSense box's URL, so instead of getting e.g. 123.456.78.90/something I get 192.168.0.1/something sent to Squid? If so, why did Dansguardian work with the same NAT?

          • timthetortoise

            Instead of NATing to the pfSense IP, try NATing to 127.0.0.1. I'm not sure that it'd make a difference, but it's how I have mine set up, and I see no such issues.

            • Legion

              I was hesitant but I tried it anyway - no luck. Thanks anyway. The main computer is on a VLAN, and I would expect if I NAT to 127.0.0.1 on any machine but the pfSense box itself it will look for Squid on a port on the same machine and find nothing.

              • timthetortoise

                No, when you NAT to 127.0.0.1, that means the NATing device - not the requesting device. At the NAT layer, VLANs do not matter - only IPs are involved at that point. Hope you find a fix for your issue, as I have been unable to reproduce it.

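Added example (not from either poster, and not pfSense or Squid code): a likely explanation for the symptom in this thread is that a browser configured for a proxy sends an absolute-form request target, while a browser whose traffic is redirected by NAT sends only the path plus a Host header. The Python below models a plain forward-proxy port and a transparent port; `parse_request`, `effective_url` and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not taken from the thread's missing screenshots).
PROXY_AWARE = (b"GET http://example.com/images/logo.png HTTP/1.1\r\n"
               b"Host: example.com\r\n\r\n")
REDIRECTED = (b"GET /images/logo.png HTTP/1.1\r\n"
              b"Host: example.com\r\n\r\n")


def parse_request(raw):
    """Return (method, request-target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw, intercept):
    """URL a proxy can derive from one request, or None if it cannot.

    intercept=False models a plain forward-proxy port, which expects the
    absolute-form target a proxy-configured browser sends.
    intercept=True models a transparent port, which also accepts the
    origin-form target and rebuilds the URL from the Host header.
    """
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return target                      # absolute-form: URL is complete
    if not target.startswith("/"):
        return None                        # neither form: reject
    host = headers.get("host")
    if intercept and host:
        return "http://" + host + target   # origin-form + Host header
    return None                            # forward port: only a bare path


if __name__ == "__main__":
    for name, raw in (("proxy-aware", PROXY_AWARE), ("redirected", REDIRECTED)):
        for mode in (False, True):
            print(name, "intercept" if mode else "forward", effective_url(raw, mode))
```

The Host header in the redirected case is supplied by the client, so an intercepting proxy should not treat the rebuilt URL as proof of where the connection was originally headed.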