Strange problem with my new 2.1 config - NAT port forward strips URL

  • I've upgraded from my 2.1-BETA setup to a 2.1-RELEASE. I've moved from:

    pfSense -> Dansguardian -> Squid3 -> internet


    pfSense -> Squid3 -> internet

    This works fine. I've got a fairly diverse range of devices that connect through pfSense and I use a combination of manual proxy settings and wpad to ensure things go through Squid. With my old Dansguardian setup I had a NAT rdr rule that made sure that if a device wasn't set to use the proxy, it would be sent there anyway. I modified my new config to have a similar rule:

    But when I apply this rule, addresses get stripped. Here's Squid's message for slashdot's result, for example:

    With URLs with qualified paths, it strips all the leading path so I end up with a relative path to nowhere. Here are some examples:

    You can see x.x.2.2 is working, which at the time of screenshot had the NAT rdr rule disabled. You can see that the x.x.1.110 device is stripping the URL for some random embedded image - that interface had a corresponding NAT rdr rule enabled at time of screenshot.

    What am I doing wrong? Is it NAT or Squid that I've misconfigured? As I say, no problems with the analogous rules with Dansguardian on 2.1-BETA.

  • Actually, it seems to be an issue with Chrome stripping the http:// part of the URL. Internet Explorer works fine on the same computer with the NAT rdr enabled and the address bar contains the full URI including the http://. Chrome in their wisdom don't, and it appears that for some reason something in my configuration between sending the URL and Squid getting hold of it it gets interpreted without the leading http://.

  • I circumvented the issue by putting Squid into transparent mode, but I'm still curious why this happens - why NAT redirection strips the URL? Is it because the "NAT IP" translates the destination URL to my pfSense box' URL, so instead of getting e.g. 123.456.78.90/something I get sent to Squid? If so, why did Dansguardian work with the same NAT?

  • Instead of NATing to the pfSense IP, try NATing to I'm not sure that it'd make a difference, but it's how I have mine set up, and I see no such issues.

  • I was hesitant but I tried it anyway - no luck. Thanks anyway. The main computer is on a vlan, and I would expect if I NAT to on any machine but the pfSense box itself it will look for squid on a port on the same machine and find nothing.

  • No, when you NAT to, that means the NATing device - not the requesting device. At the NAT layer, VLANs do not matter - only IPs are involved at that point. Hope you find a fix for your issue, as I have been unable to reproduce it.

Log in to reply