External squid3 server, Correct NAT Rules?



  • So I have pfSense running on a thin client, and running squid3 on it is just too heavy. That being said, I have booted up a VM of Ubuntu 13.10 and installed squid3 on it. I'm trying to figure out how to get the setup to work so that pfSense will NAT redirect port 80 to 3128 of my proxy VM.

    
    Interface: LAN
    Protocol: TCP
    Source: 192.168.1.100 - this is the IP of a machine on my LAN I'm using for testing
    Source port range: any - any
    Destination: any
    Destination port range: HTTP - HTTP
    Redirect target IP: 192.168.1.145 - IP of my squid3 VM
    Redirect target port: 3128
    NAT Reflection: Enable Pure NAT
    
    

    Then in my squid.conf I have the following:

    
    # localhost / to_localhost are predefined in Squid 3.2+; restating them is harmless
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 192.168.1.0/24
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    
    acl CONNECT method CONNECT
    
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    # The stock squid.conf pairs the CONNECT acl above with this rule; without it
    # CONNECT tunnels to any Safe_port (e.g. 21, 1025-65535) are let through
    http_access deny CONNECT !SSL_ports
    
    http_access deny to_localhost
    icp_access deny all
    htcp_access deny all
    
    # "transparent" is the pre-3.1 spelling; Squid 3.x accepts it as an alias for
    # "intercept". Only NAT-intercepted traffic belongs on this port; clients that
    # point at the proxy explicitly should get a separate plain http_port.
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid3/access.log squid
    
    #Suggested default:
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern .               0       20%     4320
    # Leave coredumps in the first cache dir
    coredump_dir /mnt/cache
    
    # Allow localnet machines to whitelisted sites
    http_access allow localnet
    
    # block all other access (must stay the last http_access line)
    http_access deny all
    
    

    Also, I'm not sure: do I need to add any iptables configs to the squid VM?



  • I have the same question; I can't figure out how to edit the firewall rules for using an external, separate transparent Squid machine :)

    In the old fashion, there is a need for a PREROUTING, a POSTROUTING and a FORWARD rule. I have tried the same scenario as ndboost mentioned above; it seems not to work.

    P.S. I've tried this on pfSense 2.1.

    L.E. As I discovered on http://lukasz.cepowski.com/devlog/10,setup-squid-as-a-transparent-cache-proxy-for-lan, it seems that there is a bug with forwarding one port into another in the same LAN subnet. And indeed, I've checked the Squid access log, and it was empty all the time (meaning it received no connections at all).
    Following the guide on that page, I cannot follow it because port 80 is already used by another process, so I must find a new workaround (or set up a new computer … more energy consumed haha)
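Added example, not from either poster, covering both the iptables question in the first post and the empty access log in the second. Two things stop the posted port forward from working. First, the Squid VM is the TCP endpoint: once pfSense rewrites the destination to 192.168.1.145:3128, the VM answers the client directly on the shared subnet, the return traffic never crosses pfSense, so nothing undoes the translation and the client sees packets from 192.168.1.145:3128 for a connection it opened to some web server on port 80 and resets it. Second, Squid's intercept mode (transparent is the older spelling of the same option) recovers the original server address from the local kernel's NAT table via SO_ORIGINAL_DST; on a box that did not do the translation itself that table is empty, so even a packet that arrives cannot be proxied anywhere sensible. The usual layout is therefore: delete the port forward, have pfSense route the port-80 traffic to the VM instead (a gateway defined on LAN at 192.168.1.145, a LAN pass rule for TCP to destination port 80 from LAN net with that gateway selected, preceded by a pass rule for source 192.168.1.145 without a gateway so the proxy's own fetches are not sent back to itself), and do the REDIRECT on the VM with iptables. Because the server-to-client half of every connection then bypasses pfSense, the port-80 rule should use pf's sloppy state type (under the rule's advanced options), or state tracking will start dropping the client's packets. The squid.conf can stay as posted. The script below is the VM side of that; the interface name and addresses are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread. Firewall setup on the Squid VM for
# the layout where pfSense routes (does not translate) LAN port-80 traffic to
# the VM and the VM performs the port redirect itself.
# Assumed values (the thread only gives the addresses): LAN NIC eth0,
# pfSense LAN 192.168.1.0/24, Squid intercept port 3128.
set -eu

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit the rules one command per line so they can be reviewed (or diffed
# against iptables-save) before they touch the live firewall.
# REDIRECT records the original destination in this box's conntrack table,
# which is exactly what "http_port 3128 transparent/intercept" reads back via
# SO_ORIGINAL_DST; that lookup is why the NAT must happen here and not on pfSense.
# Only packets arriving on eth0 are matched: Squid's own outbound fetches leave
# through the OUTPUT chain and are never looped back into the proxy.
squid_vm_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Health check: read "iptables-save -t nat" output on stdin and succeed only if
# the redirect to Squid's port is installed (an empty access.log with this
# check failing means the kernel never handed port-80 traffic to Squid).
redirect_in_place() {
    grep -q -- "--dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# "apply" (as root) installs the rules; anything else just prints them.
case "${1:-print}" in
    apply) squid_vm_rules | sh -e ;;
    *)     squid_vm_rules ;;
esac
```

Run it once without arguments to read the rules, then `sudo sh squid-vm-fw.sh apply`; afterwards `sudo iptables-save -t nat | sh -c '. ./squid-vm-fw.sh >/dev/null; redirect_in_place' && echo ok` confirms the redirect is live. Nothing here needs ip_forward: every matched packet is redirected to a local socket, so the VM forwards no traffic on anyone's behalf, and port 3128 is reachable only from the LAN.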