External squid3 server, Correct NAT Rules?
So I have pfSense running on a thin client, and running squid3 on it is just too heavy. That being said, I have booted up a VM of Ubuntu 13.10 and installed squid3 on it. I'm trying to figure out how to get the setup to work so that pfSense will NAT redirect port 80 to 3128 of my proxy VM.

Interface: LAN
Protocol: TCP
Source: 192.168.1.100 (this is the IP of a machine on my LAN I'm using for testing)
Source port range: any - any
Destination: any
Destination port range: HTTP - HTTP
Redirect target IP: 192.168.1.145 (IP of my squid3 VM)
Redirect target port: 3128
NAT Reflection: Enable Pure NAT
Then in my squid conf I have the following:

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny to_localhost
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
# Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Leave coredumps in the first cache dir
coredump_dir /mnt/cache
# Allow localnet machines to whitelisted sites
http_access allow localnet
# block all other access
http_access deny all

Also, I'm not sure: do I need to add any iptables configs to the Squid VM?
I have the same question; I can't figure out how to edit the firewall rules for using an external, separate transparent Squid machine :)

The old-fashioned way, there is a need for a prerouting, a postrouting and a forward rule. I have tried the same scenario as ndboost mentioned above; it seems not to work.

P.S. I've tried this on pfSense 2.1.

Later edit: As I discovered on http://lukasz.cepowski.com/devlog/10,setup-squid-as-a-transparent-cache-proxy-for-lan, it seems that there is a bug with forwarding one port into another in the same LAN subnet. And indeed I've checked the Squid access log, and it was empty all the time (meaning it received no connections at all).

Following the guide on that page: I cannot follow it, because port 80 is already used by another process, so I must find a new workaround (or set up a new computer … more energy consumed, haha).
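An added illustration, not code from either poster, of why a port forward to a Squid host on the same LAN segment can leave the Squid access log empty, as reported above. It models the rule from the first post (LAN TCP from 192.168.1.100 to any:80 redirected to 192.168.1.145:3128) with and without source NAT on the redirected flow, and traces which way Squid's SYN-ACK travels. The pfSense LAN address (192.168.1.1) and the web server address (203.0.113.10) are assumed placeholders; the state table is a simplified imitation of pf, not pf itself.

```python
"""Constructed model of a pf-style port forward (rdr) sending a LAN client's
HTTP to a Squid host on the same subnet.  Not code from the thread: it only
illustrates the return-path problem.  The client (192.168.1.100) and Squid
(192.168.1.145) addresses are the thread's; the pfSense LAN address and the
web server address are assumed placeholders.
"""
from dataclasses import dataclass, replace

CLIENT = "192.168.1.100"
SQUID = "192.168.1.145"
FIREWALL = "192.168.1.1"    # assumed pfSense LAN address
WEB = "203.0.113.10"        # placeholder web server (TEST-NET-3 range)
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" or "SYN-ACK"


class Firewall:
    """Port forward (rdr) plus optional outbound NAT on the redirected flow,
    with a pf-like state table keyed on the translated 4-tuple."""

    def __init__(self, snat_redirected: bool):
        self.snat_redirected = snat_redirected
        self.states = {}  # translated (dst, dport, src, sport) -> original SYN

    def forward(self, pkt: Packet) -> Packet:
        # rdr rule from the thread: LAN TCP, destination any:80 -> 192.168.1.145:3128
        if pkt.dport != 80:
            return pkt
        out = replace(pkt, dst=SQUID, dport=3128)
        if self.snat_redirected:
            # Rewrite the source too, so Squid's answer must come back through us.
            out = replace(out, src=FIREWALL)
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def untranslate_reply(self, pkt: Packet):
        # A reply is rewritten only if it matches an existing state; pf drops the rest.
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.flag)


def client_accepts(reply, syn: Packet) -> bool:
    """A TCP client only accepts a SYN-ACK from the address:port it connected to."""
    return (reply is not None
            and (reply.src, reply.sport) == (syn.dst, syn.dport)
            and (reply.dst, reply.dport) == (syn.src, syn.sport))


def simulate(snat_redirected: bool) -> dict:
    fw = Firewall(snat_redirected)
    syn = Packet(CLIENT, 40000, WEB, 80, "SYN")
    at_squid = fw.forward(syn)
    # Squid answers whoever the translated SYN appeared to come from.
    synack = Packet(at_squid.dst, at_squid.dport, at_squid.src, at_squid.sport, "SYN-ACK")
    if synack.dst == FIREWALL:
        path = "via pfSense"
        delivered = fw.untranslate_reply(synack)
    elif synack.dst.startswith(LAN_PREFIX):
        # Same subnet: Squid ARPs for the client and delivers directly, so the
        # firewall never sees the reply and cannot undo the rdr translation.
        path = "direct to client"
        delivered = synack
    else:
        path = "via default gateway"
        delivered = fw.untranslate_reply(synack)
    ok = client_accepts(delivered, syn)
    return {
        "snat_redirected": snat_redirected,
        "reply_path": path,
        "handshake_completes": ok,
        # Squid writes access.log on request completion, so a handshake that
        # never completes leaves the log empty, as reported in the thread.
        "access_log_entry": ok,
    }


if __name__ == "__main__":
    for snat in (False, True):
        r = simulate(snat)
        print(f"source NAT on redirected flow={snat!s:5}  reply {r['reply_path']:17}"
              f"  handshake completes={r['handshake_completes']}")
```

Without source NAT the model shows Squid's SYN-ACK going straight to 192.168.1.100 from 192.168.1.145:3128, which the client rejects because it is waiting for an answer from 203.0.113.10:80; no TCP connection is ever established, so Squid has nothing to log. With source NAT on the redirected flow the reply is addressed to pfSense, matches the state and is translated back. In pfSense terms that is a manual outbound NAT rule on the LAN interface for traffic to 192.168.1.145:3128 (Squid then sees the firewall's address as the client, which the posted `acl localnet` still permits), or placing the proxy on its own interface so its replies have to cross the firewall anyway. The "Pure NAT" reflection setting in the posted rule does not help here, since reflection only applies to connections aimed at one of pfSense's own addresses. Since the forward already rewrites the destination port to 3128 in this model, no iptables redirect is needed on the Squid VM itself; one would only matter if the forward targeted port 80 on that host.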