Squid transparent proxy breaks 1:1 NAT + NAT reflection again



  • I'm facing a painful problem with NAT 1:1 reflection and squid in transparent mode, the same as in this topic: http://forum.pfsense.org/index.php?topic=43613.0
    I tried jimp's solution without results!

    My test conf is the following:

    ```
                        |                        |
          X.Y.Z.244     |                        |
               WAN      |      pfsenseFW         |   LAN: 10.6.100.254
          X.Y.Z.245     |        Squid           |
                        |                        |
                        +---------DMZ------------+
                                10.6.107.1
                                    |
                                    |
                                10.6.107.2
                                mailserver
    ```

    • X.Y.Z.244: pfSense internet address;

    • X.Y.Z.245: virtual IP, NAT 1:1 to 10.6.107.2 (with reflection)

    From the internet, NAT 1:1 works fine, i.e. I can reach the mailserver on HTTP, SMTP, POP3, etc.
    From LAN clients, reflection works for every port (RDP, SMTP, etc.) but not for the HTTP (80) port! Disabling squid transparent mode, everything works as expected.
    Moreover, even setting X.Y.Z.245 in the "Bypass proxy for these destination IPs" squid option (as stated in the thread above), no HTTP connection is obtained.

    I tested this behaviour on a fresh  pfSense 2.1-RELEASE install.

    I dug through the forum to find a solution, but apart from the thread above (maybe it was on pfSense 1.2?), I didn't find any…
    It seems impossible that no one has had to face this "issue"... ???



  • I'm "happy" to read that I'm not alone.

    I have exactly the same problem as you describe. pfSense 2.1 (latest stable version), squid proxy and NAT 1:1 reflection are not working for HTTP (80), even when I specify to bypass the proxy for the specific address I need.

    Only if proxy is disabled, NAT reflection works fine.

    Any help or more information about how to solve or workaround this behaviour is welcome.

    Thanks,



  • Never tried this setup with pfSense 2.0, but in 2.1 the transparent proxy breaks NAT reflection on my setup too...



  • I'm happy to see I'm not alone (in the dark)…
    But I do not understand why no one considers "our" (I think common) problem.

    Indeed, I think the problem is in the way NAT rules are applied on the firewall. I mean, it seems like the transparent proxy NAT rule still "translates" although the DMZ LAN is in "Bypass proxy for these destination IPs". Hence the "transparent proxy NAT rule" takes precedence over the "bypass" rules.

    I hope some admin could clarify this issue… pleeeeeeeease! :)

    Thanks for now.
    F
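The precedence argument in the post above can be made concrete with a pf ruleset. This is an added illustration in pf.conf syntax using the thread's addresses; it is not from the original thread and it is not the ruleset pfSense 2.1 or its squid package actually generates. The interface name `em1`, the squid listen port 3128 and the two rule orderings are assumptions. In pf the first matching `rdr` rule wins, so the two alternatives below (only one would be loaded) give opposite results for a LAN client opening X.Y.Z.245:80.

```pf
# Added illustration, not pfSense's generated rules. Interface name, squid
# port and rule order are assumptions; addresses come from the thread.
lan_if   = "em1"
pub_mail = "X.Y.Z.245"    # 1:1 virtual IP on WAN
dmz_mail = "10.6.107.2"   # mail server behind the 1:1 mapping

# Alternative A: transparent-proxy redirect evaluated first.
# A LAN client's connection to X.Y.Z.245:80 matches this rule (destination
# is not a LAN address), is sent to squid, and the reflection rule below is
# never reached. Every other port to X.Y.Z.245 skips the squid rule and is
# reflected, which is exactly the symptom described in the thread.
rdr pass on $lan_if proto tcp from any to ! ($lan_if) port 80 -> 127.0.0.1 port 3128
rdr on $lan_if proto tcp from any to $pub_mail -> $dmz_mail

# Alternative B: 1:1 reflection evaluated first.
# X.Y.Z.245:80 is translated to 10.6.107.2:80 before the squid rule is
# considered; other port-80 traffic from the LAN still goes to squid.
rdr on $lan_if proto tcp from any to $pub_mail -> $dmz_mail
rdr pass on $lan_if proto tcp from any to ! ($lan_if) port 80 -> 127.0.0.1 port 3128
```

Two things worth knowing when checking a box like this one. First, a `no rdr` exemption placed before the squid rule is terminal in pf (like `drop quick` for filter rules): `no rdr on $lan_if proto tcp from any to $pub_mail port 80` keeps that traffic away from squid, but it also prevents any later `rdr` from translating it, so an exemption alone cannot make the 1:1 reflection work; whether the package's bypass list is emitted that way is not established by the thread. Second, the translation rules actually loaded, in evaluation order, are listed by `pfctl -sn`, and on pfSense the generated ruleset can be read in /tmp/rules.debug; comparing the position of the squid `rdr` with the reflection `rdr` there is the quickest way to confirm or rule out the ordering explanation.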



  • I solved the problem right after I replied to you, so I want to modify the post.

    Our problem is the same and I'm sure about it. And the solution is in System > Advanced, Firewall/NAT tab: choose "NAT Reflection mode for port forwards: Enable (NAT+Proxy)".

    This solves the problem.

    ![Screen Shot 2014-01-15 at 11.52.42.png](/public/imported_attachments/1/Screen Shot 2014-01-15 at 11.52.42.png)



  • By the way, don't forget to add the external IPs of your servers to the bypass list in the proxy settings.

    For now it works for me, but I don't know if it will fail after a while.



  • @fatiher:

    I solved the problem right after I replied to you, so I want to modify the post.

    Our problem is the same and I'm sure about it. And the solution is in System > Advanced, Firewall/NAT tab: choose "NAT Reflection mode for port forwards: Enable (NAT+Proxy)".

    This solves the problem.

    That's great! Thank you fatiher!
    I'm going to test it asap and I'll let you know…



  • @fatiher:

    By the way, don't forget to add the external IPs of your servers to the bypass list in the proxy settings.

    For now it works for me, but I don't know if it will fail after a while.

    Unfortunately it does not work for me! :(

    I set
    System > Advanced, Firewall/NAT tab, "NAT Reflection mode for port forwards: Enable (NAT+Proxy)" as in your image above,
    and I put the public DMZ IP in "Bypass proxy for these destination IPs"…

    On the NAT 1:1 entry I tried NAT reflection "Enable" and "System default"... same result. :(

    But no way...
    Maybe I missed something? Could you post an image of your squid conf page, pleaaase?
    Thank you



  • It doesn't work for me either right now. I'm pretty sure there is a bug! For a time I thought I had managed to make it work, but later I figured out I had bypassed the proxy for my computer. Other computers in the network don't resolve the DMZ address in reflection... :(



  • I have exactly the same problem!
    pfSense 2.1 (latest stable)
      + squid package 2.7.9 (latest stable)
    If I disable the transparent proxy, it works.

    If I use port forwarding, "telnet www.site.com 80" works.
    If I use NAT 1:1, "telnet www.site.com 80" does NOT work.
    If I disable the transparent proxy, then with NAT 1:1 "telnet www.site.com 80" works.

    My only solutions are (1) disable the transparent proxy or (2) use port forwards instead of NAT 1:1.

    Does someone have other solutions?
    Has someone tried whether the squid 3.x.x package (beta) has the same problem? I cannot, since my pfSense is in production.

    In any case, thanks for posting! After 3 days of work, you helped me find the cause of my problem!

