Squid Transparent Proxy Issue



  • When I enable Transparent Proxy and try to navigate to a website such as apple.com it asks me to login and takes me to the pfsense web interface. When I turn it off it's fine but obviously then the proxy isn't being used. Why is this happening?



  • I'd like to add that I'm using Squid 2.6.5_1-p15 and pfSense 1.2-RC3. Thanks.



  • Any chance you set your proxy port to pfSense's webGUI port?

    Put the transparent proxy on 3128 and do not allow traffic to the outside on port 80.
    Also the admin port for pfSense should be https and not http (port 80)



  • The proxy port is the default of 3128. I changed to using https (443) for web interface. Now websites(e.g. microsoft.com)  go nowhere instead of to the web interface login. Thanks though.

    It seems like it's forwarding anything that has a destination port 80 to pfsense's internal port 80 instead of pfsense's port 3128. I assume that's how it works but I may be wrong. Maybe there's a way to manually set up a transparent proxy?



  • From  Proxy server | General settings did you enable LAN as interface and 'Allow users on interface' is ticked?
    And just to be sure 'Transparent proxy' is enabled as well?
    Upstream Proxy is empty and what about 'Access control'?



  • LAN is the interface and yes 'Allow users on interface' is ticked. I have no acl rules at all. Transparent proxy is definitely enabled. Everything else in the Squid config is default.

    I recently restored pfsense to factory settings. Didn't help. So I reinstalled pfsense from the live cd and it worked great. So then I started restoring previous and it broke again. So again I've reformatted and installed pfsense along with squid. I am in the process of tweaking one thing at a time to figure out what is breaking it and causing this strange behavior.



  • So far so good except the internet definitely seems slower and on a fast machine. One more clue to the puzzle; I happened to stop the squid service from the services page to see if squid was slowing things down and it made all websites start pointing to the pfsense login again. Very strange. I turned the service back on and everything was back to normal.

    Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?



  • Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?

    What this mean? Can you show screenshot?
    Only create please new topic. Lightsquid different package, and I was able quickly to find a new theme.
    –-
    Must be 2 shedule items
    Refresh sheduler
    Squid rotate log sheduler



  • Hi dvserg, glad you're on this thread!

    @dvserg:

    Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?

    What this mean?

    It think Eric complains about spelling. It should be: schedule



  • @jahonix:

    Hi dvserg, glad you're on this thread!
    ..
    It think Eric complains about spelling. It should be: schedule

    Ohm.. This is grammatic error. :(  I learned English poorly in school.:_(
    If you can - please check Lightsquid interface for grammatic and write me - i fix this.
    ps
    Sorry to me, all.



  • Dvserg, do you have an idea why Eric's traffic is redirected to the pfSense webGUI when disabling the transparent proxy?



  • It actually happens when I turn transparent proxy on. It also happened when I shut down the squid service though. Doesn't make sense to me.



  • @jahonix:

    Dvserg, do you have an idea why Eric's traffic is redirected to the pfSense webGUI when disabling the transparent proxy?

    On transparent mode squid make self redirect rules
    May be have incorrect switching from transparent to non-transparent mode
    Try switch to transparent and them to non-transparent once more.
    If problem also exists - paste you /tmp/rules.debug in topic or in PM
    –-
    Also what installed packages you have?



  • @EricTyrrell:

    So far so good except the internet definitely seems slower and on a fast machine. One more clue to the puzzle; I happened to stop the squid service from the services page to see if squid was slowing things down and it made all websites start pointing to the pfsense login again. Very strange. I turned the service back on and everything was back to normal.

    I am seeing the same issues where the internet is far slower when the proxy is enabled.  Please see my post here…
    http://forum.pfsense.org/index.php/topic,7186.0.html

    Also, as suggested above, I have included my rules.debug - though I am not having issues with traffic being redirected to the GUI.

    # System Aliases 
    loopback = "{ lo0 }"
    lan = "{ rl0  }"
    wan = "{ xl0  }"
    enc0 = "{ enc0 }"
    # User Aliases 
    
    set loginterface xl0
    set loginterface rl0
    set optimization normal
    
    scrub all random-id  fragment reassemble
    
    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    # FTP proxy
    rdr-anchor "pftpx/*"
    
    # Outbound NAT rules
    nat on $wan from 10.21.1.0/24 port 500 to any port 500 -> (xl0) port 500
    nat on $wan from 10.21.1.0/24 port 5060 to any port 5060 -> (xl0) port 5060
    nat on $wan from 10.21.1.0/24 to any -> (xl0)
    
    #SSH Lockout Table
    table <sshlockout> persist
    
    # Load balancing anchor - slbd updates
    rdr-anchor "slb"
    
    # FTP Proxy/helper
    table <vpns> {   }
    no rdr on rl0 proto tcp from any to <vpns> port 21
    rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    
    # Setup Squid proxy redirect
    rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80
    
    # IMSpector rdr anchor
    rdr-anchor "imspector"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    # Setup squid pass rules for proxy
    pass in quick on rl0 proto tcp from any to !(rl0) port 80 flags S/SA keep state
    pass in quick on rl0 proto tcp from any to !(rl0) port 3128 flags S/SA keep state
    
    anchor "ftpsesame/*" 
    anchor "firewallrules"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # snort2c
    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # loopback
    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"
    
    # package manager early specific hook
    anchor "packageearly"
    
    # carp
    anchor "carp"
    
    # permit wan interface to ping out (ping_hosts.sh)
    pass quick proto icmp from 205.158.217.134 to any keep state
    
    # NAT Reflection rules
    
    # allow access to DHCP server on LAN
    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to 10.21.1.1 port = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from 10.21.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
    block in log quick on $wan proto udp from any port = 67 to 10.21.1.0/24 port = 68 label "block dhcp client out wan"
    
    pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
    
    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
    antispoof for rl0
    
    anchor "spoofing"
    # Support for allow limiting of TCP connections by establishment rate
    anchor "limitingesr"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on xl0 all keep state label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick on rl0 from any to 10.21.1.1 keep state label "anti-lockout web rule"
    
    # SSH lockout
    block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    anchor "ftpproxy"
    anchor "pftpx/*"
    
    # User-defined aliases follow
    
    # User-defined rules follow
    block in quick on $lan proto tcp from any to any port = 80  label "USER_RULE"
    pass in quick on $lan from 10.21.1.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
    
    # VPN Rules
    
    pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on rl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on xl0 inet proto tcp from port 20 to (xl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    # enable ftp-proxy
    
    # IMSpector
    anchor "imspector"
    
    # uPnPd
    anchor "miniupnpd"
    
    #---------------------------------------------------------------------------
    # default rules (just to be sure)
    #---------------------------------------------------------------------------
    block in log quick all label "Default block all just to be sure."
    block out log quick all label "Default block all just to be sure."</sshlockout></virusprot></virusprot></snort2c></snort2c></snort2c></vpns></vpns></sshlockout>
    


  • Please see also this ticket http://cvstrac.pfsense.com/tktview?tn=1557, i can duplicate this behaviour.



  • Eric & Heiko:

    What type of hardware are you using when you can see the decrease in speed?



  • this one…

    http://www.ipc2u.de/catalog/M/MB/33531.html

    with 1 GB RAM and 40 GB HDD


Log in to reply