Stand-alone Squid web proxy and NAT

  • Hello,

    Here's my setup :

    • 3 sites (2 @home, 1@datacenter)
    • 2 ALIX 2D13 pfsense boxes (@home) and 1 pfSense VM (@datacenter) set as default gateway for their respective sites/subnets
    • All 3 sites connected via IPSEC VPN
    • 1 Debian 7 Squid web proxy machine @datacenter

    What I'm trying to do is getting all HTTP traffic to go through the Squid box which is in a datacenter.

    I successfully routed HTTP traffic from my 2 @home sites (ALIX boxes) to my squid proxy through the VPN tunnel using a NAT rule:

    interface=LAN from=any to=!localnet protocol=tcp source_port=any dest_port=80 => proxy_ip proxy_port

    NB : localnet is an alias including all my local subnets

    Now when it comes to machines in my datacenter, if I set the same NAT rule on the pfSense VM, it doesn't work. I also tried excluding the proxy itself to avoid loops:

    interface=LAN from=!proxy to=!localnet protocol=tcp source_port=any dest_port=80 => proxy_ip proxy_port

    Obviously I'm using NAT rules to avoid the need for any client-based proxy configuration.

    Most things I read so far on that matter only deal with the Squid module for pfSense, but in my setup Squid is on a stand-alone machine.
    Any fresh ideas would be appreciated.

    Thank you.
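The first post describes pushing port-80 traffic to a stand-alone Squid with a pfSense NAT port-forward rule. As an added illustration (not the poster's configuration, and not a fix for the datacenter-side problem), this is what the Squid end of such a redirect setup usually needs: a port declared in `intercept` mode, because NAT-redirected requests carry only a relative URI plus a Host header rather than a proxy-style absolute URI, and an ACL restricting the proxy to the local subnets. The listening ports and subnet ranges are assumed values.

```conf
# Added example, not the poster's squid.conf: Squid 3.x on the stand-alone
# Debian box receiving port-80 traffic redirected by a pfSense NAT rule.
# Assumed values: proxy listens on 3128; local subnets 10.0.1.0/24,
# 10.0.2.0/24 and 10.0.3.0/24 (the three VPN-connected sites).

# "intercept" tells Squid the requests arrive via NAT redirection. Without it,
# every redirected request is answered with an "Invalid URL" error page.
# Because the DNAT happens on pfSense rather than on this host, Squid cannot
# read the original destination from the local kernel and reconstructs it
# from the Host header instead.
http_port 3128 intercept

# Keep a separate, ordinary forward-proxy port for clients that are
# explicitly configured; intercept ports must not be reused for that.
http_port 3129

# Only the local subnets may use the proxy; deny everything else so the box
# does not become an open proxy if the NAT rule is ever widened.
acl localnet src 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all

# Squid adds a Via header to requests it forwards. If the proxy's own
# outbound port-80 traffic were ever redirected back to itself, Squid logs
# "forwarding loop detected" in cache.log, which is the quickest check for
# the loop the poster tries to avoid by excluding the proxy in the NAT rule.
via on
```

After a redirect rule is in place, a request from a LAN client for a plain `http://` URL should appear in the proxy's `access.log` with the client's LAN address as source; if nothing shows up there while the rule is active, the traffic is not reaching the proxy and the problem is on the firewall side, not in Squid.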

  • I've been through the following topic:
    It looks like my issue could be that I try to NAT from and to the same interface (from LAN to LAN).

    Maybe I just need to add an extra interface for my Squid box so as to NAT "from LAN to SQUID".
    It seems consistent with what I already did for the remote sites : natting "from LAN to IPSEC".

    Could anybody confirm that ?

    PS : All boxes are running pfSense 2.1.5

  • Adding a new subnet for SQUID/NAT is not working either… I'm stuck... :-[
