Stand-alone Squid web proxy and NAT
Here's my setup:
- 3 sites (2 @home, 1 @datacenter)
- 2 ALIX 2D13 pfSense boxes (@home) and 1 pfSense VM (@datacenter) set as default gateway for their respective sites/subnets
- All 3 sites connected via IPSEC VPN
- 1 Debian 7 Squid web proxy machine @datacenter
What I'm trying to do is get all HTTP traffic to go through the Squid box, which is in a datacenter.
I successfully routed HTTP traffic from my 2 @home sites (ALIX boxes) to my Squid proxy through the VPN tunnel using a NAT rule:
interface=LAN from=any to=!localnet protocol=tcp source_port=any dest_port=80 => proxy_ip proxy_port
NB: localnet is an alias including all my local subnets
Now when it comes to machines in my datacenter, if I set the same NAT rule on the pfSense VM, it doesn't work. I also tried excluding the proxy itself to avoid loops:
interface=LAN from=!proxy to=!localnet protocol=tcp source_port=any dest_port=80 => proxy_ip proxy_port
Obviously I'm using NAT rules to avoid the need for any client-based proxy configuration.
Most things I read so far on that matter only deal with the Squid module for pfSense, but in my setup Squid is on a stand-alone machine.
Any fresh ideas would be appreciated.
I've been through the following topic: https://forum.pfsense.org/index.php?topic=39736.0
It looks like my issue could be that I try to NAT from and to the same interface (from LAN to LAN).
Maybe I just need to add an extra interface for my Squid box so as to NAT "from LAN to SQUID".
It seems consistent with what I already did for the remote sites: NATting "from LAN to IPSEC".
Could anybody confirm that?
PS: All boxes are running pfSense 2.1.5
Adding a new subnet for SQUID/NAT is not working either… I'm stuck... :-[
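As an added illustration (not part of this thread, and not pfSense or Squid code), here is a small Python model of the packet flow behind a port-80 port forward to a proxy. It assumes a made-up LAN 10.10.0.0/24 with the pfSense LAN address at 10.10.0.1, the stand-alone Squid at 10.10.0.20:3128, a local client at 10.10.0.50, a remote-site client at 10.20.0.50 reached over the IPsec tunnel, and an off-LAN web server at 203.0.113.10; "firewall" means whichever pfSense applied the port forward. It reproduces the three situations in the thread: the remote-site case works because the proxy's reply has to cross the tunnel and therefore passes the firewall that did the translation; the same-LAN case fails because the proxy answers the client directly over the switch, the translation is never undone, and the client's TCP socket discards a SYN/ACK coming from 10.10.0.20:3128 instead of from the web server it contacted; and rewriting the source address to the firewall's LAN address as well forces the reply back through the firewall, which restores the path.

```python
"""Constructed model of a port-80 NAT redirect to a stand-alone proxy.

Demonstrates the asymmetric-return problem of a same-interface port forward:
the proxy's reply only gets un-NATted if it travels back through the firewall
that performed the translation. All addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass

# --- constructed topology (not taken from the forum post) ---
LAN_NET = ipaddress.ip_network("10.10.0.0/24")   # the proxy's own subnet
CLIENT = "10.10.0.50"                            # client on the same LAN as the proxy
REMOTE_CLIENT = "10.20.0.50"                     # client at a remote site behind IPsec
FW_LAN = "10.10.0.1"                             # pfSense LAN address
PROXY = "10.10.0.20"                             # stand-alone Squid
PROXY_PORT = 3128
WEB = "203.0.113.10"                             # off-LAN web server
WEB_PORT = 80
CLIENT_SPORT = 40000                             # ephemeral source port used by the client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    """True if ip is on the proxy's own subnet."""
    return ipaddress.ip_address(ip) in LAN_NET


class Firewall:
    """Port forward: tcp, src != proxy, dst != localnet, dport 80 -> proxy:3128.

    With outbound_nat=True the firewall additionally rewrites the source
    address to its own LAN address, so the proxy replies to the firewall.
    """

    def __init__(self, outbound_nat: bool):
        self.outbound_nat = outbound_nat
        self.state = {}   # (src as seen by proxy, sport) -> original packet

    def forward(self, pkt: Packet) -> Packet:
        matches = pkt.dport == WEB_PORT and not in_lan(pkt.dst) and pkt.src != PROXY
        if not matches:
            return pkt
        src = FW_LAN if self.outbound_nat else pkt.src
        self.state[(src, pkt.sport)] = pkt
        return Packet(src, pkt.sport, PROXY, PROXY_PORT)

    def reply(self, pkt: Packet) -> Packet:
        """Undo the translation(s) for a reply from the proxy."""
        orig = self.state.get((pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def simulate(outbound_nat: bool, client: str = CLIENT) -> dict:
    """Follow one SYN from client to web:80 and the proxy's SYN/ACK back."""
    fw = Firewall(outbound_nat)
    syn = Packet(client, CLIENT_SPORT, WEB, WEB_PORT)
    # The destination is off-LAN, so the client hands the SYN to its gateway.
    at_proxy = fw.forward(syn)
    # The proxy answers whatever source address it saw.
    synack = Packet(PROXY, PROXY_PORT, at_proxy.src, at_proxy.sport)
    # Proxy-side routing: a host on its own subnet (other than the firewall)
    # is reached directly over the switch; the firewall address and remote
    # subnets behind the tunnel are reached via the firewall.
    direct = in_lan(synack.dst) and synack.dst != FW_LAN
    if direct:
        path = "proxy -> client (firewall bypassed)"
        at_client = synack
    else:
        path = "proxy -> firewall -> client"
        at_client = fw.reply(synack)
    # The client's socket only accepts a reply matching the 4-tuple it sent.
    expected = (WEB, WEB_PORT, client, CLIENT_SPORT)
    got = (at_client.src, at_client.sport, at_client.dst, at_client.dport)
    return {"path": path, "reply_src": f"{got[0]}:{got[1]}", "accepted": got == expected}


if __name__ == "__main__":
    for label, kwargs in [
        ("remote-site client, plain redirect", {"outbound_nat": False, "client": REMOTE_CLIENT}),
        ("same-LAN client, plain redirect", {"outbound_nat": False}),
        ("same-LAN client, redirect + source NAT", {"outbound_nat": True}),
    ]:
        print(f"{label}: {simulate(**kwargs)}")
```

In pfSense terms the extra source rewrite is what the NAT reflection settings (Pure NAT together with automatic outbound NAT for reflection) provide for a port forward whose target sits on the same interface as the client; putting the proxy on its own interface, as the thread considers, achieves the same thing by making the firewall the only path back. Independently of the routing, Squid only accepts NAT-redirected connections on a port configured with the `intercept` option (`http_port 3128 intercept` on Squid 3.1 and later); a plain forward-proxy port rejects them.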