Netgate Discussion Forum

    Dansguardian with transparent pfSense

    General pfSense Questions

    ethit:

      I've scoured the forums looking for an answer to my problem, but everything I've found has said my setup should work.

      I have pfSense set up and working in transparent mode (WAN, LAN, and BRIDGE). I have squid and dansguardian installed.

      I've tried every combination of listening interfaces I can think of for squid and dansguardian, but I can't get it to work transparently. Currently, I have this:

      dansguardian -> WAN (10.1.1.80:8080), proxy 127.0.0.1:3128 (explicitly filled in)

      squid -> loopback

      When I configure the client to proxy to 10.1.1.80:8080 I do get filtering via dansguardian. When I try to create a NAT port forward to do this transparently I can't get any HTTP traffic to pass. Here's my current NAT port forward rule:

      If         - LAN
      Proto      - TCP
      Src. addr  - *
      Src. ports - *
      Dest. addr - *
      Dest. ports - 80
      NAT IP     - 10.1.1.80
      NAT Ports  - 8080

      So, I want to forward all traffic from the LAN destined for port 80 to 10.1.1.80:8080 (the WAN IP, where dansguardian is currently listening).

      I've read in several places that in order to get this to work I should have Dansguardian listening on the LAN, and have squid on the loopback. When you're using the Bridge the LAN doesn't have an IP address, so I can't create a port forwarding rule that points to the LAN.

      Maybe it's not possible with a transparent (bridged) setup, but it seems like other folks have gotten it to work. I have to think I'm missing a step somewhere. Any ideas?

      Thanks,

      e

      rjcrowder:

        Dans should be on the LAN interface… not the WAN.

        What do you mean that the bridge doesn't have an IP? What address is the pfSense Web GUI on?

        ethit:

          Sorry, should have had more detail in the first post. Here's the setup:

          WAN - DHCP (just for testing) 10.1.1.80
          LAN - IPv4 and IPv6 types set to none (That's as per the Transparent Firewall/Filtering Bridge document)
          Bridge - Contains WAN and LAN interfaces. IPv4 and IPv6 types set to none (as above)

          So, the webgui is on the WAN ip of 10.1.1.80.

          With the LAN not having an IP in this scenario, maybe it's not possible to set up dansguardian the way I want?

          Cino:

            remove the bridge..

            WAN should be connected to your ISP.

            Set an IP address for the LAN… set up the NAT rule for the LAN interface

            dans upstream to proxy via loopback is fine, this is what I do today

            rjcrowder:

              I can take a look at how to set up your bridge. I assume you have two NICs bridged that should be on the same subnet and serving up DHCP, etc. for the LAN? Someone else may be able to chime in and tell you off the top of their head…

              Regardless... as Cino pointed out... your current config is wrong. The WAN should connect to the ISP (most likely getting its IP via DHCP from your ISP). The webgui should run on the LAN and Dans should listen on the LAN

              ethit:

                Cino,

                I want to apply this filtering to only a segment of my network. I also don't want to make any configuration changes to the affected clients. DHCP, etc. will be served by other devices on the WAN side of pfSense. Those requirements seem to necessitate using pfSense in a transparent setup.

                If I understand correctly (which I clearly may not), and I remove the bridge I will no longer be using pfSense transparently. That would mean I'd need to make changes to the clients to use the pfSense box as their gateway.

                So, can I use dansguardian with pfSense and still keep pfSense transparent? If not, that's fine, I'll just have to go back to the drawing board and figure something else out.

                e

                ethit:

                  rjcrowder,

                  Yeah, I want this to sit on one segment of the network and not need any client changes to work. Both the WAN and LAN sides will be on a 10.1.1.x network. On a lark, I did try giving the LAN a 10.1.1.x address and tried setting up the NAT port forwarding to point there, but still no luck. Nothing gets served back to the client machine.

                  e

                  marcelloc:

                    On most tests I did, bridge is not the best setup for packages. If you use it only as a firewall, try to create a forward rule to send http traffic to a third gateway/machine with dansguardian and squid.

                    clients ---> pfsense bridge ---> lan --->
                                                              |---> second pfsense as a server with dansguardian and nat rule to transparent proxy.

                    Remember that a lot of sites today use https, so this setup will not work for them.

                    Elite Training: http://sys-squad.com

                    Help a community developer! ;D

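As an added illustration (not configuration posted by anyone in this thread, and not the ruleset pfSense generates from its GUI), here is what the port forward discussed above looks like as hand-written pf rules: first for the single-box layout the thread tries (DansGuardian listening on this firewall with squid on the loopback as its upstream), then for marcelloc's layout where the firewall only redirects HTTP to a separate host that runs DansGuardian and squid. The interface name `em1`, the `10.1.1.0/24` client network and the second-box address `10.1.1.81` are assumptions for the example; `10.1.1.80:8080` is the listener address from the first post.

```pf
# Added example: hand-written pf rules for the two layouts discussed in
# this thread. Not the ruleset pfSense generates. Interface name, client
# network and the proxy-host address 10.1.1.81 are assumptions.

lan_if    = "em1"           # assumed LAN interface name
lan_net   = "10.1.1.0/24"   # assumed client network (the thread's 10.1.1.x)
dans_addr = "10.1.1.80"     # address DansGuardian listens on (from the thread)
dans_port = "8080"          # DansGuardian listen port (from the thread)

# Layout 1: DansGuardian on this box. Plain HTTP from LAN clients is
# redirected to the filter; DansGuardian then talks to squid on
# 127.0.0.1:3128 as its upstream proxy. $dans_addr must be an address this
# box actually holds on an interface the clients can reach; on a bridge
# whose LAN side has no address there is nothing to bind to there, which
# is the obstacle the thread keeps running into.
rdr on $lan_if proto tcp from $lan_net to any port 80 -> $dans_addr port $dans_port

# After rdr the filter stage sees the translated destination, so the pass
# rule must match $dans_addr:$dans_port, not the original "any port 80".
pass in quick on $lan_if proto tcp from $lan_net to $dans_addr port $dans_port keep state

# Layout 2 (marcelloc's suggestion): this box only forwards; a separate
# host runs DansGuardian + squid with its own transparent-proxy NAT rule.
# Use these two lines instead of the rdr/pass pair above, not in addition
# to it: rdr is first-match, so only the first matching rdr would apply.
# proxy_box = "10.1.1.81"    # assumed address of the second box
# rdr on $lan_if proto tcp from $lan_net to any port 80 -> $proxy_box port $dans_port
# pass in quick on $lan_if proto tcp from $lan_net to $proxy_box port $dans_port keep state

# Neither rdr matches port 443, so HTTPS from $lan_net bypasses the filter
# entirely (marcelloc's caveat). Keeping it as an explicit rule makes that
# gap a visible policy decision rather than an accident of the port list.
pass in quick on $lan_if proto tcp from $lan_net to any port 443 keep state
```

In the pfSense GUI the `rdr` line corresponds to the Firewall > NAT > Port Forward entry from the first post with Interface set to LAN, and the `pass` line to the filter rule pfSense associates with it. The part worth checking when a forward like this silently drops traffic is the translated destination: it has to be an address the firewall (or the second box) holds and that the LAN interface can deliver to, which is why the replies steer towards giving the LAN an address or moving the proxy to another machine.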
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.