Transparent proxy not working after upgrade to 2.2
-
After updating to 2.2 and some fixes, it seems that squid is working, but transparent mode is not available. If I configure a client to navigate through port 3128, the proxy filters the connection, but in transparent mode the proxy doesn't listen. Maybe a config error? Is there any rule to add in 2.2 that was not needed in 2.1?
I have the x86 version and 2.1 was working like a charm.
Thx.
First lines of squid.conf - is it correct to have entries with http_port at 3128?
# Do not edit manually !
http_port 192.168.0.254:3128
http_port 127.0.0.1:3128 transparent
icp_port 0
-
I get the same configuration and the same problem: in transparent mode the connection doesn't work. No squid log available.
First lines of squid.conf are the same:
http_port (laninterface):3128
http_port 127.0.0.1:3138 intercept
Maybe it is a routing (tcp *:80 to 127.0.0.1:3138) problem?
-
Yes, it seems to be only a routing problem. But this redirection (tcp *:80 to 127.0.0.1:3138) should be done by squid itself when the transparent proxy option is checked. I've tested squid on 3128 and it's working fine, but port 80 communications aren't redirected. Any ideas?
Thx
-
From what I remember from my tests it's a firewall issue: if you manually try to create a NAT rule that redirects outgoing connections to the firewall address (either 127.0.0.1 or the LAN one), it doesn't work.
The only thing I can think of is that maybe it's a driver issue with some NICs, since pfSense 2.2 uses FreeBSD 10. My LAN NIC is an Intel 82801BA/BAM/CA/CAM (device id 2449) and is listed as fxp0 on pfSense.
-
I had these errors on my squid log:
2015/03/18 12:54:28 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 18 to 192.168.2.1:800: (13) Permission denied
2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 19 to 192.168.16.1:800: (13) Permission denied
FATAL: Unable to open HTTP Socket
Squid Cache (Version 3.4.10): Terminated abnormally.
Using sockstat I didn't have anything on port 800. I looked around and found the solution on the bug tracker of pfSense [1]. Run this command on the console or add it to System/Advanced/Tunables:
sysctl net.inet.ip.portrange.reservedhigh=0
[1] https://redmine.pfsense.org/issues/4196
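
A check to run before changing the tunable from the last post, as an added example (not from the thread or the pfSense project): it lists Squid commBind failures with errno 13 whose port lies inside the reserved port range, which is the case that tunable addresses. The function names and the sample log are constructed; 0 and 1023 are assumed as FreeBSD's stock values for reservedlow and reservedhigh.

```shell
#!/bin/sh
# Added example: find Squid bind failures caused by the reserved port range.

# Constructed sample, modelled on the cache.log lines quoted in the post above.
# The last line (errno 48, address in use) is a constructed negative case.
sample_log() {
cat <<'EOF'
2015/03/18 12:54:28 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 18 to 192.168.2.1:800: (13) Permission denied
2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 19 to 192.168.16.1:800: (13) Permission denied
2015/03/18 12:54:29 kid1| commBind: Cannot bind socket FD 20 to 127.0.0.1:3128: (48) Address already in use
EOF
}

# reserved_bind_failures LOW HIGH < cache.log
# Prints "address port" once for every commBind failure with errno 13
# (EACCES) whose port is within [LOW, HIGH].
reserved_bind_failures() {
    awk -v low="$1" -v high="$2" '
        /commBind: Cannot bind socket/ && /\(13\) Permission denied/ {
            t = ""
            # The field after "to" is ADDRESS:PORT followed by a colon.
            for (i = 1; i < NF; i++) if ($i == "to") { t = $(i + 1); break }
            if (t == "") next
            sub(/:$/, "", t)
            n = split(t, p, ":")
            port = p[n] + 0          # last element, so [v6]:port also works
            addr = substr(t, 1, length(t) - length(p[n]) - 1)
            if (port >= low && port <= high) print addr, port
        }' | sort -u
}

# bound NAME DEFAULT: read the live value on FreeBSD/pfSense, otherwise
# fall back to the assumed stock default.
bound() {
    sysctl -n "net.inet.ip.portrange.$1" 2>/dev/null || echo "$2"
}

# Demo run against the constructed sample.
sample_log | reserved_bind_failures "$(bound reservedlow 0)" "$(bound reservedhigh 1023)"
```

On the firewall, feed the real cache.log to `reserved_bind_failures` instead of `sample_log`; an empty result means the Permission denied errors have another cause.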