PfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode
-
This is a follow-on from THIS thread. I've overcome the hurdles highlighted there with respect to the /tmp/rules.test.packages syntax error, so I thought I'd best start a more focussed thread.
If I enable tranparency mode on my LAN (on interface msk2) the only difference I see in the output of
pfctl -s rules -s natis the addition of
rdr on msk2 inet proto tcp from any to ! (msk2) port = http -> 127.0.0.1 port 3128which appears correct.
I have a firewall rule setup to allow outbound traffic from my LAN on port 3128 on which I've enabled logging for the moment.
If I manually enable the proxy on my laptop (MacBook Pro if that's of relevance) and access a webpage I see the following in my firewall log and the accesses are recorded in /var/log/squid/access.log.
If I turn on the transparent proxy and attempt to access the same webpage, the redirected access is logged as shown, but nothing appears in the squid access log, and the browser hangs.
Why might this be?
Thanks,
Steve
-
The notable thing about the screenshots above is that in transparent mode the request is forwarded to the loopback interface. Squid is not listening on that interface when not in transparent mode.
: netstat -an | grep LISTEN | grep 3128 tcp4 0 0 10.5.1.1.3128 *.* LISTENHowever in transparent mode it starts listening on loopback.
: netstat -an | grep LISTEN | grep 3128 tcp4 0 0 127.0.0.1.3128 *.* LISTEN tcp4 0 0 10.5.1.1.3128 *.* LISTENWhy then is nothing being logged?
Steve
-
Logged on squid or system logs?
If you have enabled logs, the default dir is /var/squid/logs instead of /var/log/squid.
-
Squid logs. I changed the default logging directory some time ago (under 2.1) as all the other pfSense logs are under /var/logs. I'll switch it back in case that makes a difference.
When accessing the proxy direct I see the expected per access entries in access.log.
Steve
-
Regardless of logging path, using squid direct I see logging, such as
: tail /var/squid/logs/access.log 1422370314.239 61 10.5.1.144 TCP_MISS/200 681 GET http://stat.flashtalking.com/reportV3/ft.stat? - HIER_DIRECT/172.224.35.210 text/plain 1422370314.284 16 10.5.1.144 TCP_MISS/304 360 GET http://cdn.flashtalking.com/38651/O2UKL0861C_JanSale_samsung_300x250.swf - HIER_DIRECT/172.224.35.210 application/x-shockwave-flash 1422370314.293 16 10.5.1.144 TCP_MISS/304 360 GET http://cdn.flashtalking.com/38651/O2UKL0861C_JanSale_samsung_728x90.swf - HIER_DIRECT/172.224.35.210 application/x-shockwave-flash 1422370314.296 223 10.5.1.144 TCP_MISS/200 1056 GET http://a.dpmsrv.com/dpmpxl/index.php? - HIER_DIRECT/107.23.105.222 text/javascript 1422370314.696 24 10.5.1.144 TCP_MISS/200 631 GET http://pagead2.googlesyndication.com/activeview? - HIER_DIRECT/64.233.167.154 image/gif 1422370315.170 49 10.5.1.144 TCP_MISS/302 939 GET http://ib.adnxs.com/seg? - HIER_DIRECT/37.252.163.24 text/html 1422370315.215 94 10.5.1.144 TCP_MISS/200 971 GET http://a.dpmsrv.com/dpmpxl/index.php? - HIER_DIRECT/107.23.105.222 text/javascript 1422370315.239 64 10.5.1.144 TCP_MISS/302 965 GET http://ib.adnxs.com/bounce? - HIER_DIRECT/37.252.163.24 text/html 1422370315.370 243 10.5.1.144 TCP_MISS/200 674 GET http://rtd.tubemogul.com/upi/? - HIER_DIRECT/107.21.248.242 image/png 1422370316.718 48 10.5.1.144 TCP_MISS/200 358 GET http://dt.adsafeprotected.com/dt? - HIER_DIRECT/69.172.216.111 image/gifBut with transparent mode, nothing.
Thanks,
Steve
-
Not sure if it's relevant, but I'd noted the following in cache.log.
2015/01/27 15:17:02 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1... 2015/01/27 15:17:02| pinger: Initialising ICMP pinger ... 2015/01/27 15:17:02| icmp_sock: (1) Operation not permitted 2015/01/27 15:17:02| pinger: Unable to start ICMP pinger. 2015/01/27 15:17:02| icmp_sock: (1) Operation not permitted 2015/01/27 15:17:02| pinger: Unable to start ICMPv6 pinger. 2015/01/27 15:17:02| FATAL: pinger: Unable to open any ICMP sockets. 2015/01/27 15:17:04 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1... 2015/01/27 15:17:05| pinger: Initialising ICMP pinger ... 2015/01/27 15:17:05| icmp_sock: (1) Operation not permitted 2015/01/27 15:17:05| pinger: Unable to start ICMP pinger. 2015/01/27 15:17:05| icmp_sock: (1) Operation not permitted 2015/01/27 15:17:05| pinger: Unable to start ICMPv6 pinger. 2015/01/27 15:17:05| FATAL: pinger: Unable to open any ICMP sockets.Not sure why this should be so I'd enabled the Disable ICMP option on the General settings tab which then gives a clean start thus.
2015/01/27 15:21:09 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1... 2015/01/27 15:21:11 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...Steve
-
It's not too clear what happening from a browser perspective, but using telnet may be a little more informative.
From my laptop
$ telnet news.bbc.co.uk 80 Trying 212.58.244.56...and then nothing.
Whereas
$ telnet pfsense 3128 Trying 10.5.1.1... Connected to pfsense. Escape character is '^]'.clearly connects.
Trying the connection locally from the pfSense console
: telnet 127.0.0.1 3128 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'.works.
This suggests that the redirection is not working, or at least squid is not accepting redirected connections.
This is making me think that the redirected request may not even be reaching squid. I've tried adding a pass all rule to the firewall, but this had no effect. As mentioned before I see the firewall logging TCP packets being passed on port 3128 so I'm somewhat confused.
Steve
-
I note the following applicable rule even if I disable my explicit rule such that I see the firewall log blocking access to 127.0.0.1:3128.
: pfctl -s rules | grep 3128 pass in quick on msk2 proto tcp from any to ! (msk2) port = 3128 flags S/SA keep stateI this state I see, from my laptop, immediate refused connections thus.
$ telnet news.bbc.co.uk 80 Trying 212.58.244.56... telnet: connect to address 212.58.244.56: Connection refused Trying 212.58.244.57... telnet: connect to address 212.58.244.57: Connection refused telnet: Unable to connect to remote hostIf I re-enable my explicit rule such that the firewall logs the packet being passed, I see the following rules.
: pfctl -s rules | grep 3128 pass in log quick on msk2 inet proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy" pass in log quick on msk2 inet6 proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy" pass in quick on msk2 proto tcp from any to ! (msk2) port = 3128 flags S/SA keep stateThen the firewall logs a packet passed, but telnet hangs as per my previous post.
If I disable transparency mode I see that the extra rule is no longer there.
: pfctl -s rules | grep 3128 pass in log quick on msk2 inet proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy" pass in log quick on msk2 inet6 proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy"Is this extra rule somehow broken?
Steve
-
Did you selected lan on transparent interface?
if you execute grep 3128 /tmp/rules.debug you should see two rules, one for redirect and other to allow traffic.
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128 pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state -
Hi Marcelloc,
Your assistance with this is much appreciated.
Yes, LAN is selected as shown below. Note that SkyPlus is an alias for my Sky+ box which historically has refused to work with VOD services if proxied. It's presence in the config makes no difference.
I see the following
: grep 3128 /tmp/rules.debug SquidProxy = "{ 3128 }" rdr on msk2 proto tcp from any to !(msk2) port 80 -> 127.0.0.1 port 3128 pass in quick on msk2 proto tcp from any to !(msk2) port {80,3128} flags S/SA keep stateShould I need to define a rule to allow LAN access to port 3128? It looks like the above should cover it, but this alone results in blocked packets.
Thanks,
Steve
-
OK, so I just found the following in /tmp/rules.debug, between my rule for port 3128 and the one added by squid.
block return in log quick on $LAN inet from any to any tracker 1422139962 label "USER_RULE: IPv4 block"As I block all traffic by default and only allow out what's explicitly permitted, and the squid rule is simply being appended to the ruleset, this makes sense now.
I'll try amending my rule to be an exact match and report back.
Steve
-
So, due to my use of aliases my rule did show up with your grep.
: grep SquidProxy /tmp/rules.debug SquidProxy = "{ 3128 }" pass in log quick on $LAN inet proto tcp from any to any port $SquidProxy tracker 1422139913 flags S/SA keep state label "USER_RULE: Squid Proxy"I realise my rules for proxy access were too weak as they would have allowed somebody on my network to use alternate proxy, so I've modified my rules thus, but this hasn't fixed transparency mode. :(
pass in log quick on $LAN inet proto tcp from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state label "USER_RULE: Squid Proxy" pass in log quick on $LAN inet proto tcp from any to (self) port $SquidProxy tracker 1422382055 flags S/SA keep state label "USER_RULE: Squid Proxy loopback"Thanks,
Steve
-
Include 127.0.0.1 on your 3128 rule too.
-
Is that not the same as self?
Steve
-
-
Changed rules to
: grep SquidProxy /tmp/rules.debug SquidProxy = "{ 3128 }" pass in log quick on $LAN inet proto tcp from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state label "USER_RULE: Squid Proxy" pass in log quick on $LAN inet proto tcp from any to 127.0.0.1 port $SquidProxy tracker 1422382055 flags S/SA keep state label "USER_RULE: Squid Proxy loopback"No improvement.
Steve
-
To prove the point that the redirected transparent connection is not getting through to squid, I stopped the squid process and then ran the following on the pfSense console.
: nc -l 3128I then telnetted to pfsense from my laptop and a connection was established and characters passed.
$ telnet 10.5.1.1 3128 Trying 10.5.1.1... Connected to pfsense.scevans.com. Escape character is '^]'. hello: nc -Dl 3128 helloI repeated trying to telnet to port 80 on news.bbc.co.uk which should have been directed by the redirect, and no connection was made.
Steve
-
I've now turn off transparent mode and then added a NAT rule.
This appears in /tmp/rules.debug thus.
rdr on msk2 proto tcp from any to !10.5.1.0/24 port 80 -> 10.5.1.1 port 3128I see the resulting packet to port 3128 being passed by the firewall in the logs on an attempt to access an external host on port 80 from LAN.
With squid stopped and running
nc -vl 3128instead on the pfSense console this connection attempt is not seen.
Contacting pfSense directly from the LAN on port 3128 does get through.
Clearly the HTTP request gets redirected to port 3128, makes it through the firewall, but then gets lost.
I'm stumped.
Steve
-
May be not related to the issue but do you have pfsense gui redirect enabled under system -> advanced?
All my testes were on pfsense 2.2 amd64, no cf or nanobsd.
What 2.2 version are you using?
-
I have the Disable webConfigurator redirect rule checkbox ticked as I have WPAD running on port 80 using the vHosts web server. Unfortunately iPhones etc don't use WPAD so I need transparency mode, but I've left it turned on for now.
I'm using the recent full 2.2 release.
I've just tried putting a pass all rule at the start of my LAN rules to see if that would fix any firewall issue, but it did no good.
Steve
