Netgate Discussion Forum
    PfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode

    Category: Cache/Proxy

    • Steve Evans

      Hi Marcelloc,

      Your assistance with this is much appreciated.

      Yes, LAN is selected as shown below. Note that SkyPlus is an alias for my Sky+ box, which historically has refused to work with VOD services if proxied. Its presence in the config makes no difference.

      I see the following

      : grep 3128 /tmp/rules.debug
      SquidProxy = "{   3128 }"
      rdr on msk2 proto tcp from any to !(msk2) port 80 -> 127.0.0.1 port 3128
      pass in quick on msk2 proto tcp from any to !(msk2) port {80,3128} flags S/SA keep state
      
      

      Should I need to define a rule to allow LAN access to port 3128? It looks like the above should cover it, but this alone results in blocked packets.

      Thanks,

      Steve

      Attachment: ProxySetting.png

      • Steve Evans

        OK, so I just found the following in /tmp/rules.debug, between my rule for port 3128 and the one added by squid.

        block return  in log  quick  on $LAN inet from any to any tracker 1422139962  label "USER_RULE: IPv4 block"
        

        As I block all traffic by default and only allow out what's explicitly permitted, and the squid rule is simply being appended to the ruleset, this makes sense now.

        I'll try amending my rule to be an exact match and report back.

        Steve

        • Steve Evans

          So, due to my use of aliases my rule did show up with your grep.

          : grep SquidProxy /tmp/rules.debug
          SquidProxy = "{   3128 }"
          pass  in log  quick  on $LAN inet proto tcp  from any to any port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
          

          I realise my rules for proxy access were too weak as they would have allowed somebody on my network to use an alternate proxy, so I've modified my rules thus, but this hasn't fixed transparency mode.  :(

          pass  in log  quick  on $LAN inet proto tcp  from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
          pass  in log  quick  on $LAN inet proto tcp  from any to (self) port $SquidProxy tracker 1422382055 flags S/SA keep state  label "USER_RULE: Squid Proxy loopback"
          

          Thanks,

          Steve

          • marcelloc

            Include 127.0.0.1 on your 3128 rule too.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

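To see why rule order in /tmp/rules.debug decides whether the redirected packet is passed, here is an added Python script (not from the thread, pfSense or squid) that evaluates a constructed excerpt of these rules the way pf does: a packet rewritten by rdr to 127.0.0.1:3128 hits the catch-all quick block before the rule squid appends, while a rule for 127.0.0.1 placed earlier matches it. The macro values, interface addresses and rule text are constructed assumptions modelled on what this thread shows.

```python
import re
import shlex

# Constructed sample modelled on the thread's /tmp/rules.debug excerpts: the tightened
# port-3128 rule, the catch-all "IPv4 block" rule, then the rule that squid appends.
RULES_DEBUG = """
SquidProxy = "{   3128 }"
pass  in log  quick  on $LAN inet proto tcp  from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
block return  in log  quick  on $LAN inet from any to any tracker 1422139962  label "USER_RULE: IPv4 block"
pass in quick on msk2 proto tcp from any to !(msk2) port {80,3128} flags S/SA keep state
"""
# Assumed macro values: the thread shows $LAN is msk2 and the LAN address is 10.5.1.1.
MACROS = {"LAN": "msk2", "pfSense": "10.5.1.1"}
IFACE_ADDRS = {"msk2": {"10.5.1.1"}, "lo0": {"127.0.0.1"}}

def subst(token, macros):   # replace $macro references with their definitions
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), token)

def expand(token, macros):  # expand a macro or a {a,b} list into a set of strings
    return {t for t in re.split(r"[,\s]+", subst(token, macros).strip('"{} ')) if t}
def parse_rules(text):      # pass/block rules in pf evaluation order; rdr/nat lines ignored
    macros, rules = dict(MACROS), []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"^(\w+)\s*=\s*(.*)$", line):   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        toks = shlex.split(line)                         # keeps the label as one token
        if not toks or toks[0] not in ("pass", "block"):
            continue
        r = {"action": toks[0], "quick": "quick" in toks, "iface": None, "proto": None, "dst": "any", "dport": None, "text": line}
        seen_to = False
        for t, nxt in zip(toks, toks[1:]):
            if t == "on":
                r["iface"] = expand(nxt, macros).pop()
            elif t == "proto":
                r["proto"] = nxt
            elif t == "to":
                seen_to, r["dst"] = True, subst(nxt, macros)
            elif t == "port" and seen_to:                # destination port only
                r["dport"] = expand(nxt, macros)
        rules.append(r)
    return rules

def dst_matches(spec, dst):  # 'any', literal address, '(iface)', '(self)', or '!' negation
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec.startswith("("):                 # (self) covers every interface, lo0 included
        ifaces = IFACE_ADDRS if spec == "(self)" else [spec.strip("()")]
        hit = any(dst in IFACE_ADDRS.get(i, set()) for i in ifaces)
    else:
        hit = spec == "any" or dst == spec
    return hit != neg

def winning_rule(rules, iface, proto, dst, dport):  # last match wins unless one says 'quick'
    winner = None
    for r in rules:
        if (r["iface"] in (None, iface) and r["proto"] in (None, proto) and dst_matches(r["dst"], dst)
                and (r["dport"] is None or dport in r["dport"])):
            winner = r
            if r["quick"]:
                break
    return winner
```

Run `winning_rule(parse_rules(RULES_DEBUG), "msk2", "tcp", "127.0.0.1", "3128")` to see the block rule win for the redirected packet; swapping `$pfSense` for `127.0.0.1` in the first rule makes that rule win instead.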
            • Steve Evans

              Is that not the same as self?

              Steve

              • marcelloc

                @Steve:

                Is that not the same as self?

                I don't know if it is the LAN IP or any local IP (including lo0).

                • Steve Evans

                  Changed rules to

                  : grep SquidProxy /tmp/rules.debug
                  SquidProxy = "{   3128 }"
                  pass  in log  quick  on $LAN inet proto tcp  from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
                  pass  in log  quick  on $LAN inet proto tcp  from any to 127.0.0.1 port $SquidProxy tracker 1422382055 flags S/SA keep state  label "USER_RULE: Squid Proxy loopback"
                  
                  

                  No improvement.

                  Steve

                  • Steve Evans

                    To prove the point that the redirected transparent connection is not getting through to squid, I stopped the squid process and then ran the following on the pfSense console.

                    : nc -l 3128
                    

                    I then telnetted to pfsense from my laptop and a connection was established and characters passed.

                    $ telnet 10.5.1.1 3128
                    Trying 10.5.1.1...
                    Connected to pfsense.scevans.com.
                    Escape character is '^]'.
                    hello
                    
                    : nc -Dl 3128
                    hello
                    

                    I repeated trying to telnet to port 80 on news.bbc.co.uk which should have been directed by the redirect, and no connection was made.

                    Steve

                    • Steve Evans

                      I've now turned off transparent mode and then added a NAT rule.

                      This appears in /tmp/rules.debug thus.

                      rdr on msk2 proto tcp from any to !10.5.1.0/24 port 80 -> 10.5.1.1 port 3128
                      

                      I see the resulting packet to port 3128 being passed by the firewall in the logs on an attempt to access an external host on port 80 from LAN.

                      With squid stopped and running

                      nc -vl 3128
                      

                      instead on the pfSense console this connection attempt is not seen.

                      Contacting pfSense directly from the LAN on port 3128 does get through.

                      Clearly the HTTP request gets redirected to port 3128, makes it through the firewall, but then gets lost.

                      I'm stumped.

                      Steve

                      Attachment: redirectNAT.png

                      • marcelloc

                        Maybe not related to the issue, but do you have the pfSense GUI redirect enabled under System -> Advanced?

                        All my tests were on pfSense 2.2 amd64, no CF or NanoBSD.

                        What 2.2 version are you using?

                        • Steve Evans

                          I have the Disable webConfigurator redirect rule checkbox ticked as I have WPAD running on port 80 using the vHosts web server. Unfortunately iPhones etc. don't use WPAD, so I need transparency mode, but I've left it turned on for now.

                          I'm using the recent full 2.2 release.

                          I've just tried putting a pass all rule at the start of my LAN rules to see if that would fix any firewall issue, but it did no good.

                          Steve

                          • marcelloc

                            2.2 amd64?

                            • Steve Evans

                              : uname -a
                              FreeBSD pfsense.scevans.com 10.1-RELEASE-p4 FreeBSD 10.1-RELEASE-p4 #0 36d7dec(releng/10.1)-dirty: Thu Jan 22 15:19:32 CST 2015     root@pfsense-22-i386-builder:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.10.i386  i386
                              : cat /etc/version
                              2.2-RELEASE
                              
                              

                              I've just rebooted the firewall with all pf rules reverted to those in /conf.default/config.xml. This should eliminate any firewall rule peculiarities. I'll let you know how that works once it's up.

                              Thanks,

                              Steve

                              • marcelloc

                                I have two users on the Portuguese forum with the same version, 2.2-RELEASE-i386, and the same issue.

                                Maybe it's related to squid pbi package compilation under i386 system.

                                • Steve Evans

                                  Interesting.

                                  Given that I see the lack of redirection with nc as well as squid I'm inclined to think this may not be an issue with squid at all, but rather with pf. That'd be quite a fundamental problem for pfSense!

                                  I made THIS post in the Firewalling forum to see if that provides any insight. For now I'm going to see if a minimal pf configuration helps.

                                  Thanks,

                                  Steve

                                  • Steve Evans

                                    With the default firewall rules, squid is still not working in transparent mode.

                                    As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                                    Thanks,

                                    Steve

                                    • marcelloc

                                      @Steve:

                                      With the default firewall rules, squid is still not working in transparent mode.

                                      As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                                      Thanks,

                                      Steve

                                      I'll need to create an i386 virtual machine to get the same problem. On all my labs, transparent proxy is working fine.

                                      • Steve Evans

                                        OK, thanks.

                                        I thought the following might be of use to confirm the squid configuration I have installed.

                                        : squid -v
                                        Squid Cache: Version 3.4.10
                                        configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib 
-pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                                        

                                        Steve

                                        • Steve Evans

                                          Now here's an oddity. There are two squid binaries installed. Potential for inconsistencies here…

                                          : which squid
                                          /usr/local/sbin/squid
                                          : /usr/local/sbin/squid -v 
                                          Squid Cache: Version 3.4.10
                                          configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib 
-pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                                          : /usr/pbi/squid-i386/local/sbin/squid -v
                                          Shared object "libmd5.so.0" not found, required by "squid"
                                          

                                          Steve

                                          • marcelloc

                                            @Steve:

                                            Now here's an oddity.

                                            This is one of the PBI behaviours: same binary, different folder, different results. (Imagine getting it all working together :))

                                            And here is the confirmation that the PBI build on i386 is outdated:

                                            '--disable-ipf-transparent' '--disable-ipfw-transparent'
                                            

                                            Go to amd64 and it will work  :)

                                            Thanks for your feedback
