Issues with Squid Transparent Proxy since we removed routing from the FW

Slicster

Hey Guys,
We virtualized and upgraded our pfSense yesterday in order to remove the routing from the pfSense and have our switches route instead.  Since then, transparent proxy no longer works and it seems to have something to do with the traffic no longer being from the same subnet as the actual selected proxy interfaces.  I tried to add access controls for the subnets in question but it never works.  Below is a basic diagram of the routing setup and proxy settings…

Configuration...

Internet
                                      |
                                em0 - WAN
                                  pfSense
                    em1 - 192.168.253.1/28 - route 10.96.8.0 255.255.252.0 192.168.253.2
                                      |
              HP 5500 L3 - 192.168.253.18/28 - route 0.0.0.0 0.0.0.0 192.168.253.1
                                      |
                      VLAN1 - 10.96.8.0/22

---

Proxy Settings...

Squid 4.3.9

Upstream Proxy
Enable Forwarding
IP: 10.96.9.1
TCP Port: 3128
ICP Port: 7

General
Proxy Interface: em1
Allow users on interface: Enabled
Transparent Proxy: Enabled
Bypass proxy for Private Address Space (RFC 1918) destination: Enabled
The rest are default which worked for us before

Access Control
Allowed Subnets: 10.96.8.0/22

---

Any ideas?

smcclos

I think that transparent and access controls are mutually exclusive.  Also can you include the section of your config for Squid, it will be between <squid>and</squid>

This concerns me because I am running 4.3.6 and planning to go to 4.3.9 and I don't want to loose my transparent proxy

chris4916

I'm perhaps stupid but I don't understand this:  ??? :o

@Slicster:

Internet
                                      |
                                em0 - WAN
                                  pfSense
                    em1 - 192.168.253.1/28 - route 10.96.8.0 255.255.252.0 192.168.253.2

Slicster

Sorry it's been a while and I've been busy with a few other emergencies to troubleshoot or update.

I did some additional testing today with the transparent proxy setup on a new interface where the pfSense is the default gateway and it works.  The transparent proxy also works at different sites on different pfSense devices towards the same proxy server.  This leads me to think that it is some sort of a looping issue…

Transparent Proxy for directly attached subnet path (WORKS)
Workstation(172.31.255.10) -> pfSense (172.31.255.1) -> ProxyServer (10.96.9.1)-> Internet request -> ProxyServer (10.96.9.1) -> pfSense  (172.31.255.1) -> Workstation (172.31.255.10)

Transparent Proxy from a different site using pfSense (WORKS)
Workstation (192.168.10.222)-> Local pfSense (192.168.253.17) -> VPN -> Remote pfSense (192.168.253.1) -> ProxyServer (10.96.9.1) -> Internet request -> ProxyServer (10.96.9.1) -> Remote pfSense (192.168.253.1)-> VPN -> Local pfSense (192.168.10.222) -> Workstation (192.168.10.222)

Transparent Proxy from routed LAN to pfSense (BROKEN)
Workstation(10.96.9.222) -> pfSense (192.168.253.1) -> ProxyServer (10.96.9.1)-> Internet request -> ProxyServer (10.96.9.1) -> pfSense (192.168.253.1) -> Workstation (10.96.9.222)

Hope the above makes sense.  You can see that in the last scenario, the workstation and proxy are on the same LAN where they pass twice through the pfSense trying to do transparent proxy.  Sort of like a loop that I'm not sure how to get around.

doktornotor

You cannot have any transparent proxy when pfSense is not doing the routing. NFC where does this idea come from and at least 3 people posted similar stuff in past week or so.

Slicster

@doktornotor:

You cannot have any transparent proxy when pfSense is not doing the routing. NFC where does this idea come from and at least 3 people posted similar stuff in past week or so.

Not everyone wants to use a pfSense as a router when they have a great L3 router to do just that.

Strange that it works from all other sites but not the local one.

I'm trying to put my webfilter in a subnet directly connected to my pfSense but it still seems to have issues.

KOM

Not everyone wants to use a pfSense as a router when they have a great L3 router to do just that.

That's not the point he's making.  If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.

doktornotor

@KOM:

If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.

Thanks for rewording… I've explained this on two other threads in detail, here comes the third one. People seem to really excel in inventing configurations completely broken by design.

Slicster

@doktornotor:

@KOM:

If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.

Thanks for rewording… I've explained this on two other threads in detail, here comes the third one. People seem to really excel in inventing configurations completely broken by design.

If it was broken then how come it works from one of my remote sites through an OPENVPN tunnel?  Only difference at my main site where it isn't working is that it doesn't go through an OPENVPN tunnel.  All traffic stays local.  I really need some help figuring this out so here is my detailed configuration.

Local Subnets
10.96.8.0/22 = VLAN1 = Local physically plugged users
192.168.16.0/24 = VLAN16 = WiFi users

Subnet between L3 Router and pfSense
192.168.253.0/29

L3 Router
10.96.8.1/22 - Default gateway for VLAN1
192.168.16.1/24 - Default gateway for VLAN16
192.168.253.2/29 - Interface between L3 and pfSense

ip route 0.0.0.0 0.0.0.0 192.168.253.1 - Forwards all non local traffic to the pfSense

pfSense
192.168.253.1/29

ip route 10.96.8.0 255.255.252.0 192.168.253.2 - forwards 10.96.8.0/22 traffic to the L3 router
ip route 192.168.16.0 255.255.252.0 192.168.253.2 - forwards all 192.168.16.0/24 traffic to the L3 router

Webfilter
10.96.9.1/22 is the address of the Webfilter on VLAN1

Proxy Settings

Squid 4.3.9

Upstream Proxy
Enable Forwarding
IP: 10.96.9.1
TCP Port: 3128
ICP Port: 7

General
Proxy Interface: em1
Allow users on interface: Enabled
Transparent Proxy: Enabled
Bypass proxy for Private Address Space (RFC 1918) destination: Enabled
The rest are default which worked for us before

Access Control
Allowed Subnets: 10.96.8.0/22, 192.168.16.1

Additional
Basically a client will request a website, will pass through his default gateway of 10.96.8.1 which will route to the pfSense.  The pfSense which has the transparent proxy settings enabled, will forward the request to the webfilter at 10.96.9.1.  The webfilter will verify its rules and fetch the site from the pfSense using it's default gateway of 10.96.8.1 that routes to the pfSense(I'm not sure if this is where the issue is in that it loops back to the webfilter?).  The webfilter will send the info back to the client on the local subnet.

I'm thinking that perhaps I need to put the webfilter in a new subnet, perhaps directly attached to the pfSense and leave the rest as is?

Any ideas?

Slicster

So I managed to get everything working.  It is very doable to get a transparent proxy working without directly routed subnets being on the pfSense.  The issue that was blocking me were some of the rules on my FW, specifically traffic shaping.  It seems like that rule was taking precedence over the transparent proxy settings and because of this, the traffic never reached the "Remote Cache" server.

I'm up and running now.