Issues with Squid Transparent Proxy since we removed routing from the FW



  • Hey Guys,
    We virtualized and upgraded our pfSense yesterday in order to remove the routing from the pfSense and have our switches route instead.  Since then, transparent proxy no longer works and it seems to have something to do with the traffic no longer being from the same subnet as the actual selected proxy interfaces.  I tried to add access controls for the subnets in question but it never works.  Below is a basic diagram of the routing setup and proxy settings…

    Configuration...

    Internet
                                          |
                                    em0 - WAN
                                      pfSense
                        em1 - 192.168.253.1/28 - route 10.96.8.0 255.255.252.0 192.168.253.2
                                          |
                  HP 5500 L3 - 192.168.253.18/28 - route 0.0.0.0 0.0.0.0 192.168.253.1
                                          |
                          VLAN1 - 10.96.8.0/22


    Proxy Settings...

    Squid 4.3.9

    Upstream Proxy
    Enable Forwarding
    IP: 10.96.9.1
    TCP Port: 3128
    ICP Port: 7

    General
    Proxy Interface: em1
    Allow users on interface: Enabled
    Transparent Proxy: Enabled
    Bypass proxy for Private Address Space (RFC 1918) destination: Enabled
    The rest are default which worked for us before

    Access Control
    Allowed Subnets: 10.96.8.0/22


    Any ideas?



  • I think that transparent and access controls are mutually exclusive.  Also can you include the section of your config for Squid, it will be between <squid>and</squid>

    This concerns me because I am running 4.3.6 and planning to go to 4.3.9 and I don't want to loose my transparent proxy



  • I'm perhaps stupid but I don't understand this:  ??? :o

    @Slicster:

    Internet
                                          |
                                    em0 - WAN
                                      pfSense
                        em1 - 192.168.253.1/28 - route 10.96.8.0 255.255.252.0 192.168.253.2



  • Sorry it's been a while and I've been busy with a few other emergencies to troubleshoot or update.

    I did some additional testing today with the transparent proxy setup on a new interface where the pfSense is the default gateway and it works.  The transparent proxy also works at different sites on different pfSense devices towards the same proxy server.  This leads me to think that it is some sort of a looping issue…

    Transparent Proxy for directly attached subnet path (WORKS)
    Workstation(172.31.255.10) -> pfSense (172.31.255.1) -> ProxyServer (10.96.9.1)-> Internet request -> ProxyServer (10.96.9.1) -> pfSense  (172.31.255.1) -> Workstation (172.31.255.10)

    Transparent Proxy from a different site using pfSense (WORKS)
    Workstation (192.168.10.222)-> Local pfSense (192.168.253.17) -> VPN -> Remote pfSense (192.168.253.1) -> ProxyServer (10.96.9.1) -> Internet request -> ProxyServer (10.96.9.1) -> Remote pfSense (192.168.253.1)-> VPN -> Local pfSense (192.168.10.222) -> Workstation (192.168.10.222)

    Transparent Proxy from routed LAN to pfSense (BROKEN)
    Workstation(10.96.9.222) -> pfSense (192.168.253.1) -> ProxyServer (10.96.9.1)-> Internet request -> ProxyServer (10.96.9.1) -> pfSense (192.168.253.1) -> Workstation (10.96.9.222)

    Hope the above makes sense.  You can see that in the last scenario, the workstation and proxy are on the same LAN where they pass twice through the pfSense trying to do transparent proxy.  Sort of like a loop that I'm not sure how to get around.


  • Banned

    You cannot have any transparent proxy when pfSense is not doing the routing. NFC where does this idea come from and at least 3 people posted similar stuff in past week or so.



  • @doktornotor:

    You cannot have any transparent proxy when pfSense is not doing the routing. NFC where does this idea come from and at least 3 people posted similar stuff in past week or so.

    Not everyone wants to use a pfSense as a router when they have a great L3 router to do just that.

    Strange that it works from all other sites but not the local one.

    I'm trying to put my webfilter in a subnet directly connected to my pfSense but it still seems to have issues.



  • Not everyone wants to use a pfSense as a router when they have a great L3 router to do just that.

    That's not the point he's making.  If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.


  • Banned

    @KOM:

    If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.

    Thanks for rewording… I've explained this on two other threads in detail, here comes the third one. People seem to really excel in inventing configurations completely broken by design.



  • @doktornotor:

    @KOM:

    If pfSense isn't doing your routing, then how on Earth are your clients going to find squid?  Transparent mode only works when the thing doing your routing knows to send HTTP/S traffic to the proxy.

    Thanks for rewording… I've explained this on two other threads in detail, here comes the third one. People seem to really excel in inventing configurations completely broken by design.

    If it was broken then how come it works from one of my remote sites through an OPENVPN tunnel?  Only difference at my main site where it isn't working is that it doesn't go through an OPENVPN tunnel.  All traffic stays local.  I really need some help figuring this out so here is my detailed configuration.

    Local Subnets
    10.96.8.0/22 = VLAN1 = Local physically plugged users
    192.168.16.0/24 = VLAN16 = WiFi users

    Subnet between L3 Router and pfSense
    192.168.253.0/29

    L3 Router
    10.96.8.1/22 - Default gateway for VLAN1
    192.168.16.1/24 - Default gateway for VLAN16
    192.168.253.2/29 - Interface between L3 and pfSense

    ip route 0.0.0.0 0.0.0.0 192.168.253.1 - Forwards all non local traffic to the pfSense

    pfSense
    192.168.253.1/29

    ip route 10.96.8.0 255.255.252.0 192.168.253.2 - forwards 10.96.8.0/22 traffic to the L3 router
    ip route 192.168.16.0 255.255.252.0 192.168.253.2 - forwards all 192.168.16.0/24 traffic to the L3 router

    Webfilter
    10.96.9.1/22 is the address of the Webfilter on VLAN1

    Proxy Settings

    Squid 4.3.9

    Upstream Proxy
    Enable Forwarding
    IP: 10.96.9.1
    TCP Port: 3128
    ICP Port: 7

    General
    Proxy Interface: em1
    Allow users on interface: Enabled
    Transparent Proxy: Enabled
    Bypass proxy for Private Address Space (RFC 1918) destination: Enabled
    The rest are default which worked for us before

    Access Control
    Allowed Subnets: 10.96.8.0/22, 192.168.16.1

    Additional
    Basically a client will request a website, will pass through his default gateway of 10.96.8.1 which will route to the pfSense.  The pfSense which has the transparent proxy settings enabled, will forward the request to the webfilter at 10.96.9.1.  The webfilter will verify its rules and fetch the site from the pfSense using it's default gateway of 10.96.8.1 that routes to the pfSense(I'm not sure if this is where the issue is in that it loops back to the webfilter?).  The webfilter will send the info back to the client on the local subnet.

    I'm thinking that perhaps I need to put the webfilter in a new subnet, perhaps directly attached to the pfSense and leave the rest as is?

    Any ideas?



  • So I managed to get everything working.  It is very doable to get a transparent proxy working without directly routed subnets being on the pfSense.  The issue that was blocking me were some of the rules on my FW, specifically traffic shaping.  It seems like that rule was taking precedence over the transparent proxy settings and because of this, the traffic never reached the "Remote Cache" server.

    I'm up and running now.


Log in to reply