Trying to configure pfSense and Squid3 as a reverse proxy



  • I'm trying to set up pfSense (2.2.4-RELEASE) with the Squid3 package (0.3.9.2) as a reverse proxy.
    The purpose is to publish a few different HTTP and HTTPS services through one IP based on URI filtering.

    In my lab environment the net design looks like this:

    Evil net (aka my simulated internet) is at 192.168.3.0/24 with the pfSense WAN interface at 192.168.3.2.
    I have an "external" client here at 192.168.3.5 to do my tests from.

    I have a DMZ at 192.168.1.0 with Pfsense DMZ interface at 192.168.1.2.
    There is a webserver at 192.168.1.5

    I also have two more webservers on other nets but I don't think we need them currently.

    I have configured two Firewall Rules
    IPv4 TCP * * WAN address 443 (HTTPS) * none Listener for HTTPS published sites
    IPv4 TCP * * WAN address 80 (HTTP) * none Listener for HTTP published sites

    I have created two Reverse proxy peers
    on WWW 192.168.1.5 80 HTTP www
    on https 192.168.1.5 443 HTTPS https

    I have one mapping
    on test1 WWW,https binding them to the URI of my domain

    I can see the traffic being accepted in the firewall log.

    However it doesn't work, and when I use Wireshark on my "external" computer I see something that really surprised me.

    I get an HTTP 301 Moved Permanently, and then the pfSense box tells the client to connect to the admin port of the pfSense box, in this test port 666.

    It shouldn't do that, should it? I don't want that redirect since it's wrong, and I don't like it telling where the admin port is.

    Can anyone assist? I guess it's my config somewhere but I haven't been able to figure out where



  • Found out about the problem with Squid and ports below 1024.

    Added NAT rules to 5080 and 5433 and that seems to have fixed some of the problem.

    Now I can do NAT from WAN to internal.
    I can't do NAT from WAN to DMZ (OPT interface).

    I can ping my webserver from the DMZ interface so there is connectivity between them

    I have an "allow anything" rule on DMZ at the moment:
    IPv4 TCP * * * * * none



  • Nailed that one too :)

    In the web GUI it said /24 on the interface. On the console it said /32. After changing it on the console to /24 it works.
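The three posts above together describe one working setup: Squid listening on high ports (5080/5433) because it cannot bind below 1024, pfSense port forwards from WAN 80/443 to those ports, two origin peers for the DMZ web server, and a mapping that only routes requests for the published domain. The fragment below is an added example of what that looks like as plain squid.conf directives; it is not the poster's configuration and not the file the pfSense package generates. The hostname test1.example.com, the certificate and CA paths, and the peer names are assumed. The 301 to the admin port seen in the first post is what pfSense's webConfigurator redirect rule does when port 80 on the WAN address is not forwarded anywhere else, so the port forwards are the part of this setup that actually makes the proxy answer.

```squid
# Added example: Squid 3 accelerator (reverse proxy) config for the lab in the thread.
# Assumed: published hostname test1.example.com, cert/key/CA paths, peer names.

# Squid runs unprivileged, so it listens on high ports. On pfSense, port forwards
# WAN:80 -> 127.0.0.1:5080 and WAN:443 -> 127.0.0.1:5433 deliver the traffic here
# (the same NAT rules the second post added). Without them, WAN:80 is answered by
# the webConfigurator redirect rule instead, which is the 301 seen in the first post.
http_port  5080 accel defaultsite=test1.example.com vhost name=plain_in
https_port 5433 accel defaultsite=test1.example.com vhost name=tls_in \
    cert=/usr/local/etc/squid/test1.example.com.crt \
    key=/usr/local/etc/squid/test1.example.com.key

# Reverse proxy peers: the DMZ web server 192.168.1.5 on HTTP and on HTTPS.
# sslcafile (assumed path) pins the CA that signed the backend certificate;
# prefer that over sslflags=DONT_VERIFY_PEER, which would accept any backend cert.
cache_peer 192.168.1.5 parent 80  0 no-query originserver name=www
cache_peer 192.168.1.5 parent 443 0 no-query originserver ssl \
    sslcafile=/usr/local/etc/squid/dmz-ca.crt name=https

# Mapping: only the published domain is accepted, and each listener is routed
# to the matching peer (plain -> www, TLS -> https). Anything else is denied
# rather than passed on to an internal host.
acl published_site dstdomain test1.example.com
acl plain_in myportname plain_in
acl tls_in   myportname tls_in

cache_peer_access www   allow published_site plain_in
cache_peer_access www   deny  all
cache_peer_access https allow published_site tls_in
cache_peer_access https deny  all

http_access allow published_site
http_access deny  all

# Never fetch directly; everything must go through a configured origin peer.
never_direct allow all
```

A quick check from the "external" client after applying this is `curl -sI -H "Host: test1.example.com" http://192.168.3.2/`: the answer should come from the DMZ web server, not a 301 with a Location pointing at the pfSense GUI port. A request with a Host header that is not the published domain should get a 403 from Squid, which is how you confirm the deny rules are in effect.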



  • IT IS DONE ;D

    The old TMG is now replaced with a pfSense box.

    Two things i miss from TMG though

    • The External computer set. Makes creating firewall rules so much easier. Just do an "allow anything" to External and you get unrestricted internet access but no access to other networks on the "inside" like OPT.
    • The grouping functionality. In TMG you can create a group and then collect rules in the group. For example I can place all rules for my webservers in one group and have the mail servers in another. Makes troubleshooting much faster since I know I only have to look in the mail group when troubleshooting mail.
