Netgate Discussion Forum

    When enabled, proxy sending traffic over WAN not VPN

    ILLCOMM

      I recently added Squid3/SquidProxy to my pfSense environment. I currently have it set up as a transparent proxy, but intend to get more sophisticated over time.

      I have firewall rules that route certain hosts through a VPN and others directly through the WAN.

      It appears that despite not changing these rules, when the transparent proxy is enabled any traffic that goes through it exits over my WAN regardless of whether the host is supposed to be using the VPN. As soon as I turn the proxy off, traffic is routed as I would expect.

      Are there additional rules I have to put in place to get the proxy to route through the VPN gateway?

      kesawi

        I have a similar situation and have found that, in order to force HTTP traffic out through the VPN for specific hosts with the transparent proxy enabled, I need to specify the host IPs in the Bypass Proxy for These Source IPs option under the transparent proxy settings. You can also use firewall aliases in this setting. The downside is that traffic from these hosts will not use the proxy.

        ILLCOMM

          That's a pretty material downside.  ;D

          There has to be a way to do this.

          Thanks for this, though!

          kesawi

            You could try using the squid3 tcp_out_mark ACL to mark packets from a particular source IP in combination with a floating rule that passes any outgoing packets with a matching mark through the VPN gateway.

            To do this you would enter a custom ACL under the Advanced Features in the General Proxy Settings. I don't know if it matters whether you enter the custom ACL before or after Auth, but you could try and see which works. An example entry could be:

            # Enter the corresponding IP addresses or IP ranges of the hosts whose proxied traffic should go through the VPN.
            # The ACL needs the "src" type so Squid matches on the client (source) address.
            acl vpn_clients src 192.168.1.5 192.168.1.9 192.168.2.14/31
            # Set the packet mark 0x20 on outgoing connections made on behalf of those clients;
            # the floating rule below matches on this mark.
            tcp_outgoing_mark 0x20 vpn_clients


            Next create a floating rule with the following:
            Action: Pass
            Quick: Apply the action immediately on match (you may not need to do this. See what works)
            Interface: (I don't think you need to specify an interface here. Again see what works. You could try WAN)
            Direction: Out
            TCP/IP Version: IPv4 (I'm assuming you're not routing IPv6 traffic. If so, then enable IPv4 + IPv6)
            Protocol: TCP/UDP
            Source: This Firewall (I'm assuming the traffic will appear as coming from the firewall. If this doesn't work you could leave it as any or try 127.0.0.1).
            Advanced Options: Match packet on a mark: 0x20
            Gateway: Whatever your VPN gateway is called

            My knowledge on using floating rules is a little limited so you may need to play around with the settings to get it to work. The critical settings will be the packet matching and gateway. Everything else just hardens the rule and makes it less likely to inadvertently impact other traffic.

            You could also try using the squid3 tcp_outgoing_address ACL and specify the ip of the VPN interface, although I'm not certain whether that will work.

              Soyokaze

              You are probably using rules in the LAN section of the FW (so, to pfSense they are inbound on the LAN interface).
              You can:
              a) disable proxy (for particular addresses)
              b) create outbound NAT rule (without NAT in your case)
              c) use floating rule which will forward outbound traffic for specific IPs to needed gateway
              From my POV your only options are a and b.

              I've used the c variant in some situations, but without the proxy.

                kesawi

                I've been playing around with the squid settings and have been able to get it to work on my setup using the tcp_outgoing_address setting in the custom ACL (before auth) option under Proxy Server: General Settings. This only works provided you have a static address for the VPN interface.

                # Replace with the corresponding IP addresses of your source clients that should go via the VPN.
                acl vpn_clients src 192.168.1.5 192.168.1.9 192.168.2.14/31
                # Replace with the (static) IP of the VPN interface; Squid binds outgoing
                # connections for matching clients to this address so they follow the VPN route.
                tcp_outgoing_address 172.10.10.10 vpn_clients


                You will also need to add a firewall rule on your LAN interface to route traffic for these source IP addresses via the VPN so that HTTPS is also routed via the proxy.
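                As an added example (not code from any poster in this thread), the following Python checker applies Squid's first-match semantics for tcp_outgoing_address / tcp_outgoing_mark to a config fragment like the two above and reports which hosts meant for the VPN would still leave via the default (WAN) route, which is exactly the leak the thread describes. The client IPs and the 172.10.10.10 VPN address are the thread's sample values, used here as constructed test data.

```python
import ipaddress

# Constructed squid.conf fragment in the shape used in this thread (sample values only).
SQUID_FRAGMENT = """
acl vpn_clients src 192.168.1.5 192.168.1.9 192.168.2.14/31   # hosts that must use the VPN
tcp_outgoing_address 172.10.10.10 vpn_clients                  # VPN interface address
"""


def parse_squid_egress(conf):
    """Parse 'acl <name> src ...' and tcp_outgoing_address/tcp_outgoing_mark lines.

    Returns (acls, rules): acls maps ACL name -> list of ip_network;
    rules is an ordered list of (address_or_mark, [(acl_name, negated), ...]).
    """
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "src":
            nets = [ipaddress.ip_network(v, strict=False) for v in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] in ("tcp_outgoing_address", "tcp_outgoing_mark"):
            # Squid ANDs all ACL terms on the line; a leading '!' negates a term.
            terms = [(a.lstrip("!"), a.startswith("!")) for a in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def egress_for(client_ip, acls, rules):
    """Return the address/mark Squid would apply to this client, or None.

    Squid uses the first tcp_outgoing_* line whose ACL terms all match; a line with
    no ACL matches everyone. None means Squid falls back to normal OS routing, which
    in this thread's setup is the WAN.
    """
    ip = ipaddress.ip_address(client_ip)
    for value, terms in rules:
        if all(any(ip in net for net in acls.get(name, [])) != neg for name, neg in terms):
            return value
    return None


def vpn_leak_report(intended_vpn_clients, conf, vpn_address):
    """List intended-VPN clients that the fragment would still send out the default route."""
    acls, rules = parse_squid_egress(conf)
    return [c for c in intended_vpn_clients if egress_for(c, acls, rules) != vpn_address]
```

Running vpn_leak_report over the full list of hosts your LAN rules send through the VPN is a quick way to confirm the Squid ACL and the firewall alias have not drifted apart.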

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.