When enabled, proxy sending traffic over WAN not VPN



  • I recently added Squid3/SquidProxy to my pfSense environment. I currently have it set up as a transparent proxy, but intend to get more sophisticated over time.

    I have firewall rules that route certain hosts through a VPN and others directly through the WAN.

    It appears that despite not changing these rules, when the transparent proxy is enabled any traffic that goes through it exits over my WAN regardless of whether the host is supposed to be using the VPN. As soon as I turn the proxy off, traffic is routed as I would expect.

    Are there additional rules I have to put in place to get the proxy to route through the VPN gateway?



  • I have a similar situation and have found that in order to force HTTP traffic out through the VPN for specific hosts with the transparent proxy enabled, I need to specify the host IPs in the Bypass Proxy for These Source IPs option under the transparent proxy settings. You can also use firewall aliases in this setting. Downside is that traffic from these hosts will not use the proxy.



  • That's a pretty material downside.  ;D

    There has to be a way to do this.

    Thanks for this, though!



  • You could try using the squid3 tcp_outgoing_mark ACL to mark packets from a particular source IP in combination with a floating rule that passes any outgoing packets with a matching mark through the VPN gateway.

    To do this you would enter a custom ACL under the Advanced Features in the General Proxy Settings. I don't know if it matters whether you enter the custom ACL before or after Auth, but you could try and see which works. An example entry could be:

    acl vpn_clients src 192.168.1.5 192.168.1.9 192.168.2.14/31 # enter the IP addresses or IP ranges of the hosts whose proxy traffic you wish to forward through the VPN
    tcp_outgoing_mark 0x20 vpn_clients # mark connections from those hosts so a floating rule can match the mark and send them to the VPN gateway

    Next create a floating rule with the following:
    Action: Pass
    Quick: Apply the action immediately on match (you may not need to do this. See what works)
    Interface: (I don't think you need to specify an interface here. Again see what works. You could try WAN)
    Direction: Out
    TCP/IP Version: IPv4 (I'm assuming you're not routing IPv6 traffic. If so, then enable IPv4 + IPv6)
    Protocol: TCP/UDP
    Source: This Firewall (I'm assuming the traffic will appear as coming from the firewall. If this doesn't work you could leave it as any or try 127.0.0.1).
    Advanced Options: Match packet on a mark: 0x20
    Gateway: Whatever your VPN gateway is called

    My knowledge on using floating rules is a little limited so you may need to play around with the settings to get it to work. The critical settings will be the packet matching and gateway. Everything else just hardens the rule and makes it less likely to inadvertently impact other traffic.

    You could also try using the squid3 tcp_outgoing_address ACL and specify the IP of the VPN interface, although I'm not certain whether that will work.



  • You are probably using rules in the LAN section of the FW (so, to pfSense they are inbound to the LAN interface).
    You can:
    a) disable proxy (for particular addresses)
    b) create outbound NAT rule (without NAT in your case)
    c) use floating rule which will forward outbound traffic for specific IPs to needed gateway
    From my POV your only options are a and b.

    I've used the c variant in some situations, but without proxy.



  • I've been playing around with the squid settings and have been able to get it to work on my setup using the tcp_outgoing_address setting in the custom ACL (before auth) option under Proxy Server: General Settings. This only works provided you have a static address for the VPN interface.

    acl vpn_clients src 192.168.1.5 192.168.1.9 192.168.2.14/31 # replace with the corresponding IP addresses of your source clients going via VPN
    tcp_outgoing_address 172.10.10.10 vpn_clients # replace with the IP of the VPN interface

    You will also need to add a firewall rule on your LAN interface to route traffic for these source IP addresses via the VPN so that HTTPS is also routed via the proxy.
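    As an added example (not from any poster in this thread), a small checker for the custom ACL lines discussed above: it parses `acl ... src`, `tcp_outgoing_address` and `tcp_outgoing_mark` lines, reports an acl that lacks the `src` type (Squid rejects it, so the clients silently fall back to the WAN), and tells you which egress binding Squid would apply to a given client. The sample configuration and addresses are constructed from the values in this thread; ACL negation (`!name`) is not handled.

```python
import ipaddress

# Constructed sample of the custom ACL lines from this thread
SAMPLE_CONF = """
acl vpn_clients src 192.168.1.5 192.168.1.9  192.168.2.14/31 # hosts to send via VPN
tcp_outgoing_address 172.10.10.10 vpn_clients # IP of the VPN interface
tcp_outgoing_mark 0x20 vpn_clients # mark for the floating rule to match
"""

def parse_custom_acls(text):
    """Return (acls, bindings, errors) for the squid.conf lines in text.
    acls maps acl name -> list of networks; bindings is a list of
    (directive, value, [aclname, ...]); errors lists config problems that
    would make Squid ignore the egress rule (traffic then exits via WAN)."""
    acls, bindings, errors = {}, [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop squid.conf comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'acl':
            # A valid src acl is: acl <name> src <ip|cidr> [...]
            if len(parts) < 4 or parts[2] != 'src':
                name = parts[1] if len(parts) > 1 else '?'
                errors.append(f"acl '{name}' is missing the src type or has no entries")
                continue
            acls[parts[1]] = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
        elif parts[0] in ('tcp_outgoing_address', 'tcp_outgoing_mark') and len(parts) >= 3:
            bindings.append((parts[0], parts[1], parts[2:]))
    for directive, _, names in bindings:
        for name in names:
            if name not in acls:
                errors.append(f"{directive} references undefined acl '{name}'")
    return acls, bindings, errors

def egress_for(client_ip, acls, bindings):
    """Return {directive: value} Squid would apply to client_ip.
    For each directive the first line whose acls all match wins."""
    ip = ipaddress.ip_address(client_ip)
    result = {}
    for directive, value, names in bindings:
        if directive in result:
            continue
        if all(any(ip in net for net in acls.get(n, [])) for n in names):
            result[directive] = value
    return result
```

    Run it against your own custom ACL text before enabling the proxy: an empty result for a host that should use the VPN, or any entry in the errors list, means that host's proxied traffic would leave via the WAN.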

