Routing Proxy Traffic



  • Hi,

    I've been searching the forums for days trying to get a configuration working.  My configuration is similar to this thread:

    http://forum.pfsense.org/index.php/topic,6229.0.html

    I know there are other similar threads on the boards, but I haven't seen any that mention the same release.  I'm using 1.2-RELEASE.  I'm trying to redirect all port 80 traffic to a transparent proxy server that has an interface that sits on the same subnet as my LAN.  The proxy server is squid 3.0 and is using iptables to redirect from 80 to 3128.  I have my load balancer set up as a "gateway" with the monitor IP as the internal interface of the proxy.  I notice that the pool says "wan|10.254.100.1" even though the proxy is on the lan.  Does that matter?  The LAN interface isn't an option for load balancing.

    Can anyone tell me if this configuration will work with the 1.2 release?  If not, is there a hack I could do to the config to make this work?

    I want to redirect traffic to an additional proxy because this pfSense box is currently responsible for NATing 2000 machines minus http (they currently configure the browser to a proxy).  I don't want to integrate the proxy into pfSense because I don't want the pfSense box to have to handle the extra load.

    I also realize I could use port forward, but I would really like to keep the proxy logs with the original source IP of the users.

    Thanks



  • You can use a port forward on the LAN to redirect to your proxy.



  • @cmb:

    You can use a port forward on the LAN to redirect to your proxy.

    Thanks for the reply.  With the port forward I lose the source address, which is important to me in the proxy logs.  Can anyone confirm that they've used the 1.2-Release and had this working?  When I configure it with the link in the original post, I can browse the web, but the traffic isn't being redirected.

    I have also confirmed that the proxy will work transparently by hard-coding routes to a site on the requesting machine and then trying to access the site.

    I should also mention, I use advanced outbound NAT.  Does that affect this configuration?  It seems like all traffic is ignoring my firewall rule and going right to the outbound NAT rule for that subnet range.



  • For anyone searching later on, I wanted to give an update on this thread.  I finally got the configuration working, and the problem wasn't because of the pfSense box.  The problem resulted because the proxy server is dual-homed to two networks that had routes between them.  Since the proxy server and the pfsense box had 2 networks in common, things were getting screwed up.

    The relevant lines from my config (manually configured) are:

    For the load balancer:

    <type>gateway</type>
    <behaviour>balance</behaviour>
    <monitorip>192.168.75.1</monitorip>
    <name>Proxy_Server</name>
    <desc/>
    <port/>
    <servers>192.168.75.1|192.168.75.1</servers>
    <monitor/>

    For the fw rules:

    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <protocol>tcp</protocol>
      <source>
        <address>192.168.75.1</address>
        <not/>
      </source>
      <destination>
        <any/>
        <port>80</port>
      </destination>
      <descr>Allow HTTP</descr>
      <gateway>Proxy_Server</gateway>
    </rule>

    In my configuration, I have a NAT router (pfsense) that has LAN, WAN, and OPT1 interfaces.  LAN is set up internally, WAN goes to the Internet, and OPT1 is cross-cabled into the proxy.  The proxy server is a Solaris 2.8 Squid 3.0 box configured for transparent connections.  It has 3 interfaces, bge0, bge1, and bge2.  bge0 goes to the internet, bge1 goes to the same network as the LAN on the NAT, and bge2 is cross cabled into the pfsense box.  It may sound confusing, but we did it this way so the proxy has its own public IP, and doesn't have to have traffic flow through the NAT if a client configures their browser to go directly to it (which almost all do).

    The proxy server has the following ipnat rule applied:

    rdr bge2 0.0.0.0/0 port 80 -> 192.168.75.1 port 3128

    What I saw happening was confusing for a while, but I was able to figure it out.  When traffic from a client who was using the transparent proxy would go through the pfsense box, it would be routed correctly to the proxy server.  The proxy server would see it and respond back, but it would go through the wrong interface (bge1 rather than bge2).  This resulted in the client receiving the packets, but from the wrong source.  If I created a route on the proxy to force the traffic back through the pfsense box, it would work, but then all traffic from the proxy would go through pfsense, which is unnecessary.

    Finally, from reading TONS of online material, I figured out that ipfilter would solve this problem with source based routing.  I now have the following line in ipf.conf:

    pass out quick on bge1 to bge2:192.168.75.254 from 192.168.75.1 to any

    This tells all traffic seen on the bge1 (LAN) interface that came from the proxy subnet (bge2) to go back the way it came (bge2) to the IP of the OPT1.  This means that all traffic originated from the LAN goes back through LAN, and all traffic based from the Proxy-Pfsense highway goes back that way.

    I know nobody may need to read about this, but I wanted to put my experience here just in case there was someone else with the same problem later on down the road.  It certainly cost me a lot of time.

    I appreciate all the work others did to get me to this point.

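Added example (not code from the thread, from pfSense, or from the poster): a small linter for the kind of policy-routing setup posted above. A `<rule>` that carries a `<gateway>` pointing at a gateway-type load-balancer pool should name a pool that actually exists, and should exclude the pool members' own addresses from its `<source>` (the `<not/>` plus `<address>` pair in the posted rule), otherwise the proxy's own HTTP traffic can be redirected back at itself. The element nesting (`<load_balancer>/<lbpool>`, `<filter>/<rule>`) and the sample config are assumptions modelled on the posted fragment; verify the paths against a real config.xml before using this on one.

```python
"""Lint pfSense 1.2-style config.xml for HTTP rules policy-routed to a proxy pool."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment posted above. The nesting
# (<load_balancer>/<lbpool>, <filter>/<rule>) is an assumption; check it
# against a real config.xml. Rules 2 and 3 are deliberately wrong.
SAMPLE_CONFIG = """<pfsense>
  <load_balancer>
    <lbpool>
      <type>gateway</type>
      <behaviour>balance</behaviour>
      <monitorip>192.168.75.1</monitorip>
      <name>Proxy_Server</name>
      <desc/><port/>
      <servers>192.168.75.1|192.168.75.1</servers>
      <monitor/>
    </lbpool>
  </load_balancer>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><address>192.168.75.1</address><not/></source>
      <destination><any/><port>80</port></destination>
      <descr>Allow HTTP</descr>
      <gateway>Proxy_Server</gateway>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><any/><port>80</port></destination>
      <descr>Looping HTTP rule</descr>
      <gateway>Proxy_Server</gateway>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><any/><port>443</port></destination>
      <descr>Allow HTTPS</descr>
      <gateway>Missing_Pool</gateway>
    </rule>
  </filter>
</pfsense>
"""


def _ipv4(token):
    """Return the token as a normalised IPv4 string, or None if it is not one."""
    try:
        return str(ipaddress.IPv4Address(token.strip()))
    except ValueError:
        return None


def gateway_pools(root):
    """Map each gateway-type lbpool name to the set of IPv4 addresses it names.

    <servers> is '|'-separated; tokens that are not IPv4 (interface names such
    as 'wan', as in the 'wan|10.254.100.1' pool mentioned earlier) are ignored.
    The monitor IP is counted as a member too.
    """
    pools = {}
    for pool in root.findall("./load_balancer/lbpool"):
        if pool.findtext("type") != "gateway":
            continue
        addrs = {ip for ip in map(_ipv4, (pool.findtext("servers") or "").split("|")) if ip}
        monitor = _ipv4(pool.findtext("monitorip") or "")
        if monitor:
            addrs.add(monitor)
        pools[pool.findtext("name")] = addrs
    return pools


def excluded_network(rule):
    """Return the source network a rule negates with <not/>, or None if there is none."""
    src = rule.find("source")
    if src is None or src.find("not") is None:
        return None
    addr = src.findtext("address")
    if not addr:
        return None
    return ipaddress.ip_network(addr.strip(), strict=False)  # host or CIDR


def lint_proxy_rules(config_xml):
    """Return (descr, problem) pairs for rules that policy-route to a gateway pool."""
    root = ET.fromstring(config_xml)
    pools = gateway_pools(root)
    findings = []
    for rule in root.findall("./filter/rule"):
        gw = rule.findtext("gateway")
        if not gw:
            continue  # ordinary rule, not policy-routed
        descr = rule.findtext("descr") or "<no descr>"
        if gw not in pools:
            findings.append((descr, f"gateway {gw!r} is not a defined gateway pool"))
            continue
        net = excluded_network(rule)
        leaking = sorted(ip for ip in pools[gw]
                         if net is None or ipaddress.IPv4Address(ip) not in net)
        if leaking:
            findings.append((descr, "pool members not excluded from source: " + ", ".join(leaking)))
    return findings


if __name__ == "__main__":
    for descr, problem in lint_proxy_rules(SAMPLE_CONFIG):
        print(f"{descr}: {problem}")
```

Run it against an exported config.xml by replacing `SAMPLE_CONFIG` with the file's contents; the posted rule passes clean, while a rule whose source is `any` is flagged because the pool member 192.168.75.1 would be routed back to itself.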
