Trouble with pfSense 2.2.6 + external transparent proxy



  • Hi,

    I have a new installation of pfSense 2.2.6 on an alix 2d3 board. Since the board is limited I want to enable squid + squidguard as a transparent proxy on an external machine (a Raspberry Pi 3), but I'm failing miserably, so I ask for some help:

    I have 3 interfaces set up the following way:
    WAN -> Internet modem
    LAN -> All internal devices, subnet 192.168.25.x
    OPT1 -> Proxy, subnet 192.168.35.x

    I can load any website from both LAN and OPT1, I can see all machines from both LAN and OPT1. So it seems that everything can talk to each other as it should.

    I have the latest versions of squid3 + squidguard installed on the proxy machine, listening on ports 3128 (transparent) and 8080.

    If I configure the proxy on any of the LAN machines, in non-transparent mode, it works perfectly. Pages load from the cache, squidguard blocks the appropriate pages and if I visit http://www.lagado.com/proxy-test it tells me that I'm behind a proxy server.

    Now things get strange when I try to set it up in transparent proxy mode. I have followed the advice in some forum topics (and in many other places), and the pfSense NAT rules I think I should have are the following:

    Interface: LAN
    Protocol: tcp
    Source: *
    Source port: *
    Destination: *
    Destination port: 80
    Redirect IP: My proxy IP, 192.168.35.40 (located on OPT1 subnet)
    Redirect port: 3128

    NAT reflection: I have tried all options with no help, so now it's disabled.

    That's all I do on pfSense. But, once I enable this rule no http website loads.

    If I try to visit bbcnews.com (non-HTTPS) what I get is an ERR_EMPTY_RESPONSE. The relevant log information (in my opinion) is the following:

    Squid3 log:

    2016/03/14 22:38:00 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.35.40:3128 remote=192.168.25.30:50683 FD 12 flags=33: (92) Protocol not available

    On pfSense states I have the following info:

    LAN tcp 192.168.35.40:3128 (212.58.244.57:80) <- 192.168.25.30:50683 FIN_WAIT_2:FIN_WAIT_2
    OPT1 tcp 192.168.25.30:50683 -> 192.168.35.40:3128 FIN_WAIT_2:FIN_WAIT_2

    Once I am here I don't know how to solve it :(

    By the way, if I try to visit HTTPS pages they work perfectly. Also, if I enable the transparent proxy once the page is loaded I can visit it normally (for example, once I'm on bbc.com/news I enable the transparent proxy and I can visit the different articles, but if I try to load another website it doesn't work).

    I have read multiple forum topics; everywhere it ends with the rule I have enabled and says it should work, but I can't seem to accomplish it. Can somebody give me a hint on how to solve it?
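An added illustration of what the log lines above are saying (example code, not from the thread): the parenthesised address in the pfSense LAN state is the pre-NAT original destination, and it exists only in pfSense's state table. Squid's intercept mode asks the kernel of the host it runs on for that original destination, and on the Raspberry Pi there is no NAT mapping for the flow, which is why SO_ORIGINAL_DST comes back with "Protocol not available". The script parses both formats and looks up the flow the squid error complains about; the sample lines are constructed copies of the ones quoted in the post.

```python
import re

# Constructed samples, same shape as the pfSense state table and squid cache.log lines quoted above.
PF_STATES = [
    "LAN tcp 192.168.35.40:3128 (212.58.244.57:80) <- 192.168.25.30:50683 FIN_WAIT_2:FIN_WAIT_2",
    "OPT1 tcp 192.168.25.30:50683 -> 192.168.35.40:3128 FIN_WAIT_2:FIN_WAIT_2",
]
SQUID_LOG = ("2016/03/14 22:38:00 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on "
             "local=192.168.35.40:3128 remote=192.168.25.30:50683 FD 12 flags=33: "
             "(92) Protocol not available")

# iface proto addr[:port] [(original_dst)] <-|-> addr[:port] state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>[\d.]+:\d+)"
    r"(?:\s+\((?P<orig>[\d.]+:\d+)\))?\s+(?P<dir><-|->)\s+(?P<b>[\d.]+:\d+)\s+(?P<st>\S+)$")
SQUID_RE = re.compile(
    r"getsockopt\(ORIGINAL_DST\) failed on local=(?P<local>[\d.]+:\d+) remote=(?P<remote>[\d.]+:\d+)")


def parse_state(line):
    """Parse one pfSense/pf state line into a dict with src, dst and the pre-NAT destination."""
    m = STATE_RE.match(line)
    if not m:
        raise ValueError("unrecognised state line: " + line)
    d = m.groupdict()
    # pf prints inbound states as "dst <- src" and outbound states as "src -> dst";
    # the parenthesised address is the destination before the rdr (port forward) rewrote it.
    if d["dir"] == "<-":
        src, dst = d["b"], d["a"]
    else:
        src, dst = d["a"], d["b"]
    return {"iface": d["iface"], "src": src, "dst": dst, "orig_dst": d["orig"], "state": d["st"]}


def original_destination(states, squid_line):
    """Return the pre-NAT destination pfSense recorded for the flow squid complained about, or None.

    Squid only sees the post-NAT tuple (local=proxy, remote=client); the original
    destination lives in the firewall's state table, not on the proxy host.
    """
    m = SQUID_RE.search(squid_line)
    if not m:
        return None
    client, proxy = m["remote"], m["local"]
    for s in map(parse_state, states):
        if s["src"] == client and s["dst"] == proxy and s["orig_dst"]:
            return s["orig_dst"]
    return None


if __name__ == "__main__":
    print(original_destination(PF_STATES, SQUID_LOG))  # 212.58.244.57:80
```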



  • Ok, so I've solved it in a not quite elegant way.

    I've installed the squid package on the alix machine, set it up with no cache and no logging, and I've placed the external proxy as an upstream proxy.

    Now it works, but it goes through 3 proxies!!  >:( >:(

    But I can cache and filter contents through the external proxy.  :) :) :)

    If anybody has a more elegant way to do it I will gladly try it; meanwhile I will use the non-elegant way.



  • Were you able to figure out another solution than the "three proxy layers"?

    I am in a similar situation. I have pfSense 2.3.3 nano on a Firebox x1250. I have Squid 3.5 and SARG 2.3.10 running on Ubuntu Server 16.04. I tried to create a NAT rule to forward all traffic on the LAN requesting port 80 to the internal Ubuntu server running Squid on the default port of 3128. I want to set it up as a transparent proxy but am not having any luck.

    I've added this to the /etc/squid/squid.conf file:

    http_port 3128 transparent
    http_port 80 vhost

    Instead of the older method (which I've read stopped working after Squid 2.6):
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    Thanks for any help or advice on what you did to get this to work!

    Anthony