I don't seem to be smart enough to figure this one out.

I have a firewall with six physical interfaces: three local network (wifi, lan, and dmz), and three external interfaces that have been set up with multipath routing and nat and all that good stuff.

I've been trying to get Squid up and running on this thing as a transparent www proxy, to no avail so far. After working with Amos Jeffries a bit, I found that Squid does a "security check" that compares the IP destination of the request to the hostname in the http request when in interception mode; since rdr-to rewrites a packet's destination address, Squid ends up trying to connect to itself and gives up with a forwarding loop error. (This is contrary to every single piece of documentation I've found so far on setting up Squid on OpenBSD ...)

The solution seems to be to use divert-to. But, I can't divert-to on outbound traffic on the external interfaces, I can't trap "inbound" traffic on the external interfaces coming from the internal network without breaking ecmp (I think?), and none of the internal interfaces wants to accept traffic with a destination IP outside their subnet, naturally.

So ... what do I do? Is there a way to set up a "virtual" interface and do something tricky and cool that won't make a mess of nat or outbound ecmp? Do I have to give up and put Squid on its own machine in the DMZ? (I'd rather not, that seems lame.) Is there something more straightforward that I'm missing?

I'd really appreciate any help. I've been working on this for several solid days now.

Thanks,

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
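The two pf rule forms the post contrasts, as an added illustration that is not part of the original message or of the Squid project's documentation; the interface name em1, the network 192.168.1.0/24 and the local port 3129 are assumptions, and this shows only the single-interface case, not the poster's multipath layout.

```conf
### pf.conf fragment (assumed names; adjust to the local layout)
int_if  = "em1"
int_net = "192.168.1.0/24"

# The rdr-to form the post describes failing: rdr-to rewrites the packet's
# destination address to the proxy, so Squid's intercept-mode check sees a
# destination that is itself while the Host header names the origin server,
# and it gives up with a forwarding loop error.
#pass in quick on $int_if inet proto tcp from $int_net to ! $int_if port 80 \
#    rdr-to 127.0.0.1 port 3129

# divert-to hands the packet to the local listening socket without changing
# the destination address, so Squid can read the original destination and
# compare it with the Host header. The rule sits on the inbound internal
# interface, before the routing decision, so the outbound NAT and multipath
# rules on the external interfaces are not involved.
pass in quick on $int_if inet proto tcp from $int_net to ! $int_if port 80 \
    divert-to 127.0.0.1 port 3129

### squid.conf fragment
# Listen only on loopback: the diverted packets are delivered here, and the
# port is not reachable from the networks themselves.
http_port 127.0.0.1:3129 intercept
```

The `to ! $int_if` exclusion keeps requests addressed to the firewall itself out of the diversion so they cannot be looped back into the proxy.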
