Hi guys, help me please. I have a small LAN in my office; the scenario is:
Internet----Router ISP----(wm0-NetBSD-wm1,wm2)----LAN1, LAN2

wm0=192.168.1.85/24
wm1=192.168.2.85/24
wm2=192.168.3.85/24

I am going to do proxy on wm1. Currently NetBSD is a firewall and router; I use ipfilter. My rules are:

+ipf.conf (basic rules)

pass in from any to any
pass out from any to any

+ipnat.conf

#wm1 interface
map wm0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
map wm0 192.168.2.0/24 -> 0/32
#wm2 interface
map wm0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
map wm0 192.168.3.0/24 -> 0/32
#Proxy server
rdr wm1 0/0 port 80 -> 192.168.2.85 port 3129 tcp

My rc.conf:

#Firewall
ipfilter=YES
ipfilter_flags=""
ipnat=YES
#Service
squid=YES

My sysctl.conf, IPv4 forwarding is enabled:

net.inet.ip.forwarding=1

NetBSD as router is OK, but as proxy I have some problem. The setup of squid is basic ...

#My simple acl
acl lan1 src 192.168.2.0/24
acl expno url_regex "/usr/pkg/etc/squid/expno"
acl dono dstdomain "/usr/pkg/etc/squid/dono"
#My rules
http_access allow localhost
http_access deny expno
http_access deny dono
http_access allow lan1
http_access deny all
http_port 192.168.2.85:3129 intercept
cache_dir ufs /var/squid/cache/squid 100 16 256
cache_mem 128 MB
...

The files expno and dono are in that path.

The proxy is running, but I think that there is something I need to add or modify, because when I want to use some URL, cache.log says:

...ERROR: No forward-proxy ports configured.
ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33...

The message appears when I put in the browser a URL, for example www.netbsd.org or another that does not use the https protocol. But when I use some URL that I put in the dstdomain rule in dono, for example xvideos.com, the proxy works: it says access denied. BUT WHEN I PUT SOME normal URL without https, the message says: empty response (zero size). Help me please, what is my mistake?
I tried to change the port, and also added http_port 3128 and http_port 3129 intercept. I read the squid-cache page http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts, but I THINK THAT I need to add something. I remember that I did a similar proxy in an early version of NetBSD and it was working perfectly with ipfilter, the same rule, the rule copied from the ipnat.conf man page. Thanks in advance for your reply, please help me.
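Added example, not code from the post: a small Python checker for cache.log lines of the kind quoted above. It parses each "NAT/TPROXY lookup failed" line and tags the remote address by origin: the proxy host's own address (as in the quoted line, i.e. a connection that reached the intercept port without passing through the rdr mapping, which is what the linked NoForwardProxyPorts page describes), a client on one of the intercepted LANs, or anything else. The sample log lines (timestamps included) are constructed; the address lists are taken from the post's description of the box.

```python
import ipaddress
import re

# Constructed sample in the shape of the cache.log excerpt quoted in the post.
SAMPLE_LOG = """\
2016/01/01 10:00:00| ERROR: No forward-proxy ports configured.
2016/01/01 10:00:00| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33
2016/01/01 10:00:05| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.77:50212 FD 23 flags=33
2016/01/01 10:00:09| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.1.10:40001 FD 24 flags=33
"""

# Addresses taken from the post's description of the box and its LANs.
PROXY_ADDRS = ["192.168.1.85", "192.168.2.85", "192.168.3.85"]
LAN_NETS = ["192.168.2.0/24", "192.168.3.0/24"]
NAT_FAIL_RE = re.compile(
    r"NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<laddr>[\d.]+):(?P<lport>\d+) remote=(?P<raddr>[\d.]+):(?P<rport>\d+)"
)

def classify_nat_failures(log_text, proxy_addrs=PROXY_ADDRS, lan_nets=LAN_NETS):
    """One record per NAT-lookup failure. 'proxy-self': remote is the proxy host
    itself (the post's case); 'lan-client': a host on an intercepted LAN reached
    the port un-NATed; 'other': anything else (e.g. the wm0 side, no rdr there)."""
    proxy = {ipaddress.ip_address(a) for a in proxy_addrs}
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    records = []
    for line in log_text.splitlines():
        m = NAT_FAIL_RE.search(line)
        if not m:
            continue
        raddr = ipaddress.ip_address(m["raddr"])
        if raddr in proxy:
            source = "proxy-self"
        elif any(raddr in net for net in nets):
            source = "lan-client"
        else:
            source = "other"
        records.append({"local": f"{m['laddr']}:{m['lport']}",
                        "remote": f"{raddr}:{m['rport']}", "source": source})
    return records

def summarize(log_text):
    """Count failures per source; also flag the 'No forward-proxy ports' error."""
    counts = {}
    for r in classify_nat_failures(log_text):
        counts[r["source"]] = counts.get(r["source"], 0) + 1
    return {"counts": counts,
            "no_forward_port": "No forward-proxy ports configured" in log_text}
```

A run over a real cache.log that reports mostly "proxy-self" hits points at the box's own traffic reaching the intercept port, whereas "lan-client" hits point at clients that bypass the rdr rule.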