[pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread David Wadson
I'm in the process of (hopefully) migrating from a Linux router running 
Shorewall to a pfSense box. One of the things we were able to do on our 
Linux router was transparently proxy to a separate machine on our 
network running Squid.


We accomplished this with a mix of iproute and iptables. First, the web 
packets on port 80 from any machine except the Squid box are marked for 
a separate routing table by an iptables rule:


   iptables -t mangle -A PREROUTING -i eth0 -s ! 192.168.0.12 -p tcp --dport 80 -j MARK --set-mark 3



A routing table was set up for that mark, so the result of ip route 
show table 3 is:


  default via 192.168.0.12 dev eth0


On the Squid box, packets to port 80 are redirected to port 8080 with 
an iptables rule:


  iptables -t nat -A PREROUTING -i eth0 -d ! 165.78.125.12 -p tcp --dport 80 -j REDIRECT --to-ports 8080


What I have gotten to work with pfSense is a NAT rule to redirect port 
80 to the Squid box. That worked, but probably only because the Squid 
box is still using our Linux router as its default gateway. Otherwise, 
I think that once its gateway is set to the new pfSense firewall, it 
will try to redirect its port 80 traffic back to itself.


The other issue I found is that by using NAT, the Squid logs show the 
source IP address of the web requests as the IP of the pfSense 
firewall - not the local client that is actually making the request. 
This will really throw off our usage reporting software, MySAR 
(http://giannis.stoilis.gr/software/mysar/). I'm also not sure how this 
will affect our MAC address-based ACLs in Squid.


Being new to BSD and pfSense, I'm not sure if it is even possible to 
replicate the setup that we currently have with Linux. Hoping that 
someone here can give me some insight on how I can accomplish this or 
whether I need to use a Linux-based router.


Thanks,

Dave


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread Adam Van Ornum
If you search on the forums you should be able to find more information, but 
basically you can't currently do this with pfSense because you can't do source 
based redirection.  The underlying firewall pf can do it just fine but the 
functionality is not exposed through the pfSense web gui.  I was going to work 
on that but I've been a little too busy lately.


Re: [pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread David Wadson
I think I figured out a means of doing it. I created a load balancer 
pool with just the Squid server listed as a gateway. Then I created a 
firewall rule on the LAN that sends port 80 traffic from any IP but the 
Squid box to that load balancer pool. The only part that I haven't 
confirmed as functional is that the Squid box won't be redirected. I'll 
see whether that's the case once I get this router fully configured and 
make it the default gateway for the Squid box. But I'm confident that 
it will work.


The inspiration came to me when I was going over the load balancing 
instructions and saw the diagrams about routing traffic through a 
particular gateway.



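As an added illustration (not from the thread or the pfSense project), here is the pf.conf equivalent of the iptables MARK + "ip route table 3" setup from the first message, i.e. what the firewall-rule-with-gateway approach described in the last message produces underneath; the interface name and LAN network are assumptions, the Squid address is the one given in the thread.

```pf
# Added example: source-based policy routing on the pfSense/FreeBSD router.
# Assumptions: LAN interface "em0", LAN network 192.168.0.0/24.
lan_if  = "em0"
lan_net = "192.168.0.0/24"
squid   = "192.168.0.12"      # Squid box address from the thread

# 1. Let the Squid box's own outbound web fetches take the normal default
#    route. This rule must sit ABOVE the route-to rule and use "quick",
#    otherwise the proxy's traffic would be handed back to itself (the
#    loop the original poster is worried about once the Squid box's
#    gateway becomes pfSense).
pass in quick on $lan_if inet proto tcp from $squid to any port 80

# 2. Hand every other client's port-80 connection to the Squid box as the
#    next hop. route-to does NOT rewrite the packet, so the source address
#    reaching Squid is still the real client IP: the per-client logs,
#    MySAR reporting and MAC-based ACLs keep working, unlike the
#    NAT/rdr approach, which replaced the source with the firewall's IP.
pass in quick on $lan_if route-to ($lan_if $squid) \
    inet proto tcp from $lan_net to any port 80

# The Squid box itself still needs its local redirect of port 80 to 8080
# (the iptables REDIRECT rule shown in the thread) and Squid must listen
# in transparent mode on 8080.
```

A quick check after loading the rules is to watch Squid's access.log from a client on the LAN: entries should carry the client's own address, and a request made from the Squid box itself should not appear there at all.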