I think I figured out a means of doing it. I created a load balancer pool with just the Squid server listed as a gateway. Then I created a firewall rule on the LAN that sends port 80 traffic from any IP but the Squid box to that load balancer pool. The only part that I haven't confirmed as functional is that the Squid box won't be redirected. I'll see whether that's the case once I get this router fully configured and make it the default gateway for the Squid box. But I'm confident that it will work.

The inspiration came to me when I was going over the load balancing instructions and saw the diagrams about routing traffic through a particular gateway.
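For what it is worth, here is what that gateway-pool setup amounts to in raw pf.conf terms. This is an added illustration, not text from the thread and not what the pfSense GUI generates; the interface name em1 and the LAN subnet are assumptions, while 192.168.0.12 is the Squid address from the original post.

```pf
# Added illustration (not from the thread, not GUI output): the pfSense
# "gateway pool + LAN rule" setup expressed as pf.conf rules.
# Assumptions: LAN interface em1, LAN subnet 192.168.0.0/24; 192.168.0.12 is
# the Squid box address used in the original post.
lan_if  = "em1"
lan_net = "192.168.0.0/24"
squid   = "192.168.0.12"

# Rule order matters: "quick" stops evaluation at the first match, so the
# Squid box's own outbound web traffic is passed normally here and is never
# handed back to itself by the rule below.
pass in quick on $lan_if inet proto tcp from $squid to any port 80 keep state

# Every other LAN client's port-80 traffic is policy-routed to the Squid box.
# route-to forwards the packet to the given next hop without rewriting the
# source address, so Squid still sees the real client IP; the NAT-based
# redirect rewrote the source to the firewall's own address.
pass in quick on $lan_if route-to ($lan_if $squid) \
    inet proto tcp from $lan_net to any port 80 keep state
```

Because nothing is translated, the Squid box must still be told to accept port 80 for addresses that are not its own (the REDIRECT rule quoted below does that), and it must use the pfSense box as its default gateway so its upstream traffic matches the first rule.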


On Mar 28, 2007, at 7:37 PM, Adam Van Ornum wrote:

If you search on the forums you should be able to find more information, but basically you can't currently do this with pfSense because you can't do source based redirection.  The underlying firewall "pf" can do it just fine but the functionality is not exposed through the pfSense web gui.  I was going to work on that but I've been a little too busy lately.



> To: support@pfsense.com
> From: [EMAIL PROTECTED]
> Date: Wed, 28 Mar 2007 12:50:52 -0400
> Subject: [pfSense Support] Transparent proxy to a separate Squid box.
>
> I'm in the process of (hopefully) migrating from a Linux router running
> Shorewall to a pfSense box. One of the things we were able to do on our
> Linux router was transparently proxy to a separate machine on our
> network running Squid.
>
> We accomplished this with a mix of iproute and iptables. First, the web
> packets on port 80 from any machine except the Squid box are marked for
> a separate routing table by an iptables rule:
>
> iptables -t mangle -A PREROUTING -i eth0 -s ! 192.168.0.12 -p tcp --dport 80 -j MARK --set-mark 3
>
>
> A routing table was set up for that mark, so the result of "ip route
> show table 3" is:
>
> default via 192.168.0.12 dev eth0
>
>
> On the Squid box, packets to port 80 are redirected to port 8080 with
> an iptables rule:
>
> iptables -t nat -A PREROUTING -i eth0 -d ! 165.78.125.12 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
>
>
> What I have gotten to work with pfSense is a NAT rule to redirect port
> 80 to the Squid box. That worked, but probably only because the Squid
> box is still using our Linux router as its default gateway. Otherwise,
> I think that once its gateway is set to the new pfSense firewall, it
> will try to redirect its port 80 traffic back to itself.
>
> The other issue I found is that by using NAT, the Squid logs show the
> "source" IP address of the web requests as the IP of the pfSense
> firewall - not the local client that is actually making the request.
> This will really throw off our usage reporting software, MySAR
> (http://giannis.stoilis.gr/software/mysar/). I'm also not sure how this
> will affect our MAC address-based ACLs in Squid.
>
> Being new to BSD and pfSense, I'm not sure if it is even possible to
> replicate the setup that we currently have with Linux. Hoping that
> someone here can give me some insight on how I can accomplish this or
> whether I need to use a Linux-based router.
>
> Thanks,
>
> Dave
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
