OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: bruci3 on February 28, 2019, 01:46:46 am

Title: Firewall to Transparent Proxy
Post by: bruci3 on February 28, 2019, 01:46:46 am
Hi guys,

I am pretty confused and can't get my setup to work.

All on same network/subnet.

- OPNsense firewall 10.0.0.1
- OPNsense proxy 10.0.0.2

"Enable Transparent HTTP proxy" is checked.

- Certificates are installed on clients

Firewall and proxy both work completely fine alone, if I set my PC client with proxy settings to point to the proxy server it works as should for both HTTP and HTTPS.

I am trying to make it a transparent proxy, i.e. no need to put proxy settings on the client, but it won't work.

So on the firewall 10.0.0.1 I have these rules:

NAT Port forward
LAN TCP Src: LAN - Dest: port 80 redirect to IP 10.0.0.2 Port 3128
LAN TCP Src: LAN - Dest: port 443 redirect to IP 10.0.0.2 Port 3129

Am I missing other firewall rules or what else is needed?

Please help I have been struggling with this for a very long time.
Title: Re: Firewall to Transparent Proxy
Post by: bruci3 on February 28, 2019, 02:45:57 am
Still not working.
Title: Re: Firewall to Transparent Proxy
Post by: hbc on February 28, 2019, 02:26:29 pm
I think you cannot just forward packets to a second device, since squid's interception listens on localhost.

But you can enable transparent proxy on localhost 127.0.0.1, apply the necessary NAT rules to intercept local traffic and then in squid enable 'parent proxy' and enter your proxy server IP (10.0.0.2).
Title: Re: Firewall to Transparent Proxy
Post by: bruci3 on February 28, 2019, 10:19:26 pm
Hi hbc, thanks for trying to help.

Sorry, do you mind breaking down those steps you mentioned?

So just to clarify, you are saying to enable "Transparent Proxy" on the proxy server 10.0.0.2 (this is already done) or on the firewall 10.0.0.1?
Title: Re: Firewall to Transparent Proxy
Post by: bruci3 on March 01, 2019, 02:19:56 am
Ok I found something that should be the solution to my problem.

This link here says how to route when Firewall and Proxy are on separate servers: http://tldp.org/HOWTO/TransparentProxy-6.html

Apparently I need these rules on the firewall, but I'm not sure how to interpret these rules in OPNsense?

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

That first rule I assume would be:
LAN   TCP   ! 10.0.0.2   *   *   80 (HTTP)   10.0.0.2   3128

But I am completely lost on the 2nd and 3rd rules.
Title: Re: Firewall to Transparent Proxy
Post by: hbc on March 01, 2019, 08:07:57 am
> So just to clarify, you are saying to enable "Transparent Proxy" on the proxy server 10.0.0.2 (this is already done) or on the firewall 10.0.0.1?

Nope. 10.0.0.2 does not need to run transparent. It would just act as ordinary parent proxy. You would need to run proxies on both machines.

Then you have your NAT rule on 10.0.0.1 that intercepts traffic to port 80 and directs it to 127.0.0.1:3128 (local, transparent squid). Your gateway's local squid will then query your caching, scanning, filtering proxy server at 10.0.0.2.
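The gateway-side setup hbc describes, written out as an added example in raw squid.conf form (not from the thread or the OPNsense project; OPNsense generates its squid.conf from the GUI, so this is what the "transparent proxy" plus "parent proxy" settings on 10.0.0.1 should end up producing). It assumes the LAN is 10.0.0.0/24 and covers HTTP only; port 443 needs SSL bump on top of this and is left out.

```conf
# Gateway squid on 10.0.0.1: intercepts LAN port-80 traffic locally and hands
# every request to the existing filtering proxy at 10.0.0.2 as a parent.
# Example config, not from the thread.
#
# Matching OPNsense NAT port-forward on LAN (assumed):
#   TCP, source LAN net, destination !10.0.0.1 port 80
#   -> redirect target 127.0.0.1 port 3128
http_port 127.0.0.1:3128 intercept

# Only intercepted LAN clients may use this listener (assumed LAN 10.0.0.0/24)
acl localnet src 10.0.0.0/24
acl Safe_ports port 80
http_access deny !Safe_ports
http_access allow localnet
http_access deny all

# Upstream (parent) proxy: the caching/scanning/filtering squid on 10.0.0.2,
# running as an ordinary forward proxy on 3128, NOT in transparent mode.
cache_peer 10.0.0.2 parent 3128 0 no-query default

# Never fetch directly: every request must go through the parent. If 10.0.0.2
# is down, requests fail closed instead of silently bypassing the filter.
never_direct allow all

# No local cache on the gateway; caching is the parent's job.
cache deny all
```

The proxy on 10.0.0.2 must in turn allow requests from 10.0.0.1 in its own http_access rules, otherwise the gateway squid gets 403s for everything.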
Title: Re: Firewall to Transparent Proxy
Post by: bruci3 on March 01, 2019, 10:30:20 am
Ah I see, thanks for clarifying and thanks so much for your help. That sounds like it should work. ;D