OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Wallachia on March 04, 2020, 11:27:31 am

Title: Pf blocks Squid listening port
Post by: Wallachia on March 04, 2020, 11:27:31 am
Hello,

I have recently installed OPNsense on a PC with 1 NIC (configured as LAN) with the goal of setting it up as a web proxy. I have configured Squid as a non-transparent proxy with the default port (3128) bound to the LAN interface, but I cannot connect to it from the LAN - nothing is listening on port 3128 (nMap and telnet). The weird thing is, when I go to the CLI and enter netstat -a -n | egrep 'Proto|LISTEN', there is a Squid process listening:
Code:
tcp4       0      0 10.116.44.195.3128     *.*                    LISTEN

If I stop pf from CLI and restart Squid, I now can connect to port 3128 and everything works just fine (browser connects to proxy and goes to Internet). Firewall settings are all default ("allow all to all"), I have tried to explicitly permit access to and from Squid port, but to no avail.
I suspect I'm doing some rookie mistake, but I can't understand where. Can the community help me?

Title: Re: Pf blocks Squid listening port
Post by: echo_123 on June 16, 2020, 06:57:28 pm
Hi Wallachia,

apparently you have to create a firewall to allow the LAN clients to access the SQUID Proxy on default port 3128.

Action: Pass
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Source: LAN net
Destination: This Firewall
Dest Port Range: 3128 - 3128
Category/Description: HTTP Proxy Access

That's how I made it work. Cheers

Title: Re: Pf blocks Squid listening port
Post by: PaddyMac on October 06, 2020, 09:01:19 pm
I'm having this same problem on a fresh install of 20.7. I'm trying to implement echo_123's solution, but the destination port setting is greyed out so that I can't change it. I tried setting up a firewall rule with every other setting as suggested, and that didn't help. It works fine without any additional setup on pfSense, so this seems to be a bug in OPNsense.

Title: Re: Pf blocks Squid listening port
Post by: lfirewall1243 on October 29, 2020, 08:04:16 am
Quote from: PaddyMac on October 06, 2020, 09:01:19 pm
I'm having this same problem on a fresh install of 20.7. I'm trying to implement echo_123's solution, but the destination port setting is greyed out so that I can't change it. I tried setting up a firewall rule with every other setting as suggested, and that didn't help. It works fine without any additional setup on pfSense, so this seems to be a bug in OPNsense.

I think you need to choose a Protocol at the top of the Rule Options. When you choose "Protocol:ANY" you can't change the Destination Port :)
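
The rule echo_123 lists, written by hand in pf.conf syntax to show why a destination port can only be set once a protocol is chosen. This is an added example, not from any poster and not OPNsense's generated ruleset; the interface name em0 and the macro names are assumptions.

```pf
# Added illustration: hand-written pf.conf form of the GUI rule in the thread.
# "em0" is an assumed name for the LAN interface; substitute the real one.
lan_if     = "em0"
proxy_port = "3128"

# GUI field            -> pf keyword
#   Action: Pass        -> pass
#   Interface: LAN      -> on $lan_if
#   Direction: in       -> in
#   TCP/IP Version      -> inet (IPv4)
#   Protocol: TCP       -> proto tcp   (required before a port can be given)
#   Source: LAN net     -> from ($lan_if:network)
#   Destination:
#     This Firewall     -> to (self)
#   Dest Port Range     -> port $proxy_port
pass in on $lan_if inet proto tcp \
    from ($lan_if:network) to (self) port $proxy_port

# With the protocol left at "any" there is no "proto tcp" (or udp) clause,
# and pf only accepts a port match on TCP or UDP rules. The line below is
# therefore rejected by the parser, which is why the GUI greys the field out:
#
# pass in on $lan_if inet from ($lan_if:network) to (self) port $proxy_port
```

A file like this can be syntax-checked without loading it using `pfctl -nf <file>`, and `pfctl -sr` lists the rules currently loaded, which shows whether a rule for port 3128 actually reached pf.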