OPNsense Forum

English Forums => Development and Code Review => Topic started by: iosense on January 19, 2016, 12:42:23 am

Title: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: iosense on January 19, 2016, 12:42:23 am
Captive Portal and Transparent Proxy work well with HTTP traffic. You can see the rules below.
But unfortunately it does not work with HTTPS traffic.

How do I set Captive Portal and HTTPS traffic with Transparent Proxy?

Code:
Firewall: NAT: Port Forward rules

If   Proto  Src Address  Src Ports  Dst Address  Dst Ports   NAT IP     NAT Ports  Description
LAN  TCP    LAN net      *          *            80 (HTTP)   127.0.0.1  3128       redirect traffic to proxy
Title: Re: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: srijan on July 18, 2016, 05:05:36 am
How did you get this to work for HTTP traffic? I suppose as soon as you enable Captive portal, it makes a default rule in IPFW to pass all port 80 traffic to 127.0.0.1,9000 or 127.0.0.1,8000, i.e. to the captive portal. Therefore, when port 80 traffic hits OPNsense, won't this rule take precedence over the PF rule to pass port 80 traffic to the proxy?

Captive Portal works well with Forward Proxy. I somehow am not able to get it to work with Transparent Proxy. Am I missing something?
Title: Re: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: srijan on July 18, 2016, 09:08:40 pm
Can someone help me pass authenticated traffic to the proxy on port 3128? Basically, here are the IPFW rules:

# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

# pass authorized
add 65533 pass ip from any to any

I need help in passing the authenticated traffic to proxy_IP:3128. Then the proxy will hopefully pass the traffic out. This way I may be able to use Captive Portal with Transparent Proxy.

Title: Re: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: srijan on July 20, 2016, 04:16:26 pm
I have a slightly different setup: I have set up captive portal and transparent proxy on the LAN interface. I have finally managed to get it to work, with a workaround. Here is what I have done.

1. When you enable captive portal, it creates IPFW rules:
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

This is to throw the Captive Portal to users.

2. After getting authenticated, the traffic passes through the following rules:
# pass authorized
add 65533 pass ip from any to any

3. I have created two IPFW rules to pass the authenticated traffic to the Transparent Proxy:
# pass authorized
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65530 allow ip from any to any dst-port 80 via em2

add 65533 pass ip from any to any

It then passes the traffic to the proxy. You just need to ensure that in the Firewall Rules there is neither a rule to block port 80 traffic nor a NAT rule to redirect it to the transparent proxy.

Everything needs to be done via the IPFW ruleset.
Title: Re: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: dragze on December 21, 2016, 03:27:40 pm
Sorry for dragging up an old thread, but I was wondering if the above method should still work in 16.7, because I am having issues with the captive portal (separate thread: https://forum.opnsense.org/index.php?topic=4113.0).

I have tried the above method and all is working except that the authorized traffic is not passed to the proxy server. Are you sure with this method that the authorized traffic was actually hitting the proxy??
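
Whether authorized traffic actually reaches the proxy, as asked in the post above, can be read from the per-rule packet counters that `ipfw show` prints. The following is an added example, not code from any poster or from OPNsense: it parses a constructed listing (rule bodies taken from the thread, counters invented) and reports, per destination port, whether a `fwd` rule to the proxy exists and has matched packets; the function names and status labels are this example's own.

```python
import re

# Constructed `ipfw show` listing: rule number, packets, bytes, rule body.
# Rule bodies are the ones quoted in the thread (ipfw lists "pass" as "allow");
# the packet and byte counters are invented for this example.
SAMPLE = """\
05000   412    31408 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
05000  9120  6120031 allow ip from any to any dst-port 443 via em2
05000   388    26110 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
05000   951    80233 allow ip from any to any dst-port 80 via em2
65530     0        0 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
65530     0        0 allow ip from any to any dst-port 80 via em2
65533 48211 39120044 allow ip from any to any
"""

LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
FWD = re.compile(r"^fwd\s+\S+?,(\d+)\s")
DPORT = re.compile(r"\bdst-port\s+(\S+)")

def parse(listing):
    """Yield (rule_no, packets, fwd_port or None, [dst ports]) per rule line."""
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a counter line
        num, pkts, _bytes, body = m.groups()
        fwd, dport = FWD.match(body), DPORT.search(body)
        yield (int(num), int(pkts),
               int(fwd.group(1)) if fwd else None,
               dport.group(1).split(",") if dport else [])

def proxy_status(listing, proxy_port=3128, ports=("80", "443")):
    """Per destination port: 'no-rule', 'rule-idle' (0 packets) or 'forwarding'."""
    hits = {}
    for _num, pkts, fwd_port, dports in parse(listing):
        if fwd_port != proxy_port:
            continue  # only fwd rules that target the proxy port are counted
        for p in dports:
            hits[p] = hits.get(p, 0) + pkts
    return {p: "no-rule" if p not in hits
            else "forwarding" if hits[p] else "rule-idle" for p in ports}

if __name__ == "__main__":
    for port, state in proxy_status(SAMPLE).items():
        print(f"dst-port {port}: {state}")
```

On a live system the listing would be the output of `ipfw show`; a port that stays at `rule-idle` after an authenticated client has browsed has a proxy `fwd` rule that no packet is matching.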
Title: Re: Captive Portal , Transparent Proxy and HTTPS traffic
Post by: franco on January 26, 2017, 11:37:20 pm
FWIW, the captive portal now has a per-zone setting to use the transparent proxy, which seemed to fix all known issues WRT the two subsystems working in tandem.