OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: kyferez on February 28, 2017, 06:13:09 pm

Title: [SOLVED] Web Proxy Not responding - Standard and Transparent
Post by: kyferez on February 28, 2017, 06:13:09 pm
I used the basic Setup Web Filtering guide (https://docs.opnsense.org/manual/how-tos/proxywebfilter.html) and bound it to my VLAN2 interface. I did not do Step 6 as I was just testing. Everything else is exactly the same as per defaults or as per the guide.

Proxy is started. I set a browser to use it and get "Proxy not responding" for any page, http or https. Firewall rules are the same as the pics from the post here: https://forum.opnsense.org/index.php?topic=4582.msg17627#msg17627

If I telnet from a PC on VLAN2 to the VLAN2 Firewall Interface IP (192.168.2.1) on port 3128, it connects with a blank screen.

Is something missing from the guide? Do I need to do something extra since I have multiple VLANs?

You can see from the trace the packets are received and there is no reply from OPNsense.

Thanks!
Title: Re: Web Proxy Not responding - Configured from guides
Post by: kyferez on March 03, 2017, 04:42:13 pm
So the guide does leave out  :o 2 very important steps:

- Add a firewall rule to allow traffic on the interface, to the Firewall Interface address, for the proxy ports 3128-3129.

- Also, if accessing from another subnet, you need to add that subnet under Forward Proxy->Access Control Lists->Allowed Subnets.

I would update the guide, but it appears it does not provide for user-contributed updates unless we email them in  :-\
Title: Re: [SOLVED] Web Proxy Not responding - Configured from guides
Post by: fabian on March 03, 2017, 05:04:15 pm
You need to send an email to Jos if you want to contribute changes to the documentation.
Title: Re: [SOLVED] Web Proxy Not responding - Configured from guides
Post by: kyferez on March 03, 2017, 06:58:42 pm
Now I'm trying to do transparent and can't get a response. Added the NAT rules, added firewall rules, disabled other firewall rules for port 80 just in case they interfered; don't see what's happening yet...

I tried modifying the auto-created NAT rules to point to the VLAN2 Interface address instead of the loopback, and when I do I actually get a response from Squid; however, it says cannot find path /, so obviously it's trying to answer the traffic instead of filtering and sending it to the website.

With the NAT rules pointed to loopback IP, I do see the traffic marked as passed for the loopback in the firewall logs. But no response from proxy.

Thanks!
Title: Re: Web Proxy Not responding Transparent
Post by: fabian on March 03, 2017, 07:31:40 pm
Did you enable the transparent interface in the squid configuration as well?
Title: Re: Web Proxy Not responding Transparent
Post by: kyferez on March 03, 2017, 08:05:28 pm
At Services->Forward Proxy->Enable Transparent? Yes. I also tried adding 127.0.0.1/24 and 192.168.2.1/24 as allowed subnets.
Title: Re: Web Proxy Not responding Transparent
Post by: kyferez on March 04, 2017, 02:03:45 am
So for a test, I deployed OPNsense 16.7 and configured Transparent proxy exactly according to the guides. Still does not work... So something is missing from the guide... I followed these:

https://docs.opnsense.org/manual/how-tos/cachingproxy.html
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
Title: Re: Web Proxy Not responding Transparent
Post by: kyferez on March 04, 2017, 02:37:13 am
Got it working on 16.7. Going to test on 17.1 shortly. [UPDATE: It works on 17.1.2]
Complete guide to Proxy with AV Scanning: http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/

Had to add the following rules with specific order.

This one for Transparent, and set to top of rules:
Interface: VLAN2, Source: VLAN2 net, Destination: 127.0.0.1, Dst Port: 3128-3129

This one for Standard, and set just below the above rule:
Interface: VLAN2, Source: VLAN2 net, Destination: VLAN2 address, Dst Port: 3128-3129

And finally, you need this one to simply allow web traffic for transparent:
Interface: VLAN2, Dst Port: 80 and 443

Essentially the problem was that the auto-created rules are created at the bottom, so I had another rule that was causing them not to get hit.

Unfortunately I also had to disable anti-lockout rules.
Also unfortunately there is no way to add logging (that I saw) to auto-created rules when the NAT rules are created, so I disabled them and created my own listed above.

It would be nice if the auto-rules from NAT could have logging enabled.
It would be REALLY nice if the firewall rules were numbered and the logs said which rule they hit.
It would also be REALLY REALLY nice if the NAT rules were numbered and the firewall logs logged when a NAT rule was hit.
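
The rule-order problem described in the post above, as an added example that is not part of the original thread: a small first-match simulation that reports which of the three rules never get hit when an earlier rule claims their traffic. The 192.168.2.0/24 network, the probe packets and the `other` rule are constructed for illustration (the post does not say what the real interfering rule was), and first-match evaluation with a default deny is an assumption about the rule set.

```python
import ipaddress

def rule(name, action, src, dst, ports):
    return dict(name=name, action=action, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), ports=ports)

VLAN2_NET = "192.168.2.0/24"   # assumed from the 192.168.2.1 interface IP
PROXY = range(3128, 3130)      # ports 3128-3129, as in the post

# The three rules from the post, in the order the author gives.
MANUAL = [
    rule("transparent", "pass", VLAN2_NET, "127.0.0.1/32", PROXY),
    rule("standard", "pass", VLAN2_NET, "192.168.2.1/32", PROXY),
    rule("web", "pass", "0.0.0.0/0", "0.0.0.0/0", (80, 443)),
]
# Hypothetical pre-existing rule; the post does not say what the real one was.
OTHER = rule("other", "block", VLAN2_NET, "0.0.0.0/0", range(1024, 65536))

# Constructed probe packets (src, dst, dport), one per rule, described as the
# filter sees them: the transparent flow already targets the loopback address.
PROBES = {
    "transparent": ("192.168.2.50", "127.0.0.1", 3128),
    "standard": ("192.168.2.50", "192.168.2.1", 3128),
    "web": ("192.168.2.50", "203.0.113.10", 443),
}

def first_match(rules, src, dst, dport):
    """Return (name, action) of the first rule matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"] and dport in r["ports"]:
            return r["name"], r["action"]
    return "default", "block"   # assumed default deny

def shadowed(rules):
    """Names of rules whose own probe is claimed by a different rule."""
    return [n for n, p in PROBES.items()
            if first_match(rules, *p)[0] != n]

if __name__ == "__main__":
    print("proxy rules at bottom:", shadowed([OTHER] + MANUAL))
    print("proxy rules on top:   ", shadowed(MANUAL + [OTHER]))
```

Run against an exported rule list, the same check shows which proxy rules need to be moved above an existing rule before the proxy will answer.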

Title: Re: Web Proxy Not responding Transparent
Post by: cwynd on March 23, 2017, 04:44:02 pm
Got it working on 16.7. Going to test on 17.1 shortly. [UPDATE: It works on 17.1.2]
Complete guide to Proxy with AV Scanning: http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/
-snip-


Thank you very much! ^ guide got me out of hours of fiddling unsuccessfully with the default guide ruleset :)