OPNsense Forum

English Forums => General Discussion => Topic started by: SynAck on May 12, 2018, 06:30:44 am

Title: VPN, Transparent Proxy, and Policy-based Routing?
Post by: SynAck on May 12, 2018, 06:30:44 am
I think this may be something of a doozy. Appreciate any insight or advice.

I have three separate "LAN" interfaces configured, one of which is WiFi and the other two are ethernet. For my purposes at the moment, I am treating these all equally with respect to configuration (though I will eventually use them differently).

I have an OpenVPN client connection set up and working properly with an external VPN service. I configured an interface (VPN_DHCP) and set it as a gateway. I've got the appropriate Outbound NAT rules configured and all network traffic destined for the Internet is going through the VPN gateway.

I also have a transparent proxy configured for all 3 LAN interfaces, for both port 80 and 443. The correct port forwarding is in place, and the proxy/filtering is working as expected.

So up to this point, all Internet-destined traffic from any of the three LAN networks is forwarded through the proxy, and then directed through the VPN gateway to the Internet. This makes me about 95% happy.

However... there are some Internet destinations that I want to access directly from my WAN interface (with my true IP address) and NOT have them use the VPN gateway. I have set up an Alias containing these destinations, but I cannot find a way to have them use the WAN gateway instead of the VPN gateway.

Here's a list of what I have tried:
* Set up a FLOATING "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a LAN interface "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a VPN interface "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a FLOATING "block" rule to deny outbound traffic to destinations in my Alias list
* Configured NAT to explicitly avoid my Alias list when translating VPN traffic

...and you may have already guessed that I wouldn't be posting here if any of those worked. They either shut off connectivity completely, or ignored the policy-based routing and just used the VPN gateway for everything.

I have a hunch that the squid proxy may be the culprit -- once I forward the HTTP/S traffic into the squid ports on 127.0.0.1, I'm not really sure where they come "out" and continue on their way. It seems as though squid is simply hardwired to use the VPN gateway (even though WAN is specified as the default) and I can't find any way to convince it to do otherwise *sometimes*.

I think it was working as expected when I disabled transparent proxying and manually added the proxy info to the computers on the network -- this isn't ideal for me, though, since one of these LAN networks is eventually going to be for guest users and I'd prefer to have the transparent proxy enforced.

There are a lot of moving parts, so my apologies for the lengthy post. If anyone actually read this far, I'd appreciate any ideas or sympathy.
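The mechanism this post is running into, as an added example (not the original post's, OPNsense's or squid's code): a small Python model of pf's translate-then-filter order, and of how the proxy's own upstream connection is routed once the LAN rules are out of the picture. The LAN network, the alias addresses, the squid port 3128 and a routing table whose default route points into the tunnel are constructed assumptions.

```python
"""Model of why LAN policy-routing rules never catch transparently proxied traffic.

Constructed values (not from the post): the LAN network, the alias destinations
(TEST-NET addresses), the squid port 3128, and a kernel routing table whose
default route points into the tunnel (assumed; OpenVPN clients commonly push one).
"""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.10.0/24")
DIRECT_ALIAS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
PROXY_ADDR, PROXY_PORT = ip_address("127.0.0.1"), 3128
ROUTES = [  # (prefix, next-hop label) consulted for firewall-originated traffic
    (ip_network("0.0.0.0/0"), "VPN_GW"),
    (ip_network("192.0.2.0/24"), "WAN_LINK"),
]

def rdr_transparent_proxy(pkt: dict) -> dict:
    """NAT stage: pf applies rdr before filtering, so HTTP/S from LAN is
    rewritten to the local squid listener before any pass rule is consulted."""
    if pkt["in_if"] == "lan" and pkt["dport"] in (80, 443) and pkt["dst"] not in LAN_NET:
        return {**pkt, "dst": PROXY_ADDR, "dport": PROXY_PORT}
    return pkt

def filter_lan(pkt: dict) -> str:
    """Filter stage: LAN rules match on the already translated destination."""
    if pkt["dst"] in DIRECT_ALIAS:
        return "WAN_GW"  # the alias rule from the post
    return "VPN_GW"      # default LAN pass rule via the VPN gateway

def lan_client_path(dst: str, dport: int) -> tuple:
    """Returns (destination the LAN filter rules see, gateway the matching
    rule selects) for a client packet arriving on the LAN interface."""
    pkt = {"in_if": "lan", "dst": ip_address(dst), "dport": dport}
    pkt = rdr_transparent_proxy(pkt)
    return str(pkt["dst"]), filter_lan(pkt)

def kernel_route(dst: str) -> str:
    """Longest-prefix match: the lookup squid's own upstream connection gets,
    since it originates on the firewall and no LAN interface rule applies."""
    candidates = [r for r in ROUTES if ip_address(dst) in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def proxy_egress(dst: str) -> str:
    """Where a proxied request to dst really leaves: decided by the routing table."""
    return kernel_route(dst)
```

Ports that are not redirected (here, 22) still reach the alias rule untranslated, which is why the policy routing appears to work only "sometimes".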