OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Zoldan on September 28, 2018, 06:41:12 pm

Title: OPNsense 18.7 bypass transparent proxy completely
Post by: Zoldan on September 28, 2018, 06:41:12 pm
Hi,

I'm new here and rolled out some OPNsense installations with clients.
So far OPNsense supersedes my expectations (I am also a fanatic pfSense user), so keep up the good work!
 
With one client I have problems bypassing the transparent proxy for some government sites in Brazil.
I added the domain to SSL no bump and to the whitelist in access control, but it is still giving an error.
It says:
"ERROR requested URL could not be retrieved: Failed to establish secure connection to 200.x.x.x (IP from site)"
(92) Protocol error (TLS code X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certificate error: certificate issuer (CA) not known: "issuer from certificate (which is valid)"
This proxy and the remote host failed to negotiate mutually acceptable security settings for handling your request...


Locally (desktop browser) I installed the self-issued CA certificate from OPNsense and also installed the certificate needed to access this (government) site.

So I added the URL and IP to the mentioned sections, but it still looks like the proxy is in between.
I'm a little lost now... :o
Anyone have an idea?

Regards
Title: Re: OPNsense 18.7 bypass transparent proxy completely
Post by: rabievdm on September 28, 2018, 07:04:40 pm
How have you implemented the transparent proxy?
I.e. how do you pass the traffic to squid?

In my setup I do a port redirect for all http traffic, so in my case I would add a firewall rule to not forward the traffic for those destinations to the proxy. The downside would be that you cannot work on named sites (i.e. www.mysite.com ... I think :) )
Title: Re: OPNsense 18.7 bypass transparent proxy completely
Post by: Zoldan on September 28, 2018, 07:19:49 pm
I followed the tutorial described in the OPNsense HOWTO https://wiki.opnsense.org/manual/how-tos/proxytransparent.html
So, as described there, the rules for 3128 & 3129.
The weird thing is that SSL no bump is configured for the site in question (https://www.nfe.fazenda.gov.br), but it is still in the middle...
Title: Re: OPNsense 18.7 bypass transparent proxy completely
Post by: Zoldan on September 28, 2018, 10:25:00 pm
I have now added a firewall alias (type HOST) for the site (IP and FQDN) and added a rule before all other rules:
Source LAN net -> port * -> Destination "ALIAS" -> port 80 & 443 -> gateway *

But still blocked by the proxy!
What am I doing wrong?
Title: Re: OPNsense 18.7 bypass transparent proxy completely
Post by: Zoldan on October 01, 2018, 07:22:12 pm
Figured it out!

I added the rdr rule in the wrong place; it should be under NAT: Port Forward

Source LAN net -> port * -> Destination "ALIAS" -> port 80 & 443 -> gateway *

And for the unrestricted IPs on LAN:

Source ADMIN alias -> port * -> Destination * -> port * -> gateway *
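As an added illustration that is not part of this thread, the two port-forward rules above correspond roughly to the following pf(4) rules on the firewall; the interface, network, addresses and table names are assumed placeholders, and the bypass entries are assumed to be "no rdr" rules placed ahead of the how-to's redirects to 3128/3129:

```pf
# Constructed example of the pf rules behind the OPNsense port forwards.
# Interface, network and address values are placeholders, not from the thread.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# Bypass destinations (the government site's IPs/FQDN) and the unrestricted
# admin workstations; in OPNsense these tables are filled from the aliases.
table <BYPASS_SITES> { 203.0.113.10 }   # placeholder for the site's address
table <ADMIN_HOSTS>  { 192.168.1.50 }   # placeholder admin workstation

# Bypass rules must come FIRST: pf evaluates translation (rdr) rules
# first-match, so a matching "no rdr" stops the later redirect from firing.
# This is why the same rule placed under Firewall: Rules had no effect:
# filter rules run after translation and cannot undo a redirect.
no rdr on $lan_if proto tcp from <ADMIN_HOSTS> to any port { 80 443 }
no rdr on $lan_if proto tcp from $lan_net to <BYPASS_SITES> port { 80 443 }

# Transparent proxy redirects from the how-to (80 -> 3128, 443 -> 3129)
rdr on $lan_if proto tcp from $lan_net to any port 80  -> 127.0.0.1 port 3128
rdr on $lan_if proto tcp from $lan_net to any port 443 -> 127.0.0.1 port 3129

# The bypassed traffic still needs filter rules allowing it out directly
pass in quick on $lan_if proto tcp from $lan_net to <BYPASS_SITES> port { 80 443 }
pass in quick on $lan_if proto tcp from <ADMIN_HOSTS> to any port { 80 443 }
```

Traffic matched by a "no rdr" rule never reaches Squid, so the proxy's access-control whitelist, SSL no-bump list and access logs no longer apply to it; keep the bypass tables as small as possible and log those pass rules if you need visibility into that traffic.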