Messages - DavidSte1

#1
Hi all,

I'm working on getting squid running as a transparent proxy for both HTTP and HTTPS traffic (in order to avoid having to configure clients individually and to enable usage reporting from the logs).

I have it set up as per the OPNsense docs and it works OK if I manually configure the proxy in a browser, and tick the box to use the single port (3128) for both HTTP and HTTPS. Inspection and filtering works with a proxy set in the browser (and of course a trusted certificate), although this is not a requirement.

However, I can't work out how to make it work as a transparent proxy with the NAT rules. If I send traffic for both HTTP and HTTPS to 3128, or separately to 3128 and 3129, the HTTPS traffic doesn't work in either case.

It looks like although the port is defined in the web GUI, it doesn't actually create a listener. I do see traffic on 3129 allowed through the firewall rules, so it appears to be something in squid itself. Indeed, in squid.conf I only see listeners for 3128. Is this a bug in the web GUI or have I missed some other setting?

This is the squid config for listeners:
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept
http_port [::1]:3128 intercept

# Setup regular listeners configuration
http_port 192.168.11.251:3128
http_port 127.0.0.1:3128
http_port [::1]:3128
I've tried what feels like every combination of options and got nowhere so any help would be appreciated.
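For comparison with the listener block quoted above, here is what a transparent HTTPS listener looks like in plain squid.conf terms. This is an added example, not the poster's config and not what OPNsense generates; the CA certificate, key, helper and cert-database paths are placeholders.

```squid
# Added example (not from the post or from OPNsense's generated config): what a
# transparent HTTPS listener on 3129 looks like in plain squid.conf terms.
# Assumed: CA cert/key, helper and cert-DB paths are placeholders.

# Transparent HTTP, as in the post (the NAT rule redirects port 80 here).
http_port 127.0.0.1:3128 intercept

# Transparent HTTPS: the NAT rule must redirect port 443 to this port.
# Without an https_port line, squid never opens 3129 at all, which matches
# seeing traffic pass the firewall rules but still failing.
https_port 127.0.0.1:3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/PLACEHOLDER/path/to/ca.crt tls-key=/PLACEHOLDER/path/to/ca.key

# Helper that mints per-host certificates signed by the CA above.
sslcrtd_program /PLACEHOLDER/path/to/security_file_certgen -s /PLACEHOLDER/ssl_db -M 4MB

# Peek at the TLS ClientHello (SNI) first, then decrypt. Clients must trust
# the CA for 'bump'; 'ssl_bump splice all' instead would only log the SNI
# without decrypting, which is enough for usage reporting on its own.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

A quick check that the listener really exists once the config is in place is to look for a socket bound to 3129 after a squid restart; if squid.conf still has no https_port line, there is nothing for the 443 redirect to land on.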
#2
I know full well the limitations of reverse DNS, but it doesn't really answer my original question.
#3
Yes, I do mean DNS domains. You can use domain names in FW rules, but I'll send logfiles to Splunk to handle the name lookups for the IPs in the logs.
#4
Hi,

I have a use case where I need to watch access to a specific domain.  I'd like to create a rule to allow traffic and log it but then to continue to process other rules (which may then subsequently block this traffic either now or in the future).

I can't work out a way to do this - is this even possible?

Thanks, David
#5
I've got a strange problem. I'm running OPNsense on a (standalone) ESXi 6.7 server with two NICs. There are a bunch of other Linux VMs running too.

I can ssh into the OPNsense server from my laptop and I can then ssh from there to the Linux VMs (e.g. keeping in the same virtual switch in ESX).

What I can't do is ssh from my laptop to either the VMs or to the host management port (also on the same vswitch as the Linux VMs). I also can't load the management web GUI for the host on 443.

I can however ping the Linux VMs from my laptop, and I can also get onto the desktop of the VMs using TeamViewer, which is luckily installed. I can then ssh between the VMs OK. I can also browse the web through OPNsense.

I did a packet capture on my laptop and I see ACKs coming back before getting a reset.

My first thought was IPS/IDS sending the reset packets, as the Suricata plugin is installed, but I've deactivated it, and it was only configured for the WAN interface anyway (which is a different vswitch in ESX). If I enable the plugin but stop the Suricata service it makes no difference.

I know it's OPNsense though, because when I shut it down, everything suddenly bursts back into life and I have full connectivity.

Could Suricata somehow still be running in the background, or is there any other service that might behave the same way (I don't have Sensei installed)?

Cheers