Is there a way to do the equivalent of "pass in quick proto tcp" in the GUI?

Started by marcosscriven, April 15, 2023, 11:46:14 PM

I searched the forum for this, and the closest I could find was this: https://forum.opnsense.org/index.php?topic=2063.0

I'm just trying to set up redirection to a transparent proxy, following the instructions here for OpenBSD (as this is what opnsense is under the hood) https://docs.mitmproxy.org/stable/howto-transparent/#openbsd

It says to add this to /etc/pf.conf:

mitm_if = "re2"
pass in quick proto tcp from $mitm_if to port { 80, 443 } divert-to 127.0.0.1 port 8080


This assumes running on a local machine, but on my opnsense router I'd have to tell it another IP address on the vlan.

However, it's not clear to me how to achieve the same in opnsense. Originally I simply tried port forwarding, before realising that wouldn't work.

Any ideas here please? If it's not possible in the GUI, how do I do it manually?

Port forwarding is correct. There is a field on that page "associated firewall rule". Set that to "pass".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks - I just tried that, and all it seems to have done is not create a firewall rule.

When I look at Wireshark on the target, I see traffic coming from the original source, but the destination is the server targeted by the NAT rule, and not the original target.

The documentation at https://docs.mitmproxy.org/stable/concepts-modes/#transparent-proxy specifically warns about this:

Quote: This distinction is important: when the packet arrives at the mitmproxy machine, it must still be addressed to the target server. This means that Network Address Translation should not be applied before the traffic reaches mitmproxy, since this would remove the target information, leaving mitmproxy unable to determine the real destination.

Any ideas here please?

I somehow need to send traffic from one host to another on the same subnet, but keep the original destination (something called "masquerade" I think, in Linux parlance).

Just bumping this in the hope someone can help here please? I'm essentially trying to forward traffic from one host to another, while preserving the source IP.
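As an added example that is not part of this thread, and not OPNsense's or mitmproxy's own configuration, the following pf.conf fragments show one way to get the behaviour asked for above: steer the LAN's port 80/443 traffic to a proxy host on the same VLAN while leaving both the source and the destination address intact. The router-side rule uses pf's route-to, which forwards a matching packet to the given next hop without rewriting addresses (unlike rdr/port forwarding, which rewrites the destination and is what the Wireshark capture above was showing). The router rule is written in FreeBSD pf syntax, which is what OPNsense runs; the proxy-host rule is the OpenBSD divert-to form from the mitmproxy docs. The interface names, subnet and addresses are placeholders I chose, not values from the thread.

```pf
# Added example, not from the thread, OPNsense or mitmproxy.
# Goal: send LAN web traffic to a transparent mitmproxy host on the same VLAN
# without NAT, so mitmproxy still sees the real destination.

# ---------- Router side (OPNsense, FreeBSD pf): /etc/pf.conf fragment ----------
# Assumed placeholders: the VLAN interface is vlan10, the client subnet is
# 192.168.10.0/24 and the mitmproxy host lives at 192.168.10.50.
lan_if   = "vlan10"
lan_net  = "192.168.10.0/24"
proxy_ip = "192.168.10.50"

# First match wins because of "quick": the proxy host's own upstream connections
# to port 80/443 must pass normally, otherwise the route-to rule below would send
# mitmproxy's outbound traffic straight back to mitmproxy and create a loop.
pass in quick on $lan_if proto tcp from $proxy_ip to any port { 80, 443 }

# route-to hands every other matching packet to the next hop in parentheses.
# Source and destination addresses are left untouched; only the L2 next hop
# changes, so the packet arrives at the proxy host still addressed to the
# real web server.
pass in quick on $lan_if route-to ($lan_if $proxy_ip) \
    proto tcp from $lan_net to any port { 80, 443 }

# ---------- Proxy host side (OpenBSD pf, as in the mitmproxy docs) ----------
# Assumed placeholder: re2 is the NIC facing the VLAN. divert-to hands the
# packet to the socket mitmproxy (--mode transparent) has bound on 127.0.0.1:8080
# while preserving the original addresses for it to read.
mitm_if = "re2"
pass in quick on $mitm_if proto tcp to port { 80, 443 } divert-to 127.0.0.1 port 8080

# ---------- Checks (run on whichever host you edited) ----------
#   pfctl -nf /etc/pf.conf    # parse only; catches syntax errors before loading
#   pfctl -f /etc/pf.conf     # load the ruleset
#   pfctl -s rules            # confirm the route-to / divert-to rule is present
#   pfctl -s state            # router states should show the real server as the
#                             # destination, not $proxy_ip; if they show $proxy_ip,
#                             # a NAT/port-forward rule is still matching first
```

Two things to keep in mind with this layout. The proxy host must be able to accept packets that are not addressed to it (divert-to on OpenBSD does this; on Linux the equivalent is the REDIRECT setup in the same mitmproxy how-to), and its default route must point back at the router so its own upstream connections leave the VLAN normally. The router only ever sees the client-to-server direction: the proxy host answers the client directly on the shared segment, so no return path through the router is needed. In the OPNsense GUI the route-to rule corresponds to policy routing, i.e. defining a gateway whose address is the proxy host and selecting it in the firewall rule's Gateway field, with no port-forward (NAT) rule at all for this traffic.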