Transparent Proxy with IPv6

Started by andbaum, January 22, 2019, 10:23:50 AM

January 22, 2019, 10:23:50 AM Last Edit: January 22, 2019, 06:35:00 PM by andbaum
I'm trying to implement a transparent squid proxy with OPNsense. With IPv4 everything works, but the IPv6 side doesn't do anything. The settings seem correct to me.

My guess: Squid is IPv6 capable

cat /var/log/squid/cache.log
[...]
2019/01/22 10:00:54 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::1]:3128 remote=[::] FD 14 flags=41

but IPv6 NAT redirect is not implemented in BSD (so in OPNSense).
I can create an IPv6 rule under "Firewall: NAT: Port Forward" but it seems to be ignored by the system. Is this correct?

Yours, Andreas

No one out there having a transparent proxy with IPv6 enabled?  :-\


Really sad - update to 19.1 (BTW: cool product 8)) didn't fix it?
Does anyone know a workaround how to bring IPv6 http traffic transparent over the OPNsense squid?

Yours,

Andreas

February 28, 2019, 02:52:55 PM #4 Last Edit: March 01, 2019, 09:06:42 AM by hbc
Quote from: andbaum on January 22, 2019, 10:23:50 AM
but IPv6 NAT redirect is not implemented in BSD (so in OPNSense).
I can create an IPv6 rule under "Firewall: NAT: Port Forward" but it seems to be ignored by the system. Is this correct?


you mean this rule is ignored? :o

rdr on lagg0_vlanXXXX inet6 proto tcp from (InterceptNets:network) port 1024:65535 to any port = http -> <Host_localhost> port 3128 round-robin


That would explain why there are just ipv4 source addresses in squid's access.log  ::) Either the rule is ignored or there are no clients that use direct ipv6 web traffic because they use wpad.dat proxy configs.

I will have to tcpdump and have a look.

Update: I dumped for 90 minutes and there was very little ipv6 http traffic, but it failed. Just the SYN was logged. That is correct: since I thought port 80 was directed transparently through the proxy, there is no firewall rule to pass ipv6:80.

Keen to know how to use transparent IPv6 proxy.

See https://github.com/opnsense/core/issues/1784

Continuing to talk to myself:

I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568

There is this comment:
Quote
Your PF rule redirects a packet to ::1, but doesn't change the receiving interface.  Thus, it violates scoping rules.  You can tell by running 'netstat -s -f inet6 | grep "violated scope"' before and after generating the traffic that you want to redirect.  The check is in in6_setscope().

The simple workaround is to change your rdr rule to redirect to your actual link-local, site-local, or global IPv6 address instead of ::1.

Will try to redirect to the receiving interface's address instead of localhost.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

March 01, 2019, 10:32:18 AM #5 Last Edit: March 01, 2019, 11:28:30 AM by hbc
Update:
Success. Hurray  8) It is really this scope thing. But it seems I possibly also found a little bug (at least if you are not running HA CARP).

Since I could not use ::1 for ip6 redirects (the scope thing), I had to use the local ip6 address of the interface. But while squid binds to all ip4 addresses of activated interfaces (as expected), it does NOT bind to the corresponding ip6 addresses unless you configured an ip6 CARP address.

So in a CARP world everything is ok, because the redirect rule for the transparent proxy should use the CARP ip due to rule sync. In a standalone scenario maybe you would have to define an IP alias and redirect to its ip6, or the developers have to fix OPNsense to add all ip6 addresses for listening (maybe the better way; why listen only on ip4 on a dual-stack system?).

Well, this was the positive news. The ip6 redirect worked BUT I get an error in squid about a malformed URL.
But sometimes it's good to write about things, because while writing these lines I think I got an idea: the local ip ::1 is configured for intercept, the CARP ip6 which I used instead is not.

So as next step I will make a manual change to squid config and add the 'intercept' option and hope that requests are processed right. ATM I get TAG_NONE/400 when doing ip6 transparent redirect.

Final result:
Transparent ip6 proxy works if:


  • you take care of ip6 scope, i.e. you redirect to same ip scope (=local ip6 address on interception interface)
  • you allow port 80/tcp/ip6 to pass on this interface
  • you add carp/ip alias, so that ip6 address gets added to squid.conf
  • you manually add intercept to the local ip6 address

So except for the intercept option you can do everything from the gui, and with each change in the web proxy configuration you manually have to set 'intercept' again or you patch the generating file.

I'm trying to enable an IPv6 Transparent proxy and found this thread.

Both my original attempt to use the ::1 loopback address and this thread's suggestion to use a link-local interface address don't seem to work.

Is this the latest and greatest on the issue?

What do you mean? You need an out of the box solution with gui options? Then you should create a feature request on github.

The manual way works perfectly:

  • assign static ipv6 address to lan interface
  • add an 'http_port static-ipv6 intercept' line to /usr/local/etc/squid/squid.conf (just copy the 127.0.0.1 line and replace the ip)
  • add forwarding rule and redirect lan http(s) traffic to your opnsense lan ipv6 address and squid port(s)

Of course first you have to make sure that ipv6 works. That means your clients get an ipv6 address (dhcpv6, slaac, ra), your dns returns AAAA records, etc.

Then your clients resolve the dns name, get an AAAA record, the browser contacts the ipv6 address, opnsense redirects to the local squid on its interface ipv6 address, squid fetches the content and returns it. Voilà.

I would think that it makes sense to allow that out of the box.

My IPv6 works fine (in fact, as someone moving over from pfsense, it was easier to configure and seems to acquire ipv6 addresses more reliably than pfsense).

I'll go through that checklist and see if I can get it working, but yes, as IPv6 becomes more ubiquitous, surely having total feature parity with IPv4 should be an objective, including the very elegant way that IPv4 transparent proxy configuration has been set up.

One of the big differentiators I find with OPNsense vs. pfSense is that much of the management has been simplified, particularly wrt package configuration. This would be a great way to continue investing in that OPNS way of doing things.

I'll report back after I have a few moments to try the manual approach.

Quote from: fabian on January 14, 2020, 04:50:23 PM
I would think that it makes sense to allow that out of the box.

Well, I added a pull request that would add the ipv6 addresses as listeners. Since I'm not familiar with how to get the lan interface's ipv6 address, I could not add a patch that would extend the sample forwarding rule that exists for ipv4 to ipv6, but I made a remark in my pull request. For the devs it should be easy to extend the "transparent_proxy" template in firewall_nat_edit.php.

If you put those statements into an include dir it also survives a reconfig in the GUI.
I'm using /usr/local/etc/squid/pre-auth/39-ipv6-bind.conf
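Added example, not from any poster and not OPNsense code: hbc's final checklist and manual steps, plus the include-dir tip above, as one sh script. It takes the LAN interface's global IPv6 address from ifconfig output (link-local fe80:: and %zone-scoped addresses are skipped, since the rdr target must be a plain address in the interface's scope), writes the squid http_port ... intercept line into the pre-auth include file so it survives GUI regeneration, and prints the pf rdr/pass rules that the port forward has to produce. Assumptions: the interface name vtnet1, squid's intercept port 3128, the include path from the post above; the sample ifconfig text is constructed.

```shell
#!/bin/sh
# Added example: bind a squid intercept port to the LAN interface's global
# IPv6 address and show the matching pf rules (OPNsense/FreeBSD).

SQUID_INCLUDE=/usr/local/etc/squid/pre-auth/39-ipv6-bind.conf   # from the thread
SQUID_PORT=3128                                                  # assumption

# $1: text of `ifconfig <if>`; prints the first global inet6 address.
lan_global_v6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 !~ /^fe80:/ && $2 !~ /%/ { print $2; exit }'
}

# $1: IPv6 address; prints the squid listener line (address in brackets,
# same shape as the generated 127.0.0.1 intercept line).
squid_intercept_line() {
    printf 'http_port [%s]:%s intercept\n' "$1" "$SQUID_PORT"
}

# $1: interface, $2: IPv6 address; prints the pf rules the port forward needs.
pf_rules() {
    cat <<EOF
# redirect client IPv6 HTTP to squid on the interface's own address, never ::1
rdr on $1 inet6 proto tcp from ($1:network) to any port 80 -> $2 port $SQUID_PORT
# pf filters the packet after translation, so the pass rule names the translated destination
pass in quick on $1 inet6 proto tcp from ($1:network) to $2 port $SQUID_PORT
EOF
}

# $1: LAN interface. Writes the squid include and prints the pf rules.
apply_ipv6_intercept() {
    addr=$(lan_global_v6 "$(ifconfig "$1")")
    [ -n "$addr" ] || { echo "no global IPv6 address on $1" >&2; return 1; }
    squid_intercept_line "$addr" > "$SQUID_INCLUDE"
    echo "wrote $SQUID_INCLUDE:"; cat "$SQUID_INCLUDE"
    echo "enter these as Firewall: NAT: Port Forward (shown in pf.conf syntax):"
    pf_rules "$1" "$addr"
}

# Constructed sample (not captured from a real box), for offline use.
SAMPLE_IFCONFIG='vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1%vtnet1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:1::1 prefixlen 64'
```

On the firewall: `. ./v6-intercept.sh; apply_ipv6_intercept vtnet1`, then restart the proxy service. The clients still need working IPv6 (address, AAAA records) as hbc notes; the script only covers the OPNsense side.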

Hi all,

thanks to this thread I could get my transparent proxy work with IPv6.

Only two things still give me some question marks:

  • If I test with https://ipv6-test.com/ my IPv6 connectivity from my Windows 10 Client, only the browser fallback from IPv6 to IPv4 fails. Without the proxy it had worked.
  • When I connect from my browser (Chrome and Edge) to an undefined IP address via http, I get the squid error page as expected. Doing the same with https, a browser error message is displayed: "Site is not reachable" and "ERR_CONNECTION_CLOSED".
    I tried with a lower connection timeout, but still no squid error page.

Any suggestions what is wrong or what other parameters I can set?

Kind regards
Torsten