Firewall to Transparent Proxy

Started by bruci3, February 28, 2019, 01:46:46 AM

February 28, 2019, 01:46:46 AM Last Edit: February 28, 2019, 02:08:52 AM by bruci3
Hi guys,

I am pretty confused and can't get my setup to work.

All on same network/subnet.

- Opnsense firewall 10.0.0.1
- Opnsense proxy 10.0.0.2

"Enable Transparent HTTP proxy" is checked.

- Certificates are installed on clients

Firewall and proxy both work completely fine alone, if I set my PC client with proxy settings to point to the proxy server it works as should for both HTTP and HTTPS.

I am trying to make it a transparent proxy, i.e. no need to put proxy settings on the client, but it won't work.

So on the firewall 10.0.0.1 I have these rules:

NAT Port forward
LAN TCP Src: LAN - Dest: port 80 redirect to IP 10.0.0.2 Port 3128
LAN TCP Src: LAN - Dest: port 443 redirect to IP 10.0.0.2 Port 3129

Am I missing other firewall rules or what else is needed?

Please help I have been struggling with this for a very long time.

February 28, 2019, 02:45:57 AM #1 Last Edit: February 28, 2019, 02:56:33 AM by bruci3
Still not working.

I think you cannot just forward packets to a second device, since squid's interception listens on localhost.

But you can enable transparent proxy on localhost 127.0.0.1, apply the necessary NAT rules to intercept local traffic and then in squid enable 'parent proxy' and enter your proxy server IP (10.0.0.2).
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Hi hbc, thanks for trying to help.

Sorry, do you mind breaking down those steps you mentioned?

So just to clarify, you are saying to enable "Transparent Proxy" on the proxy server 10.0.0.2 (this is already done) or on the firewall 10.0.0.1?

March 01, 2019, 02:19:56 AM #4 Last Edit: March 01, 2019, 02:24:07 AM by bruci3
Ok I found something that should be the solution to my problem.

This link here says how to route when Firewall and Proxy are on separate servers: http://tldp.org/HOWTO/TransparentProxy-6.html

Apparently I need these rules on the firewall, but I am not sure how to interpret these rules in Opnsense?

# Placeholders from the HOWTO: squid-box = proxy host, iptables-box = firewall host, local-network = LAN subnet.
# 1. Redirect LAN HTTP traffic (except traffic from the proxy itself) to the proxy on port 3128.
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
# 2. Rewrite the source so replies from the proxy come back through the firewall (same segment, so the
#    proxy would otherwise answer the client directly and the redirected connection would break).
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
# 3. Allow the redirected connections to be forwarded out the same interface they came in on.
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

That first rule I assume would be:
Interface: LAN | Proto: TCP | Source: ! 10.0.0.2 | Src ports: * | Dest: * | Dest ports: 80 (HTTP) | NAT IP: 10.0.0.2 | NAT ports: 3128

But I am completely lost on the 2nd and 3rd rules.

Quote from: bruci3 on February 28, 2019, 10:19:26 PM
So just to clarify, you are saying to enable "Transparent Proxy" on the proxy server 10.0.0.2 (this is already done) or on the firewall 10.0.0.1?

Nope. 10.0.0.2 does not need to run transparent. It would just act as ordinary parent proxy. You would need to run proxies on both machines.

  • 10.0.0.1 transparent, forwarding proxy (no caching) with parent proxy 10.0.0.2
  • 10.0.0.2 as caching proxy maybe with filtering, ICAP, etc.

Then you have your NAT rule on 10.0.0.1 that intercepts traffic to port 80 and directs it to 127.0.0.1:3128 (local, transparent squid). Your gateway's local squid will then query your caching, scanning, filtering proxy server at 10.0.0.2.
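As an added illustration, not from this thread and not the config OPNsense generates from its GUI, this is the squid.conf equivalent of hbc's two-proxy layout as it would apply on the gateway 10.0.0.1: a non-caching intercept listener on localhost that hands everything to the parent on 10.0.0.2. It assumes the LAN is 10.0.0.0/24 and that the parent proxy listens on 10.0.0.2:3128, as in the original port forward rule; HTTPS interception (the OP's port 3129) needs a separate https_port with SSL bump and is left out.

```conf
# squid.conf fragment for the transparent, forwarding-only squid on the gateway (10.0.0.1).
# Assumed LAN range; adjust to your subnet.
acl localnet src 10.0.0.0/24

# Intercept listener on localhost only: the NAT rule on the gateway redirects
# LAN port 80 traffic to 127.0.0.1:3128. Binding to loopback means the proxy
# cannot be reached directly from the LAN, only via the redirect.
http_port 127.0.0.1:3128 intercept

# The second box (10.0.0.2) is the parent that does caching/filtering/ICAP.
# no-query: no ICP probing; default: use it for any request without a better match.
cache_peer 10.0.0.2 parent 3128 0 no-query no-digest default

# Never fetch from the origin server ourselves; every request must go to the parent.
# Without this, squid silently goes direct when the parent is down and the
# filtering on 10.0.0.2 is bypassed.
never_direct allow all

# This hop is forwarding-only; caching happens on 10.0.0.2.
cache deny all

# Only intercepted LAN clients may use this proxy.
http_access allow localnet
http_access deny all
```

With never_direct set, a parent outage shows up as an error page from the gateway squid rather than as traffic quietly skipping the filtering proxy, which is the behaviour to check for when testing the chain.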

Ah I see, thanks for clarifying and thanks so much for your help. That sounds like it should work. ;D