Topic: IPsec traffic through Webproxy (Read 1768 times)
Lochkartenknipser
Newbie
Posts: 26
Karma: 0
IPsec traffic through Webproxy
« on: September 18, 2023, 03:04:41 pm »
Hello everyone,
I have to contact the professionals now.
I've been testing OPNsense for a few weeks in order to replace a UTM later. In terms of routers, I come from the Lancom corner.
I have an OPNsense installed in the Hetzner Cloud with a public v4 address and a Windows machine behind it for testing. The OPNsense successfully runs CrowdSec, GeoIP blocking, ntopng, transparent proxy http and https, ClamAV in the web proxy as well as blacklists and MIME types. Windows updates are not routed via the web proxy because of the certificates, Unbound DNS with blacklists and Zenarmor. Until then, everything works as it should on the Windows machine behind the OPNsense in the local network in the Hetzner Cloud.
I have now set up IPsec on the OPNsense so that I can connect my network at home to the Hetzner Cloud. At my house I have a Lancom as the end point of the IPsec tunnel. I can also access the OPNsense and the Windows machine in the cloud through the IPsec tunnel. Everything works as it should.
The next step is to route the internet traffic from home through the IPsec tunnel and use the OPNsense in the Hetzner Cloud as a main firewall. This also works perfectly. As a DNS at home I am currently using the Unbound DNS from OPNsense with the blocking lists.
Then I tried to route the internet traffic through Zenarmor as well. This doesn't work because of the netmap module that Zenarmor uses. Then I tried to route the internet traffic through the transparent web proxy so that the traffic is virus checked and the MIME types take effect. But this is exactly where my problem begins. I have set up the NAT from the IPsec network at home on the OPNsense, but I can only select LAN and loopback as proxy interfaces in the web proxy. Then I created a virtual adapter in IPsec, but it is not shown as a possible proxy interface.
I don't see any traffic from my home network in the log from the web proxy. I see the traffic from the home network in the firewall log as NAT traffic.
How can I ensure that the IPSec traffic also goes through the transparent proxy?
I would be very grateful for your help so that my test project can continue.
Best regards.
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1614
Karma: 176
Re: IPsec traffic through Webproxy
« Reply #1 on: October 15, 2023, 05:57:26 pm »
I'm posting this here for anybody who tries to use a port forwarding rule after traffic went into the IPsec enc0 interface. It won't work. The return traffic won't go back into the enc0 interface.
https://freebsd-net.freebsd.narkive.com/RiJhgUnH/pf-rdr-statement-ipsec-processing-interaction
It's a long-standing issue with no solution.
Using enc0 and forwarding (rdr) traffic to a loopback (or any other) interface IP address (where squid listens) will simply fail to work.
The problem arises from the order of operations between IPsec processing and pf packet redirection.
- OPNsense has nothing to do with this not working, it's upstream.
« Last Edit: October 15, 2023, 08:10:05 pm by Monviech »
Hardware: DEC740
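Added example, not part of the thread and not OPNsense code: a small shell check that lists the pf rdr rules bound to the enc interface, the kind of rule the reply above says will not get its return traffic back into the tunnel. The function names, sample rules, addresses and ports are constructed assumptions; on a live firewall the input would come from `pfctl -s nat`.

```shell
#!/bin/sh
# Added example: find pf redirect (rdr) rules attached to the IPsec enc
# interface. Reads `pfctl -s nat` style text on stdin and prints every
# matching rule. The interface defaults to enc0, as named in the thread.
enc_rdr_rules() {
    awk -v iface="${1:-enc0}" '
        $1 != "rdr" { next }            # skip nat, binat, "no rdr", rdr-anchor
        {
            for (i = 2; i < NF; i++) {
                if ($i == "->") break   # stop before the redirect target
                if ($i == "on" && $(i + 1) == iface) { print; next }
            }
        }
    '
}

# Constructed sample ruleset (hypothetical interfaces, networks and ports).
sample_rules() {
    cat <<'EOF'
no rdr proto carp all
rdr on vtnet1 inet proto tcp from any to ! (vtnet1) port = http -> 127.0.0.1 port 3128
rdr on enc0 inet proto tcp from 192.168.10.0/24 to any port = http -> 127.0.0.1 port 3128
rdr pass on enc0 inet proto tcp from 192.168.10.0/24 to any port = https -> 127.0.0.1 port 3129
nat on vtnet0 inet from 192.168.10.0/24 to any -> (vtnet0:0) port 1024:65535
EOF
}

# Demo run on the constructed sample.
# On a firewall, as root: pfctl -s nat | enc_rdr_rules enc0
echo "rdr rules on enc0 (expected to fail for tunnel traffic):"
sample_rules | enc_rdr_rules enc0
```

Any rule this prints is a candidate explanation for proxy logs that stay empty while the firewall log still shows the tunnel traffic.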