Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
OPNsense 18.7 bypass transparent proxy completely
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense 18.7 bypass transparent proxy completely (Read 5601 times)
Zoldan
Newbie
Posts: 4
Karma: 0
OPNsense 18.7 bypass transparent proxy completely
«
on:
September 28, 2018, 06:41:12 pm »
Hi,
I´m new here and rolled out some OPNsense installations with clients.
So far OPNsense supersedes my expectations (am also fanatic pfSense user), so keep up the good work!
With one client I have problems with the bypassing the transparent proxy for some government sites in Brazil.
I added the domain to SSL no bump, whitelist in access control, but still it is giving an error.
It says:
"ERROR requested URL could not be retrieved" Failed to establish secure connection to 200.x.x.x (IP from site)"
(92) Protocol error (TLS code X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
SSL Certificate error: certificate issuer (CA) not known: "issuer from certificate (which is valid)"
This proxy and the remote host failed tonegociate a mutually acceptable security settings for handling your request......
Locally (desktop browser) installed the self issued CA certificate from OPNsense and locally installed the certificate needed to access this site (government).
So I added the URL, IP, to mentioned sections, but still it looks like the proxy is in between.
I´m a little lost now...
Anyone an idea?
regards
Logged
rabievdm
Newbie
Posts: 30
Karma: 2
Re: OPNsense 18.7 bypass transparent proxy completely
«
Reply #1 on:
September 28, 2018, 07:04:40 pm »
How have you implemented the transparent proxy?
Ie how do you pass the traffic to squid?
In my setup I do a port redirect for all http traffic, so im my case I would add a firewall rule to not forward the traffic for the destinations to the proxy. The downside would be that you cannot work on named sites (ie
www.mysite.com
... I think
)
Logged
Zoldan
Newbie
Posts: 4
Karma: 0
Re: OPNsense 18.7 bypass transparent proxy completely
«
Reply #2 on:
September 28, 2018, 07:19:49 pm »
I followed the tutorial described on the OPNsense site HOWTO
https://wiki.opnsense.org/manual/how-tos/proxytransparent.html
So like described there the rules for 3128 & 3129.
Weird thing is SSL nobump is configured for the site in question (
https://www.nfe.fazenda.gov.br
) but it is still in the middle......
Logged
Zoldan
Newbie
Posts: 4
Karma: 0
Re: OPNsense 18.7 bypass transparent proxy completely
«
Reply #3 on:
September 28, 2018, 10:25:00 pm »
I added now firewall alias for the site (IP and FQDN) HOST and added a rule before all other rules:
Source LAN net -> port * -> Destination "ALIAS" -> port 80 & 443 -> gateway *
But still! blocked by proxy
What am I doing wrong?
Logged
Zoldan
Newbie
Posts: 4
Karma: 0
Re: OPNsense 18.7 bypass transparent proxy completely
«
Reply #4 on:
October 01, 2018, 07:22:12 pm »
Figured it out!
I added the rdr rule in the wrong place, should be on NAT, PortForward
Source LAN net -> port * -> Destination "ALIAS" -> port 80 & 443 -> gateway *
And for the unrestricted IPs on LAN:
Source ADMIN alias -> port * -> Destination * -> port * -> gateway *
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
OPNsense 18.7 bypass transparent proxy completely