There is no squid on the pfsense wifi gateway; they just NAT port-forward everything on http to the Linux squid server. The current squid servers (3.1) don't have iptables enabled because the pfsense gateways are doing the role of the firewall. However, of course this won't work on any squid server 3.2 onwards because there needs to be some natting done on the squid server itself. Something to do with preventing host header forgeries.
On 5 June 2015 at 11:24, C. Falconer <[email protected]> wrote:
> Bevan wrote on 05/06/15 10:09:
> > Hi
> >
> > We have several pfsense embedded boxes as wifi gateways acting as
> > captive portals which give unsecured wi-fi access to several libraries
> > around the country. The internet traffic then comes to one of our two
> > squid servers acting as transparent proxies, which sees the ip address as
> > the gateway itself. We are currently running squid 3.1 but we want to
> > start using squid 3.3, however because the port forward natting is done
> > on the pfsense gateway, squid from 3.2 onwards is refusing to accept the
> > traffic from these gateways. Is there any way to use iptables and renat
> > the traffic from the gateways so squid will see the original ip of the
> > device connected to the wifi at the other end and allow access?
> >
> > It appears the traffic just loops inside squid on localhost.
>
> Reiterating for understanding...
>
> You have clients behind a pfsense box, which is running captive portal and
> transparent proxy on http with Squid.
>
> The traffic is then picked up by other squid processes, using transparent
> proxy again?
>
> And the problem is that the squid boxes keep forwarding to themselves?
>
> *If adding NAT seems like a good answer, you're asking the wrong question.*
>
> The pfsense squid boxes can use the main squid boxes as parents if you
> want, but realistically it's primarily about logging and/or filtering, not
> about bandwidth saving.
>
> Perhaps it would be better to break the problem down - first try
> connecting explicitly to the squid process from a client, and then test the
> transparent proxy part of the main squid boxes.
>
> In your squid configs, do you have any of these options?
>
> follow_x_forwarded_for allow all
> acl_uses_indirect_client on
> log_uses_indirect_client on
> delay_pool_uses_indirect_client on
>
> Questions:
> What do the squid access logs say?
> What are you doing with the https traffic like google and facebook?
> Are the main squid boxes internal to the LAN on each site, or connected
> somewhere else?
> A network map might go a long way to explaining it with less typing - do
> you have one?
>
> What are your goals / outcomes for this setup?
>
> --
>
> CF
>
> _______________________________________________
> Linux-users mailing list
> [email protected]
> http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
>

--
Regards
Bevan
Linux Aficionado and Arch Linux fanboy
In a world without fences and walls, who needs Gates and Windows?
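As an added example (not code from the thread or from the Squid project), here is the layout Squid 3.2+ intercept mode expects, with the redirect done on the Squid host itself rather than on the gateway. It assumes, hypothetically, that the gateways route client port-80 traffic from 10.10.0.0/16 to the Squid host over eth0 instead of port-forwarding it, and that Squid uses 3128 for explicit clients and 3129 for intercepted traffic.

```shell
#!/bin/sh
# Added example, not from the thread. A Squid 3.2+ "intercept" port looks up
# the client's original destination in the LOCAL NAT table (SO_ORIGINAL_DST)
# and compares it with the Host header; when the NAT was done on another box
# the lookup fails and the request is treated as a loop / forgery. So the
# redirect has to happen here, on the Squid host.
# Assumptions (hypothetical values): the gateways route, rather than
# port-forward, client port-80 traffic from CLIENT_NET to this host via LAN_IF;
# Squid serves explicit clients on 3128 and intercepted traffic on 3129.
CLIENT_NET=${CLIENT_NET:-10.10.0.0/16}
LAN_IF=${LAN_IF:-eth0}
EXPLICIT_PORT=3128
INTERCEPT_PORT=3129

# squid.conf fragment: explicit and intercept listeners on separate ports.
squid_conf_fragment() {
    printf 'http_port %s\n' "$EXPLICIT_PORT"
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# iptables rules, emitted as text for review (pipe into sh as root to apply).
# Rule 1 redirects routed client HTTP to the intercept port, creating the local
# NAT entry Squid reads. Rule 2 drops packets that arrive already addressed to
# the intercept port, so only redirected ones (still dport 80 when mangle
# PREROUTING runs) reach it. Squid's own outbound traffic passes through OUTPUT,
# not PREROUTING, so it is not caught by rule 1.
nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$CLIENT_NET" "$INTERCEPT_PORT"
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j DROP\n' "$INTERCEPT_PORT"
}

# Sanity check on a squid.conf fragment: "intercept" must not sit on the
# explicit port (explicit clients would then hit the NAT lookup and fail), and
# the intercept port must be declared. Returns 0 when both hold.
check_conf() {
    ! printf '%s\n' "$1" | grep -q "^http_port $EXPLICIT_PORT intercept" &&
      printf '%s\n' "$1" | grep -q "^http_port $INTERCEPT_PORT intercept$"
}

squid_conf_fragment
nat_rules
```

The gateway side must actually route the client traffic here (the Squid host on the return path as well), otherwise the local NAT table is still empty and the 3.2+ check fails exactly as described above.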
