I don't understand your statement that NAT is required for forgery prevention.

Squid does not depend on NAT for anything, just normal IP traffic.

Questions requiring an answer for my understanding:

1) Where are the squid servers logically, relative to users and the pfsense boxes?



Could it be a simple ACL error on your squid box?

Try connecting a browser straight to squid, and see what the logs show.



Bevan wrote on 05/06/15 11:56:
There is no Squid on the pfsense wifi gateway; they just NAT port-forward everything on HTTP to the Linux Squid server. The current Squid servers (3.1) don't have iptables enabled because the pfsense gateways are doing the role of the firewall. However, of course this won't work on any Squid server 3.2 onwards because there needs to be some NATting done on the Squid server itself. Something to do with preventing Host header forgeries.

On 5 June 2015 at 11:24, C. Falconer <[email protected]> wrote:

    Bevan wrote on 05/06/15 10:09:
    Hi

    We have several pfsense embedded boxes as wifi gateways acting
    as captive portals which give unsecured wi-fi access to several
    libraries around the country. The internet traffic then comes to
    one of our two Squid servers acting as transparent proxies, which
    see the IP address as the gateway itself. We are currently running
    Squid 3.1 but we want to start using Squid 3.3; however, because
    the port-forward NATting is done on the pfsense gateway,
    Squid from 3.2 onwards is refusing to accept the traffic from
    these gateways. Is there any way to use iptables and re-NAT the
    traffic from the gateways so Squid will see the original IP of the
    device connected to the wifi at the other end and allow access?

    It appears the traffic just loops inside squid on localhost.


    Reiterating for understanding...

    You have clients behind a pfsense box, which is running captive
    portal and transparent proxy on http with Squid.

    The traffic is then picked up by other squid processes, using
    transparent proxy again?

    And the problem is that the squid boxes keep forwarding to themselves?



    *If adding NAT seems like a good answer, you're asking the wrong
    question.*

    The pfsense squid boxes can use the main squid boxes as parents if
    you want, but realistically it's primarily about logging and/or
    filtering, not about bandwidth saving.


    Perhaps it would be better to break the problem down - first try
    connecting explicitly to the squid process from a client, and then
    test the transparent proxy part of the main squid boxes.



    In your squid configs, do you have any of these options?

    follow_x_forwarded_for allow all
    acl_uses_indirect_client on
    log_uses_indirect_client on
    delay_pool_uses_indirect_client on





    Questions:
    What do the squid access logs say?
    What are you doing with the https traffic like google and facebook?
    Are the main squid boxes internal to the LAN on each site, or
    connected somewhere else?
    A network map might go a long way to explaining it with less
    typing - do you have one?

    What are your goals / outcomes for this setup?


--
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users

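As an added illustration of the point Bevan raises (Squid 3.2+ checking the Host header of intercepted traffic against the real destination, which it can only recover from a NAT table on its own box) and of the "loops inside squid on localhost" symptom, here is a simplified model of that check. It is not Squid's code and not from anyone in this thread; all names, addresses and the DNS table are constructed.

```python
# Added illustration (not Squid's code, not from anyone in this thread) of the
# Host header verification Squid 3.2+ applies to intercepted connections, and
# of why it misbehaves when the DNAT is done on another box (pfsense) rather
# than on the Squid host.  Names and addresses are constructed; a small dict
# stands in for DNS so the script runs offline.

PROXY_IP = "192.0.2.10"  # constructed: the Squid box's own address

# Constructed DNS answers for the Host headers used below.
DNS = {
    "www.example.org": {"203.0.113.5", "203.0.113.6"},
    "cdn.example.net": {"198.51.100.7"},
}


def original_destination(client_conn, local_nat_table):
    """Hypothetical stand-in for Squid querying the *local* NAT table for the
    pre-NAT destination of an intercepted connection.  If the DNAT happened
    on a different box there is no local entry, and the only address Squid
    can see is the socket's own local address, i.e. the proxy itself."""
    return local_nat_table.get(client_conn, PROXY_IP)


def verify_host(orig_dst, host_header):
    """Squid 3.2+ rule: the intercepted destination IP must be one of the
    addresses the Host header resolves to; otherwise the request is treated
    as a possible Host header forgery and is not relayed by Host name."""
    if orig_dst in DNS.get(host_header, set()):
        return "ok"
    if orig_dst == PROXY_IP:
        return "loop"  # destination is ourselves: the symptom in the thread
    return "forgery"


def intercept(client_conn, host_header, local_nat_table):
    """Both steps for one intercepted request."""
    return verify_host(original_destination(client_conn, local_nat_table),
                       host_header)


if __name__ == "__main__":
    conn = ("10.1.1.23", 51234)
    # DNAT on the Squid box: original destination recoverable and matches Host.
    local_nat = {conn: "203.0.113.5"}
    print(intercept(conn, "www.example.org", local_nat))   # ok
    # DNAT upstream on pfsense: no local entry, destination collapses to the
    # proxy itself and the request loops.
    print(intercept(conn, "www.example.org", {}))          # loop
    # Local DNAT present, but Host does not resolve to the intercepted IP.
    print(intercept(conn, "cdn.example.net", local_nat))   # forgery
```

The middle case is the one in this thread: with the port forward done on pfsense, the Squid box has no local NAT entry to consult, so the only destination it can see is itself.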