I'm guessing squid is listening on your inside interface, so the remote
users don't have to pass through it to get to the internet. The encrypted
traffic comes into the outside interface and gets decrypted. The firewall
sees the IP header, and makes a routing decision. Internet traffic will
match the default route, so it will pass right back out the outside
interface, never crossing the inside.

Even if you assign remote access VPN users a local IP address from the
inside network, if they are going out to the internet, they never actually
cross the inside interface regardless of the source IP address on the
packet headers. If that makes any sense? It's early and I'm low on coffee.

On Thu, Feb 2, 2012 at 10:15 AM, Fuchs, Martin <
[email protected]> wrote:

> Correct…
>
> So that the mobile users are completely separated from the internet and
> connect to the internet and our lan through the firewall…
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of* Ian Bowers
> *Sent:* Thursday, 2 February 2012 16:07
> *To:* pfSense support and discussion
> *Subject:* Re: [pfSense] squid over ipsec dial-in
>
>
> If I understand your scenario right, mobile users VPN to your site in full
> tunnel mode, then backhaul the internet over that VPN?
>
> On Thu, Feb 2, 2012 at 9:58 AM, Fuchs, Martin <
> [email protected]> wrote:
>
> Hi!
>
> I have a few clients (mobile phones) that connect via corporate data
> access (IPSec tunnel from the provider to our pfSense cluster) to the
> internet.
>
> We have squid here in transparent mode and it seems as if the connected
> clients cannot access http through squid.
>
> I have already added the remote subnet to the allowed subnets in squid.
>
> There is no IPSec interface I can choose from, because it’s not physical,
> but is it possible for ipsec or openvpn clients to browse the web through
> squid?
>
> Does anyone have it working?
>
> Regards,
>
> martin
>
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>
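
The packet path described in the reply at the top of this thread, as a simplified model (an added example, not part of the original thread and not pfSense's actual rule engine). The interface names, sample addresses, squid port, and the single redirect rule bound to the inside interface are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP (constructed sample value)
    dst_port: int   # destination TCP port
    ingress: str    # interface on which the cleartext packet is seen

# Assumption: the transparent-proxy redirect is bound to the inside interface only.
REDIRECT_RULES = [{"on": "inside", "dst_port": 80, "to": "squid:3128"}]
DEFAULT_ROUTE_IF = "outside"  # Internet traffic matches the default route

def path(pkt: Packet) -> tuple[str, str]:
    """Return (handler, egress interface) for an Internet-bound packet.

    A redirect rule is matched on ingress interface and destination port;
    the source address plays no part in the match.
    """
    for rule in REDIRECT_RULES:
        if rule["on"] == pkt.ingress and rule["dst_port"] == pkt.dst_port:
            return rule["to"], DEFAULT_ROUTE_IF
    return "routed", DEFAULT_ROUTE_IF

def demo() -> dict[str, tuple[str, str]]:
    # Constructed sample packets, all HTTP requests to an Internet host.
    return {
        # LAN client: arrives on inside, so the redirect rule applies.
        "lan_client": path(Packet("192.168.1.50", 80, "inside")),
        # VPN client: decrypted on outside, routed straight back out.
        "vpn_client": path(Packet("10.99.0.7", 80, "outside")),
        # VPN client given an inside-network address: still arrives on outside.
        "vpn_client_inside_ip": path(Packet("192.168.1.200", 80, "outside")),
    }

if __name__ == "__main__":
    for name, (handler, egress) in demo().items():
        print(f"{name:22s} handler={handler:12s} egress={egress}")
```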