I have a FreeBSD transparent proxy working on the local LAN, where the workstation's NIC has its gateway set to the proxy server's internal IP address. Everything works fine.

The problem is that when I move my workstation from the local LAN where the proxy server resides onto the 10.4.0.0 network, which is across a WAN link, the transparent proxy stops working. It appears no web traffic is getting to the proxy, and I'm not able to get to any web site. I am able to ping the proxy server, and use the proxy if I utilize a PAC file and drop the IPFW rules.

I should also note that I have a transparent proxy running under Debian using iptables, across the WAN link, but want to move to FreeBSD. So I feel my routers are set up correctly.

I suspect the problem is with my IPFW rules or NAT configuration but I'm not sure.

FreeBSD 6.1
Kernel was recompiled with:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

RC.CONF contains
gateway_enable="YES"
ifconfig_xl0="inet x.x.x.x netmask 255.255.255.0"
ifconfig_xl1="inet x.x.x.x netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl1"
natd_flags=""

CISCO router has the following configured

access-list 199 permit tcp 10.4.0.0 0.0.255.255 any eq www
access-list 199 deny   ip any any

route-map redirect-proxy permit 10
match ip address 199
set ip next-hop <proxy server internal ip>

My IPFW rules:
ipfw -q flush
ipfw add divert natd all from not me to any via <outside interface>
ipfw add fwd 127.0.0.1:8000 tcp from any to any 80

squid compiled with
SQUID_CONFIGURE_ARGS+=--enable-pf-transparent

SQUID.CONF
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
header_access Via deny all
header_access X-Forwarded-For deny all


Thank you for taking the time to look. Any advice or troubleshooting tips are welcome.


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
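
One way to check whether port 80 traffic from the 10.4.0.0 network actually reaches the `fwd` rule is to compare `ipfw -a list` counters taken before and after a page load from that workstation. This is an added example, not part of the original post; the snapshot contents and counter values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Compare two saved `ipfw -a list` snapshots and show per-rule packet deltas.
# Snapshot line format: <rule number> <packets> <bytes> <rule body>

# Constructed snapshots (counter values invented for illustration).
snapshot_before() {
cat <<'EOF'
00100  5120  3412044 divert 8668 ip from not me to any via xl1
00200    40    21840 fwd 127.0.0.1,8000 tcp from any to any dst-port 80
65535 90211 71200345 allow ip from any to any
EOF
}
snapshot_after() {
cat <<'EOF'
00100  5120  3412044 divert 8668 ip from not me to any via xl1
00200    40    21840 fwd 127.0.0.1,8000 tcp from any to any dst-port 80
65535 90230 71202100 allow ip from any to any
EOF
}

# rule_deltas BEFORE_FILE AFTER_FILE
# Prints "<rule> <action> <packets gained>" for each rule in AFTER_FILE.
rule_deltas() {
    awk 'NR == FNR { before[$1] = $2; next }
         { print $1, $4, $2 - before[$1] }' "$1" "$2"
}

# fwd_matched BEFORE_FILE AFTER_FILE
# Exit status 0 if any fwd rule gained packets between the snapshots, else 1.
fwd_matched() {
    rule_deltas "$1" "$2" |
        awk '$2 == "fwd" && $3 > 0 { hit = 1 } END { exit !hit }'
}

# Demo on the constructed snapshots. On a live host, save the snapshots with
# `ipfw -a list > before`, load a page from the WAN workstation, then
# `ipfw -a list > after`.
tmp=$(mktemp -d)
snapshot_before > "$tmp/before"
snapshot_after > "$tmp/after"
rule_deltas "$tmp/before" "$tmp/after"
if fwd_matched "$tmp/before" "$tmp/after"; then
    echo "fwd rule matched new packets"
else
    echo "fwd rule matched nothing: port 80 traffic did not reach this rule"
fi
rm -rf "$tmp"
```

A `fwd` delta of zero while the default rule keeps counting means the HTTP packets are either not arriving at this host or are being matched by an earlier rule.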
