Re: Squid on LAN
I've tried the rdrnat without results and I can't put it in another vlan; I'm trying this at home. Other issue?

Thanks in advance

On 09/05/2011 19:06, Stuart Henderson wrote:
> If possible, put the proxy server on a different vlan. If you can't, try the method in http://www.openbsd.org/faq/pf/rdr.html#rdrnat
>
> It works, but your proxy logs will then only show the firewall's address rather than the original client addresses.
>
> On 2011-05-09, Alessandro Baggi alessandro.ba...@gmail.com wrote:
>> Hi list. I've a question about positioning a proxy server into the LAN. I've tried this in dmz (also in transparent mode + rdr pf), and it works great, but now I'm trying to put this proxy in LAN. Also in this case it works, but when I try to set it in transparent mode, and put rdr rules on the firewall (OpenBSD 4.8):
>>
>>     match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128
>>
>> it does not work, and the request seems not to be redirected to the proxy. I've read this: http://www.openbsd.org/faq/pf/rdr.html
>>
>> I'm trying to get a solution only with pf rules, without results. Could someone point me in the right direction?
>>
>> Thanks in advance
Squid on LAN
Hi list. I've a question about positioning a proxy server into the LAN. I've tried this in dmz (also in transparent mode + rdr pf), and it works great, but now I'm trying to put this proxy in LAN. Also in this case it works, but when I try to set it in transparent mode, and put rdr rules on the firewall (OpenBSD 4.8):

    match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128

it does not work, and the request seems not to be redirected to the proxy. I've read this: http://www.openbsd.org/faq/pf/rdr.html

I'm trying to get a solution only with pf rules, without results. Could someone point me in the right direction?

Thanks in advance
Re: Squid on LAN
If possible, put the proxy server on a different vlan. If you can't, try the method in http://www.openbsd.org/faq/pf/rdr.html#rdrnat

It works, but your proxy logs will then only show the firewall's address rather than the original client addresses.

On 2011-05-09, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> Hi list. I've a question about positioning a proxy server into the LAN. I've tried this in dmz (also in transparent mode + rdr pf), and it works great, but now I'm trying to put this proxy in LAN. Also in this case it works, but when I try to set it in transparent mode, and put rdr rules on the firewall (OpenBSD 4.8):
>
>     match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128
>
> it does not work, and the request seems not to be redirected to the proxy. I've read this: http://www.openbsd.org/faq/pf/rdr.html
>
> I'm trying to get a solution only with pf rules, without results. Could someone point me in the right direction?
>
> Thanks in advance
Re: Squid on LAN
On 2011/05/09 16:31, R0me0 *** wrote:
> You can also try this:
>
>     pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
>     pass out on $dmz proto tcp to $ip_of_squid port www

This won't work for machines on the same subnet as the proxy. In that case the return traffic (proxy-client) will bypass the firewall so PF only sees half of the packets so state tracking will break things. (It might initially appear to work but try a larger download and watch for the connection breaking).
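
Added example (not written by any poster in this thread, and not copied from the FAQ): a pf.conf sketch of the redirect-plus-NAT approach for a proxy that sits on the same subnet as its clients, in the OpenBSD 4.7+ syntax used above. The interface name and proxy address are constructed placeholders, and the `! $proxy` exclusion and the pass rules are assumptions about the rest of the ruleset.

```pf
# Constructed values for illustration only.
int   = "em1"            # firewall's LAN interface (assumed name)
proxy = "192.168.1.10"   # Squid host on the same subnet as the clients (assumed)

# 1. Redirect LAN web traffic to Squid. The proxy's own outbound requests
#    arrive on the same interface, so they are excluded; otherwise they
#    would be redirected back to the proxy itself.
match in on $int inet proto tcp from ! $proxy to any port 80 \
        rdr-to $proxy port 3128

# 2. When the redirected packet leaves again on the LAN interface, rewrite
#    its source to the firewall's own LAN address. Squid then replies to
#    the firewall instead of directly to the client, so PF sees both
#    directions of the connection and state tracking keeps working.
match out on $int inet proto tcp from $int:network to $proxy port 3128 \
        nat-to ($int)

# 3. match rules only translate; the traffic still has to be passed.
#    After rdr-to, later rules see the translated destination.
pass in  on $int inet proto tcp from $int:network to $proxy port 3128
pass out on $int inet proto tcp to $proxy port 3128

# Trade-off noted in the thread: because of step 2, Squid's access log
# records the firewall's address for every request, not the client's.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -ss` lists the resulting states so both halves of a proxied connection can be checked on the firewall.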
Re: Squid on LAN
You can also try this:

    pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
    pass out on $dmz proto tcp to $ip_of_squid port www

Cheers

2011/5/9 Stuart Henderson s...@spacehopper.org
> If possible, put the proxy server on a different vlan. If you can't, try the method in http://www.openbsd.org/faq/pf/rdr.html#rdrnat
>
> It works, but your proxy logs will then only show the firewall's address rather than the original client addresses.
>
> On 2011-05-09, Alessandro Baggi alessandro.ba...@gmail.com wrote:
>> Hi list. I've a question about positioning a proxy server into the LAN. I've tried this in dmz (also in transparent mode + rdr pf), and it works great, but now I'm trying to put this proxy in LAN. Also in this case it works, but when I try to set it in transparent mode, and put rdr rules on the firewall (OpenBSD 4.8):
>>
>>     match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128
>>
>> it does not work, and the request seems not to be redirected to the proxy. I've read this: http://www.openbsd.org/faq/pf/rdr.html
>>
>> I'm trying to get a solution only with pf rules, without results. Could someone point me in the right direction?
>>
>> Thanks in advance
Re: Squid on LAN
Yes, you are right, I put DMZ because of this :)

2011/5/9 Stuart Henderson s...@spacehopper.org
> On 2011/05/09 16:31, R0me0 *** wrote:
>> You can also try this:
>>
>>     pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
>>     pass out on $dmz proto tcp to $ip_of_squid port www
>
> This won't work for machines on the same subnet as the proxy. In that case the return traffic (proxy-client) will bypass the firewall so PF only sees half of the packets so state tracking will break things. (It might initially appear to work but try a larger download and watch for the connection breaking).