Maybe this screen shot will help: http://www.pfsense.com/screens/redirect_lan_to_another_mail_server.PNG

Scott

On 10/26/05, Kyle Mott <[EMAIL PROTECTED]> wrote:
> Is there a way to set this up in pfSense though? I'm a bit confused as to
> what my rules need to be (my first thought is LAN Subnet 80/TCP => DMZ
> Host:6060 via port forward). Is that correct?
>
> -Kyle
>
> Gary Buckmaster wrote:
> I think the confusion here stems from where squid lives on the network. If
> you run squid on your firewall, then a simple redirect rule can be used to
> redirect LAN->WAN http traffic up to the port squid is listening on. If,
> however, you are running squid on a separate machine somewhere on your
> network (I believe the OP is running his squid box in the DMZ) then you can
> (and should) have your firewall do the work of redirecting traffic to the
> squid box. Squid, in this scenario, acts as a second gateway for the
> network but only for squid-relevant traffic. I hope this clarifies things.
>
> -Gary
>
> -----Original Message-----
> From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 26, 2005 9:24 AM
> To: [email protected]
> Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?
>
> Hi!
> Gary, maybe I do not understand perfectly your point of view, because
> I used Squid mainly under Linux.
> I understand we are speaking about using Squid as lan->wan web cache;
> the only thing I cannot understand is why, in your opinion, transproxy
> could not work simply by redirecting web traffic (instead of using
> route-to). In linux this is the only possible way of doing this (at
> least, without using iproute and tc), so I always configured my squid
> as transproxy, and used the iptables redirection.
> Anyway, I understand you are speaking about a totally different way of
> doing it (and in my opinion, both ways can work), so I am very
> happy to learn something new!
>
> On 10/26/05, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
>
> Because of the way squid works, a squid box should be treated as a second
> gateway, in this case for http-based traffic only. As a result, using a
> route-to (or in Cisco parlance, policy-based route) is the solution. To
> avoid confusion, this is for outbound (LAN->WAN) traffic for the purposes of
> web caching and content filtering. There are perfectly valid reasons for
> using squid as an http accelerator sitting in front of web servers, which
> may have been what confused Tommaso.
>
> -Gary
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 26, 2005 8:48 AM
> To: [email protected]
> Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?
>
> On 10/26/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
>
> Maybe I did not understand well, but redirecting http traffic to a host
> located in DMZ is not a policy-based routing... In my opinion it is a
> simple redirect for 80/tcp to a particular host. Obviously, here the
> host is in DMZ.
> Sorry if I understood wrong..
>
> Depends on if you use port forwarding (rdr) to achieve the goal or
> treat the squid box as another gateway and use 'route-to' for port 80
> traffic. I suspect the latter is what Gary was talking about and is
> an interesting concept.
>
> --Bill
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
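
The two approaches discussed in this thread (a port forward with `rdr`, and treating the squid box as a second gateway with `route-to`), written out as raw pf.conf rules. This is an added example, not part of the original messages and not rules generated by pfSense; the interface names and addresses are constructed assumptions, and port 6060 is the squid port from Kyle's message.

```pf
# Constructed values (assumptions, not from the thread)
lan_if  = "em1"              # LAN interface
dmz_if  = "em2"              # DMZ interface
lan_net = "192.168.1.0/24"   # LAN subnet
squid   = "192.168.2.10"     # squid host in the DMZ
squid_port = "6060"          # squid listening port (from Kyle's message)

# Use ONE of the two options below.

# --- Option A: port forward (rdr) ---------------------------------
# The firewall rewrites the destination of LAN web traffic to the
# squid host and port. Squid no longer sees the original destination
# address and must rely on the HTTP Host header.
rdr on $lan_if inet proto tcp from $lan_net to any port 80 \
    -> $squid port $squid_port

# The translated connection still needs a filter rule, scoped to the
# single DMZ host and port rather than to the whole DMZ.
pass in quick on $lan_if inet proto tcp \
    from $lan_net to $squid port $squid_port keep state

# --- Option B: squid box as second gateway (route-to) -------------
# The packet is left unmodified and handed to the squid host as the
# next hop, for port 80 only. The squid box must then intercept
# port 80 locally (for example with the iptables redirection
# Tommaso describes).
pass in quick on $lan_if route-to ($dmz_if $squid) inet proto tcp \
    from $lan_net to any port 80 keep state

# Both rules match only traffic entering on the LAN interface, so
# squid's own outbound requests from the DMZ are not looped back.
```

In both cases only LAN traffic to 80/TCP is sent towards the DMZ host; any other LAN-to-DMZ access still needs its own explicit rule.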
