Route traffic on a gateway through SSH tunnel

Steve Bertrand steve at ibctech.ca
Sat Apr 18 22:10:06 UTC 2009


From what I believe, I'm attempting to do something that has most likely
been achieved before, but there is something that I'm missing. This is
for my personal home setup.

I've built a flash-based CPE, which connects to our DSL network with
mpd5. I've enabled NAT, and am using IPFW as the packet filter.

I have a Squid proxy/content filter at my office, and I would like to
route all 80/443 traffic from my home connection through the proxy. The
proxy and the termination point of my home connection are located in two
different PoPs, within different ASs.

My desire is to have this proxy-routing enabled within the network
hardware, so as not to need to set application layer details on the PC(s)
at home.

At this point, I have the FBSD (7.2) gateway device set up with an SSH
tunnel. The local tunnel endpoint terminates on a LAN interface which
utilizes 1918 space. It listens for traffic on 172.16.250.1:80, and
forwards it to the proxyIP:8080. When I configure a workstation's
Firefox to use 172.16.250.1:80 as a proxy, everything works as expected.

Now, I need to figure out a way so that the same setup will work, but
with no proxy configured within Firefox.

At this time, I'm recompiling the kernel on the gateway device to
include IPFIREWALL_FORWARD. I'm going to try a fwd rule to pass all
traffic destined to *:80 to 172.16.250.1:80, in hopes that the traffic
will be first redirected to itself, and therefore through the SSH tunnel
to the proxy.

My past experience with this however, is that FBSD will complain that
the dst IP doesn't reside on the box.

Does anyone have any suggestions or comments they can share regarding
such a setup?

Steve
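The gateway setup described in the post, written out as an added example (not the poster's own configuration): an ssh -L listener on 172.16.250.1:80 feeding the remote proxy's port 8080, plus the ipfw fwd rule that redirects only LAN-originated port-80 traffic into it. The LAN interface, LAN range, ssh user and proxy host are assumptions; note that a fwd rule delivers plain (non-proxy-format) HTTP requests to the proxy, so the proxy end must accept intercepted traffic, and port 443 is not covered by this rule.

```shell
#!/bin/sh
# Added example, not from the original post: redirect LAN port-80 traffic on a
# FreeBSD/ipfw gateway into a local "ssh -L" listener that feeds a remote proxy.
# Interface, LAN range, ssh user and proxy host are assumptions; the
# 172.16.250.1:80 listener and proxy port 8080 come from the post.
set -u

LAN_IF="${LAN_IF:-em1}"                 # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # home LAN, RFC 1918 space (assumed)
TUN_ADDR="${TUN_ADDR:-172.16.250.1}"    # local tunnel endpoint (from the post)
TUN_PORT="${TUN_PORT:-80}"
PROXY_HOST="${PROXY_HOST:-proxy.example.invalid}"   # placeholder, not a real host
PROXY_PORT="${PROXY_PORT:-8080}"
SSH_USER="${SSH_USER:-tunnel}"          # unprivileged account on the proxy box (assumed)

# The ssh command that creates the local listener.  ExitOnForwardFailure makes
# ssh fail loudly if port 80 cannot be bound, instead of silently leaving the
# fwd rule pointing at a closed port.
build_ssh_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s:%s %s@%s\n' \
        "$TUN_ADDR" "$TUN_PORT" "$PROXY_HOST" "$PROXY_PORT" "$SSH_USER" "$PROXY_HOST"
}

# The ipfw rule, emitted as text so it can be reviewed before being applied.
# "in via $LAN_IF" plus the source-net match means only packets arriving from
# the LAN are redirected, so connections the gateway itself originates
# (including the tunnel's own ssh session) are never caught.  Excluding
# $TUN_ADDR as destination keeps traffic already aimed at the listener from
# matching again.
build_fwd_rules() {
    cat <<EOF
add 1000 fwd $TUN_ADDR,$TUN_PORT tcp from $LAN_NET to not $TUN_ADDR 80 in via $LAN_IF
EOF
}

# Apply: bring the tunnel up first, then install the rule, so the redirect never
# points at a port nothing is listening on.  Requires root and, on FreeBSD 7.x,
# a kernel built with IPFIREWALL_FORWARD as described in the post.
apply() {
    eval "$(build_ssh_cmd)"
    build_fwd_rules | while read -r rule; do ipfw $rule; done
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run as `sh gateway-fwd.sh apply` on the gateway; without the argument it only defines the functions, so the rule text can be inspected with `build_fwd_rules` first.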

