Need help with getting transparent proxy working across WAN

curard bandage cbandage at msn.com
Mon Jul 17 12:48:22 UTC 2006


I have a FreeBSD transparent proxy working on the local LAN, where the
workstation's NIC has its gateway set to the proxy server's internal IP address.
Everything works fine.

The problem is when I move my workstation from the local LAN where the proxy
server resides onto the 10.4.0.0 network, which is across a WAN link: the
transparent proxy stops working. It appears no web traffic is getting to the
proxy, and I'm not able to get to any web site. I am able to ping the proxy
server, and I can use the proxy if I utilize a PAC file and drop the IPFW rules.

I should also note that I have a transparent proxy running under Debian using
iptables, across the WAN link, but want to move to FreeBSD. So I feel my
routers are set up correctly.

I suspect the problem is with my IPFW rules or NAT configuration but I'm not 
sure.

FreeBSD 6.1
Kernel was recompiled with:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

RC.CONF contains
gateway_enable="YES"
ifconfig_xl0="inet x.x.x.x netmask 255.255.255.0"
ifconfig_xl1="inet x.x.x.x netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl1"
natd_flags=""

CISCO router has the following configured

access-list 199 permit tcp 10.4.0.0 0.0.255.255 any eq www
access-list 199 deny   ip any any

route-map redirect-proxy permit 10
match ip address 199
set ip next-hop <proxy server internal ip>

My IPFW rules:
ipfw -q flush
ipfw add divert natd all from not me to any via <outside interface>
ipfw add fwd 127.0.0.1:8000 tcp from any to any 80

Squid compiled with
SQUID_CONFIGURE_ARGS+="--enable-pf-transparent"

SQUID.CONF
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
header_access Via deny all
header_access X-Forwarded-For deny all


Thank you for taking the time to look. Any advice or troubleshooting tips 
are welcome.
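As an added illustration (not part of the original post, and not a claimed fix for the WAN problem), the following Python model shows how the qualifiers available on an ipfw `fwd` rule (`from not me`, `in`, `via <iface>`) change which packets get redirected to the local proxy port. The rule as posted, `tcp from any to any 80` with no direction or interface, matches both directions on every interface, so it also matches the proxy host's own outbound port-80 connections (Squid's fetches); the restricted form matches only client traffic arriving on the inside interface. The interface names, the set of "me" addresses and the sample packets are constructed for the example; `xl0` as the inside interface is an assumption.

```python
"""Minimal model of how ipfw matches a 'fwd' rule against a packet.

Added illustration only; it models just the qualifiers used on the page
('from not me', 'in', 'via <iface>') to show which traffic each form of the
redirect rule would hand to the local proxy port.
"""
from dataclasses import dataclass
from typing import List, Optional

# Addresses the proxy host considers 'me' in ipfw terms. Constructed values.
ME = {"192.168.1.1", "203.0.113.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet is seen on, e.g. "xl0"
    direction: str   # "in" (arriving on iface) or "out" (leaving via iface)


@dataclass(frozen=True)
class FwdRule:
    """'fwd <target> tcp from <src> to any <dport> [in|out] [via <iface>]'."""
    target: str
    dport: int
    not_me: bool = False              # 'from not me'
    direction: Optional[str] = None   # 'in' or 'out'; None matches both
    via: Optional[str] = None         # 'via xl0'; None matches any interface

    def matches(self, pkt: Packet) -> bool:
        if pkt.dport != self.dport:
            return False
        if self.not_me and pkt.src in ME:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.via is not None and pkt.iface != self.via:
            return False
        return True


# Rule as written in the post: no direction, no interface, no 'not me'.
ORIGINAL_RULE = FwdRule(target="127.0.0.1:8000", dport=80)

# Same redirect, restricted to client traffic arriving on the inside interface.
# 'xl0' as the inside interface is an assumption for this illustration.
RESTRICTED_RULE = FwdRule(target="127.0.0.1:8000", dport=80,
                          not_me=True, direction="in", via="xl0")

# Constructed sample traffic.
# A client on the remote 10.4.0.0 network, policy-routed by the Cisco to the
# proxy's inside address, arrives inbound on xl0 with the web server as dst.
CLIENT_REQUEST = Packet(src="10.4.1.20", dst="198.51.100.5", dport=80,
                        iface="xl0", direction="in")
# Squid's own fetch of that page leaves the proxy host outbound on xl1.
PROXY_FETCH = Packet(src="203.0.113.10", dst="198.51.100.5", dport=80,
                     iface="xl1", direction="out")


def redirected(rule: FwdRule, pkts: List[Packet]) -> List[Packet]:
    """Return the packets the rule would hand to the local proxy port."""
    return [p for p in pkts if rule.matches(p)]


def redirects_own_fetches(rule: FwdRule) -> bool:
    """True when the rule also catches the proxy host's own outbound port-80
    connections, i.e. Squid's fetches would be fed back to the redirect."""
    return rule.matches(PROXY_FETCH)


if __name__ == "__main__":
    traffic = [CLIENT_REQUEST, PROXY_FETCH]
    for name, rule in (("original", ORIGINAL_RULE),
                       ("restricted", RESTRICTED_RULE)):
        hits = redirected(rule, traffic)
        print(f"{name:10s} redirects {[p.src for p in hits]}; "
              f"catches proxy's own fetches: {redirects_own_fetches(rule)}")
```

Running the script shows the original rule matching both the client request and the proxy's own fetch, while the restricted rule matches only the client request. The model is deliberately limited to the qualifiers in the posted ruleset; it does not model natd, rule ordering, or the return path to the 10.4.0.0 network.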

