# Gateway and Transparent Proxy in separated machines



## welkson (Jun 18, 2010)

Hello,


When you configure the transparent *proxy and gateway on the SAME machine*, it works (it shows the correct IP in access.log). On *SEPARATE MACHINES* it shows the gateway IP in the Squid log.

Gateway: *192.168.0.254* (FreeBSD 8 AMD64)
Proxy Server: *192.168.0.250* (FreeBSD 8 AMD64)
User: *192.168.0.200* (Windows XP)
Squid Version: *3.1.4* (compiled with pf-transparent) - Also tested with 2.6 and 2.6

Details:

Redirect www port to proxy server on  *GATEWAY (192.168.0.254)*:


```
nat on $int_if from ! 192.168.0.250 to 192.168.0.250 port { 80, 8080 } -> $int_if
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
pass all # lab test
```

Rules on *PROXY SERVER (192.168.0.250)*

```
pass all # lab test
```

squid.conf on *PROXY SERVER (192.168.0.250)*

```
http_port 8080 transparent
...
always_direct allow all
...
forwarded_for on  # tested
```

Checking service:

```
[root@services:/] # sockstat -4 | grep 8080
squid    squid      1900  11 tcp4   *:8080                *:*
```

Testing the transparent proxy from the user's machine (Windows XP / 192.168.0.200) works normally, but the Squid log *shows the gateway IP* (192.168.0.254; the correct one is *192.168.0.200*).


```
[root@services:/] # tail -f /usr/local/squid/logs/access.log
192.168.0.254 - - [17/Jun/2010:11:53:48 -0300] "GET http://comentarios.uol.com.br/ws/v1/message/retrieve/subject/104?callback=callbackColetarComentarios&product=esporte&limit=50 HTTP/1.1" 0 0 TCP_MISS:DIRECT
```

What is the problem? Does the NAT change the SOURCE IP? If I disable the NAT, it does not work.

Sorry for my poor English =)

Regards :)

Welkson Renny 
Sysadmin


----------



## dbi (Jun 19, 2010)

You don't need the nat rule. You need the rdr rule only. Try the following two rules, they work for me:


```
rdr on $int_if inet proto tcp from ! $proxy \
       port 80 tag HTTP_PROXY -> $proxy port $proxy_port
```

and later on:

```
pass on $int_if modulate state tagged HTTP_PROXY
```


----------



## welkson (Jun 21, 2010)

Hi DBI!

I changed the configuration and tested... but it only works with NAT active (showing the wrong IP).

On *GATEWAY (192.168.0.254)*:


```
rdr on $int_if inet proto tcp from ! 192.168.0.250 to any port 80 tag HTTP_PROXY \
    -> 192.168.0.250 port 8080

pass quick log on $int_if modulate state tagged HTTP_PROXY
```

Doesn't work!

Test with NAT:

```
nat on $int_if from ! 192.168.0.250 to any port { 80, 8080 } -> $int_if
```

Works! But the IP is wrong in access.log (the gateway's IP).

Any other tips?

Regards,

Welkson Renny


----------



## aragon (Jun 21, 2010)

Been a while, but I think on the gateway you need to disable NAT on the internal interface, enable it on the external interface, and then use route-to to send www traffic to the proxy machine.  On the proxy machine you use rdr to send www traffic to port 8080.

Something like:


```
nat on $ext_if from $int_if:network to any -> $ext_if
pass all
# route-to must precede the protocol/host part of the rule, takes the
# (interface address) form, and "port" needs "proto tcp"
pass in on $int_if route-to ($int_if 192.168.0.250) inet proto tcp from ! 192.168.0.250/32 to any port 80
```

And on the proxy:


```
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
```


----------



## dbi (Jun 22, 2010)

Hi, welkson

nat means "change the src ip address to this one"
rdr means "change the dst ip address to this one"
Obviously you can't preserve the original source address when using nat.
When you use rdr with clients and proxy connected to the same NIC you should force the GW not to send icmp redirects.
Please try the rules I wrote before again, with the following addition:

```
echo net.inet.ip.redirect=0 >> /etc/sysctl.conf
sed 's/#.*//g ; /^$/d' /etc/sysctl.conf | xargs -n1 sysctl
```


----------



## welkson (Jun 22, 2010)

Hello friends!


On *Gateway/Firewall (192.168.0.254)*:

```
# sysctl -a | grep ip.redirect
net.inet.ip.redirect: 0
```

pf.conf on gateway (192.168.0.254):

```
pass in quick on $int_if route-to ($int_if 192.168.0.250) proto tcp from ! 192.168.0.250 to any port 80
```




On *Proxy Server (192.168.0.250)*:

```
# sysctl -a | grep ip.redirect
net.inet.ip.redirect: 0
```

pf.conf (Proxy Server 192.168.0.250):


```
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
```


```
# tail -f /usr/local/squid/logs/access.log
192.168.0.200 - - [22/Jun/2010:07:10:29 -0300] "GET http://www.google-analytics.com/urchin.js HTTP/1.1" 200 7318 TCP_HIT:NONE
```


Thank you very much! It works now!

Regards,

Welkson Renny 
SysAdmin
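As an added example (not code from the thread), here is a small sh/awk audit that reads Squid native-format access.log lines and counts how many carry the gateway address in the client field, which is the symptom reported at the start of this thread when source NAT sat in front of the proxy. The gateway address is the thread's 192.168.0.254; the three log lines are constructed from the entries quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a Squid native-format
# access.log for lost client attribution. If the client field (first
# column) equals the gateway address, source NAT rewrote the client IP
# before the request reached the proxy.

GATEWAY_IP="192.168.0.254"   # gateway address from the thread

# Constructed sample: two entries from the broken NAT setup (gateway IP
# logged) and one from the working route-to setup (real client logged).
SAMPLE_LOG='192.168.0.254 - - [17/Jun/2010:11:53:48 -0300] "GET http://example.invalid/a HTTP/1.1" 0 0 TCP_MISS:DIRECT
192.168.0.200 - - [22/Jun/2010:07:10:29 -0300] "GET http://www.google-analytics.com/urchin.js HTTP/1.1" 200 7318 TCP_HIT:NONE
192.168.0.254 - - [22/Jun/2010:07:10:31 -0300] "GET http://example.invalid/b HTTP/1.1" 304 0 TCP_MISS:DIRECT'

# count_masked GATEWAY  (log on stdin) -> prints "<masked> <total>"
# Only lines whose first field looks like an IPv4 address are counted.
count_masked() {
    awk -v gw="$1" '
        $1 ~ /^[0-9.]+$/ { total++; if ($1 == gw) masked++ }
        END { printf "%d %d\n", masked + 0, total + 0 }'
}

# attribution_verdict GATEWAY  (log on stdin) -> "ok" or "masked:<n>/<total>"
attribution_verdict() {
    gw="$1"
    counts=$(count_masked "$gw")
    masked=${counts%% *}
    total=${counts##* }
    if [ "$masked" -eq 0 ]; then
        echo "ok"
    else
        echo "masked:$masked/$total"
    fi
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | attribution_verdict "$GATEWAY_IP"
```

On a real proxy, feed the live log instead: `attribution_verdict 192.168.0.254 < /usr/local/squid/logs/access.log`.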


----------

