# Bridge FreeBSD, PF and transparent squid



## ozanus (Jan 25, 2010)

Hello,
I want to run Squid transparently on a bridged FreeBSD system.
My network schema and my Squid and PF configuration:

http://www.cehturkiye.com/bridge_pf_and_transparent_squid-_eng.jpg

It's passing through bridged-mode PF, while Squid logs TCP_DENIED but doesn't block the web site.
or
Using Chrome > Proxy settings for Squid > 192.168.5.11 80
Squid logs TCP_DENIED and blocks the web site! Why?

I tried PF rules and having Squid listen on other interfaces (vr0, fxp0, bridge0), but the results did not change :\

How can I solve my problem?
Can you suggest any document?
Thank you.


----------



## DutchDaemon (Jan 25, 2010)

The whole point about a *transparent* proxy is that you *don't* point your web browser to it. It doesn't even need to be on an IP address, just run it on localhost and redirect HTTP traffic to it on the LAN interface (with a route-to statement, or it won't work on a bridge). 

There are dozens of Transparent Squid + PF manuals, with or without bridges. Just Google.

Just some simple pointers (_I am not going to configure your machine for you!_)

squid.conf


```
# listen only on localhost; 'transparent' tells Squid the requests are intercepted, not proxy-form
http_port 127.0.0.1:3128 transparent
[..]
acl our_networks src 10.10.0.0/255.255.255.0   # whatever your $lan is
```

pf.conf


```
# redirect LAN web traffic arriving on the inside interface to the local Squid
rdr on $int_if inet proto tcp from $lan to any port { 80 443 } -> 127.0.0.1 port 3128
# route-to lo0 is what makes the redirected packets reach Squid when $int_if is a bridge member
pass in quick on $int_if route-to lo0 inet proto tcp from $lan to 127.0.0.1 port 3128 keep state
```

So long as you allow outbound traffic and have a default gateway, this will work. Don't use a proxy setting in your web browser, or you might as well just use the much less complicated non-transparent setup.

Good luck.
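The three things this thread turns on (Squid listening with `transparent`, the `rdr` port matching `http_port`, and a `route-to` pass rule on a bridge, plus a src ACL that covers the LAN so clients don't get TCP_DENIED) can be cross-checked before reloading. Added example, not code from the thread or from FreeBSD/Squid: a small Python linter over constructed, hypothetical squid.conf and pf.conf fragments that follow DutchDaemon's layout.

```python
import ipaddress
import re
# Constructed sample configs (hypothetical, not from the thread) in the shape DutchDaemon describes.
SQUID_CONF = """\
http_port 127.0.0.1:3128 transparent
acl our_networks src 10.10.0.0/255.255.255.0
http_access allow our_networks
http_access deny all
"""
PF_CONF = """\
int_if = "vr0"
lan = "10.10.0.0/24"
rdr on $int_if inet proto tcp from $lan to any port { 80 443 } -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from $lan to 127.0.0.1 port 3128 keep state
"""

def squid_ports(conf):
    """[(ip, port, intercepting)] per http_port line; 'transparent' is the old spelling of 'intercept'."""
    return [(m.group(1) or "0.0.0.0", int(m.group(2)), bool(re.search(r"\b(transparent|intercept)\b", m.group(3))))
            for m in re.finditer(r"^http_port\s+(?:(\S+):)?(\d+)(.*)$", conf, re.M)]

def squid_allowed_src(conf):
    """Networks of src ACLs that an 'http_access allow' line names."""
    acls = {n: ipaddress.ip_network(net) for n, net in re.findall(r"^acl\s+(\w+)\s+src\s+(\S+)", conf, re.M)}
    return [acls[n] for n in re.findall(r"^http_access\s+allow\s+(\w+)", conf, re.M) if n in acls]

def pf_rdr_targets(conf):
    """(lan_network, [(target_ip, target_port, has_route_to_pass_rule)]) after macro expansion."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    rules = [re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), l) for l in conf.splitlines()]
    targets = []
    for ip, port in re.findall(r"^rdr\b.*->\s*(\S+)\s+port\s+(\d+)", "\n".join(rules), re.M):
        # a matching 'pass in ... route-to' rule to the same target is what a bridge needs
        pat = r"pass\s+in\b.*route-to\s+\S+.*\bto\s+%s\s+port\s+%s\b" % (re.escape(ip), port)
        targets.append((ip, int(port), any(re.match(pat, r) for r in rules)))
    return ipaddress.ip_network(macros.get("lan", "0.0.0.0/0")), targets

def check_transparent_setup(squid_conf, pf_conf):
    """Return a list of problems; an empty list means Squid and PF agree."""
    problems, ports = [], squid_ports(squid_conf)
    lan, targets = pf_rdr_targets(pf_conf)
    if not any(lan.subnet_of(net) for net in squid_allowed_src(squid_conf)):
        problems.append(f"lan {lan} is not covered by an allowed src ACL: clients will see TCP_DENIED")
    for ip, port, routed in targets:
        hit = [p for p in ports if p[1] == port and p[0] in (ip, "0.0.0.0")]
        if hit and not hit[0][2]:
            problems.append(f"http_port {port} lacks 'transparent'/'intercept': redirected requests are not in proxy form")
        if not routed:
            problems.append(f"no 'pass in ... route-to' rule for {ip}:{port}: needed on a bridge")
    return problems
```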


----------



## ozanus (Jan 25, 2010)

Hello Dear DutchDaemon,
I now have a new PF and Squid configuration. Now it is running wonderfully.

My network schema;
Client(5.137) -- pf&squid(5.12)-- modem(5.254)-- internet

I'm now writing a document and will share it on the forum.
Thanks in advance.


----------



## boyd.yang.god (Dec 5, 2016)

How can I make the server see the client IP address, not the proxy IP address?
I use SO_BINDANY for the sockets. But the socket cannot receive the SYN ACK after it connects to the remote server.
It seems the PF rules "divert-to" and "divert-reply" do not work as described.




DutchDaemon said:


> The whole point about a *transparent* proxy is that you *don't* point your web browser to it. It doesn't even need to be on an IP address, just run it on localhost and redirect HTTP traffic to it on the LAN interface (with a route-to statement, or it won't work on a bridge).
> 
> There are dozens of Transparent Squid + PF manuals, with or without bridges. Just Google.
> 
> ...


----------

