 From:  "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Settings For Squid Transparent Proxy
 Date:  Tue, 7 Feb 2006 13:41:28 -0500
Well I haven't gotten it to work but I did get Edward's modified NAT pages to work on 1.21. Here's
what I found out. If anybody wants the modified files let me know.

changes between 1.2b9 and 1.21

-copyright date
-section /* allow access to DHCP server on optional interfaces */
-maybe mistake in Edward's version
 -orig "{$config['diag']['ipv6nat']['ipaddr']} port 0 ipv6\n"
 -changes "{$config['diag']['ipv6nat']['ipaddr']} port 0 `ipv6\n"
 -notice the ' before ipv6, anybody have insight on this

Used Edward's file, changed copyright date, added the 1.21 change for the DHCP optional interface, and
got rid of the ' on the ipv6 change.

-copyright date
-change filter_rules_generate(); to filter_configure();
-not sure why Edward included this function call there; it is not referenced in the changed files

Used 1.21 version and made the filter_configure(); change.

rest of files
-copyright date

Used Edward's versions, changed the copyright dates.


I used Edward's directions below to upload the files to m0n0wall.

1. download the files
2. open http://your-m0n0-addr/exec.php in your browser and upload those files
3. execute the following commands in exec.php
 umount /cf
 mount -rw /cf
 mkdir /cf/patch /cf/patch/etc /cf/patch/etc/inc
 mkdir /cf/patch/usr /cf/patch/usr/local /cf/patch/usr/local/www
 cp /tmp/*php /cf/patch/usr/local/www
 cp /tmp/*inc /cf/patch/etc/inc
 cp /tmp/rc* /cf/patch/etc
 umount /cf
 mount /cf
4. download your current configuration
5. add the following option in the <system></system> section
 <earlyshellcmd>echo Patching files</earlyshellcmd>
 <earlyshellcmd>cp -R /cf/patch/* /</earlyshellcmd>
6. reboot m0n0


From here I added rules for squid server

1. enable the advanced outbound nat
2. add a default outbound nat rule for all lan users
    Interface:                  WAN
    Source:                     A.B.C.0/24
    Destination.Type:           any

3. inbound rules 1:
    Interface:                  LAN
    Source:                     not
    External address:           Any Address
    Protocol:                   TCP
    External port range.from:   80
    NAT IP:
    Local port:                 3128
   outbound rules 1:
    Interface:                  LAN
    Policy NAT.Enable:          yes
    Policy NAT.Protocol:        TCP
    Policy NAT.from:            3128

note, if those servers are in a DMZ area connected to an option
interface, then the outbound rules are not needed and advanced
outbound NAT can be disabled. The "NAT IP" field in the inbound rules
should be changed of course to match that scenario. I prefer the DMZ
setup 'cause it has a few advantages, like the ability to track the
source address of each connection, etc.
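
Steps 1 to 6 above stage Edward's patched files under /cf/patch and have <earlyshellcmd> copy them over / at every boot. As an added example (not code from the thread, from Edward or from m0n0wall), the Python helper below reproduces that staging layout on a scratch directory and adds the check a practitioner wants once a boot-time overlay is in place: a SHA-256 manifest of exactly which files get overwritten, so the live tree can be compared against it after the reboot. The directory names, file names and file contents used in demo() are constructed stand-ins for /tmp, /cf/patch, / and the uploaded files.

```python
"""Stage an m0n0wall file overlay the way the thread's exec.php steps do, and
keep a checksum manifest so the overlay can be checked after reboot.

Added example, not code from the thread or from m0n0wall. The layout follows
the thread's mkdir/cp steps (*.php -> usr/local/www, *.inc -> etc/inc,
rc* -> etc) and the two <earlyshellcmd> entries; the directories are
parameters so the code runs on a scratch directory instead of /cf and /.
"""
import hashlib
import os
import shutil
import tempfile

def dest_subdir(name):
    """Overlay subdirectory for an uploaded file, per the thread's cp lines."""
    if name.endswith(".php"):
        return "usr/local/www"
    if name.endswith(".inc"):
        return "etc/inc"
    if name.startswith("rc"):
        return "etc"
    return None            # anything else is not part of the overlay

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_patch(upload_dir, patch_root):
    """Copy the uploaded files into the overlay tree.

    Returns {path relative to /: sha256}, i.e. what 'cp -R patch_root/* /'
    will overwrite at boot and the digest each file should have afterwards.
    """
    manifest = {}
    for name in sorted(os.listdir(upload_dir)):
        sub = dest_subdir(name)
        if sub is None:
            continue
        target_dir = os.path.join(patch_root, sub)
        os.makedirs(target_dir, exist_ok=True)
        dst = os.path.join(target_dir, name)
        shutil.copy2(os.path.join(upload_dir, name), dst)
        manifest[os.path.join(sub, name)] = sha256_file(dst)
    return manifest

def earlyshellcmd_entries(patch_root="/cf/patch"):
    """The two <system> entries from the thread, ready to paste into config.xml."""
    return [
        "<earlyshellcmd>echo Patching files</earlyshellcmd>",
        f"<earlyshellcmd>cp -R {patch_root}/* /</earlyshellcmd>",
    ]

def verify_overlay(manifest, root):
    """Return the manifest entries whose live copy under root is missing or differs."""
    return [rel for rel, digest in manifest.items()
            if not os.path.isfile(os.path.join(root, rel))
            or sha256_file(os.path.join(root, rel)) != digest]

def demo():
    """Round trip on constructed files in a temporary directory (stands in for
    /tmp, /cf/patch and / on the firewall)."""
    work = tempfile.mkdtemp()
    upload = os.path.join(work, "tmp")
    patch_root = os.path.join(work, "cf", "patch")
    live_root = os.path.join(work, "root")
    os.makedirs(upload)
    samples = {                                  # constructed stand-ins, not real files
        "sample_nat.php": "<?php // constructed sample\n",
        "sample_filter.inc": "<?php // constructed sample\n",
        "rc.sample": "#!/bin/sh\n# constructed sample\n",
        "notes.txt": "not a php/inc/rc file, must be skipped\n",
    }
    for name, body in samples.items():
        with open(os.path.join(upload, name), "w") as f:
            f.write(body)
    manifest = stage_patch(upload, patch_root)
    shutil.copytree(patch_root, live_root)       # same effect as the boot-time cp -R
    clean = verify_overlay(manifest, live_root)
    with open(os.path.join(live_root, "etc", "inc", "sample_filter.inc"), "a") as f:
        f.write("// modified after the overlay\n")
    tampered = verify_overlay(manifest, live_root)
    shutil.rmtree(work)
    return {"staged": sorted(manifest), "clean": clean, "tampered": tampered}

if __name__ == "__main__":
    print(demo())
    print("\n".join(earlyshellcmd_entries()))
```

Keep the manifest outside /cf/patch (for example as /cf/patch.sha256) so the boot-time cp -R does not copy it into /. Because the overlay reapplies on every boot, a mismatch reported by verify_overlay after a reboot means either the earlyshellcmd did not run or something rewrote the file afterwards, both worth looking into.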


From: Neil A. Hillard [mailto:m0n0 at dana dot org dot uk]
Sent: Tue 2/7/2006 1:34 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy


In message
<FDD796C9E501FE449BB1E8CCCD5FB2629727 at win2ksrvr dot Wagoner dot local>, Ryan
Wagoner <Ryan at wgnrs dot dynu dot com> writes
>I'm at the point where I need somebody with good FreeBSD / m0n0wall
>experience to help me out. The rule from below isn't redirecting traffic
>to the squid server correctly. I'm not sure what's wrong with it. I set
>the gateway on my machine to point to the squid server and used iptables
>to route port 80 to 3128 and squid works transparently as it should.
>Setting it back to the m0n0wall gateway with the routing rule and
>nothing happens. I have to set my browser proxy to the squid server in
>order to connect to the m0n0wall GUI. Seems to me m0n0wall is dropping
>the packets but I can't tell where. I even went as far as to set up a
>firewall rule on the LAN page that allows from source * to all
>destinations thinking that might work, nope nothing. Anybody know what's
>going on here??

I don't think you'll actually get it to work!  The reason is that
squid needs to know the original destination; if you just redirect the
packets to the machine running squid then it'll be lost and squid will

This is where something like WCCP comes in as it passes that to squid.

A transparent proxy is ugly and prone to errors, anyway.  My
recommendation would be to redirect all requests for port 80 (except
those from the machine running squid) to a page on one of your servers
that instructs the user how to configure their browser to use the proxy.

If you do get it to work then well done and please post here!



Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
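
As an added example (not code from the thread, from either poster or from m0n0wall), the Python model below walks one HTTP connection through the rules Ryan posted ("inbound rules 1" and "outbound rules 1") and through the DMZ variant from the note in his message, and also makes Neil's point visible: in every variant the packet squid receives is addressed to squid itself, so the original server address is no longer in the IP header and the proxy can only recover it from the HTTP request. The addresses, ports, segment layout and the firewall's simplified rewrite/undo logic are assumptions made for the example, not m0n0wall's ipnat behaviour.

```python
"""Constructed model of the two NAT rules in the thread: the inbound rule on
LAN that sends TCP port 80 to squid:3128, and the outbound policy NAT rule on
LAN for TCP port 3128 that rewrites the source to the firewall's LAN address.

Added example, not code from the thread or from m0n0wall. The addresses are
documentation ranges chosen for the example; the firewall behaviour is the
generic one (rewrite, forward, undo the rewrite on the reply).
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed topology (assumption: documentation addresses, not real hosts).
FW_LAN = "192.0.2.1"            # firewall LAN address
FW_OPT1 = "198.51.100.1"        # firewall OPT1 (DMZ) address
CLIENT = "192.0.2.10"           # browser on LAN
SQUID_LAN = "192.0.2.20"        # squid placed on the LAN segment
SQUID_DMZ = "198.51.100.20"     # squid placed on the OPT1 segment
SERVER = "203.0.113.5"          # web site beyond the WAN
SEGMENTS = {
    "LAN": {FW_LAN, CLIENT, SQUID_LAN},
    "OPT1": {FW_OPT1, SQUID_DMZ},
}
FW_ADDRS = {FW_LAN, FW_OPT1}

def segment_of(ip):
    for name, hosts in SEGMENTS.items():
        if ip in hosts:
            return name
    return "WAN"

class Firewall:
    def __init__(self, squid_ip, policy_nat):
        self.squid_ip = squid_ip
        self.policy_nat = policy_nat
        self.state = {}   # reply 4-tuple as squid will send it -> original packet

    def forward(self, pkt):
        """Packet arriving on LAN: apply inbound rule 1, then policy NAT if enabled."""
        orig = pkt
        if segment_of(pkt.src) == "LAN" and pkt.dport == 80:
            pkt = replace(pkt, dst=self.squid_ip, dport=3128)    # inbound rules 1
            if self.policy_nat and pkt.dport == 3128:            # outbound rules 1
                pkt = replace(pkt, src=FW_LAN)
            self.state[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reverse(self, pkt):
        """Reply coming back through the firewall: restore the original addresses."""
        orig = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def simulate(squid_ip, policy_nat):
    """Follow one SYN from the client to the web server and the SYN-ACK back."""
    fw = Firewall(squid_ip, policy_nat)
    syn = Packet(CLIENT, 40000, SERVER, 80)
    # SERVER is off-segment, so the client hands the SYN to its gateway, the firewall.
    at_squid = fw.forward(syn)
    # Squid answers whoever the packet says sent it.
    reply = Packet(at_squid.dst, at_squid.dport, at_squid.src, at_squid.sport)
    # If that host is on squid's own segment and is not the firewall, the reply is
    # delivered directly and the firewall never sees it, so it cannot undo the NAT.
    direct = reply.dst not in FW_ADDRS and segment_of(reply.dst) == segment_of(squid_ip)
    at_client = reply if direct else fw.reverse(reply)
    # The client only accepts a SYN-ACK that comes from the server:port it sent to.
    works = (at_client.src, at_client.sport, at_client.dst, at_client.dport) == (SERVER, 80, CLIENT, 40000)
    return {
        "works": works,
        "reply_via_firewall": not direct,
        "client_ip_seen_by_squid": at_squid.src,
        "squid_sees_original_dst": at_squid.dst == SERVER,
    }

if __name__ == "__main__":
    for label, squid_ip, pnat in [
        ("squid on LAN, no policy NAT", SQUID_LAN, False),
        ("squid on LAN, policy NAT on", SQUID_LAN, True),
        ("squid on OPT1 (DMZ), no policy NAT", SQUID_DMZ, False),
    ]:
        print(label, simulate(squid_ip, pnat))
```

The three runs show why the rules are shaped the way they are. With squid on the LAN segment and no policy NAT, squid answers the client directly, the firewall never gets to undo the redirect, and the client receives a SYN-ACK from squid:3128 instead of from server:80 and discards it. Turning on the policy NAT rule makes squid answer the firewall instead, so the connection works, but squid now sees every client as 192.0.2.1, which is the source-tracking drawback the note mentions. With squid on OPT1 both directions cross the firewall, so the outbound rule is unnecessary and squid sees the real client address. In all three cases squid_sees_original_dst is False, which is Neil's concern.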
