 From:  "Jeroen Visser" <monowall at forty dash two dot nl>
 To:  "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Settings For Squid Transparent Proxy
 Date:  Mon, 13 Feb 2006 21:01:18 +0100
Last one on the Transparent Proxy stuph for me.....

I got the files from Ryan and basically what they do is almost completely but not
entirely (un)like what I did in the config. ;-)

The settings just work fine, you can actually do an outbound nat on the LAN
interface to your proxy server. No problem at all....

But here comes the thing I feel COMPLETELY stupid about not seeing sooner,
like in the first two seconds I looked at it. When putting the proxy in your LAN
network, where your clients are, you effectively rule out that entire subnet from
using the proxy. Here's how:

1. The client "connects" to the web-page you want to see.

2. The firewall (m0n0) will translate the dest. IP to the proxy IP.

3. Your proxy IP will then want to return a packet, 
   stating that it's OK to connect to it.

Here comes the trick.

4. Your client does think that packet has to come from your DESTINATION. 
   Not the proxy. 

5. And since your proxy is inside the subnet your client is in, the 
   returning packet does NOT go through the m0n0wall and does NOT 
   get natted back to its original IP.

6. Your client sees this packet, originating from another IP, and discards it.

7. No Transparent proxy for you in the same subnet sir....

Again, I feel a real NITWIT not seeing this sooner.
Or did anyone ever post this before ? Then I will crawl back to kindergarten....

(This e-mail does not reflect my current state of mind, I CAN actually laugh about
it. Don't worry).

Jeroen Visser.
Sure, we know Unix, we've seen it in Jurassic Park...
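The asymmetric return path described in steps 1 to 7 above, as an added walkthrough (not code from this thread, from m0n0wall or from Squid): a small Python model of the client, the NAT rule on the firewall's LAN interface, and the proxy. All addresses are constructed (client 192.168.1.10, proxy either on the LAN as 192.168.1.2 or on a separate segment as 10.0.0.2, web server 203.0.113.80), the proxy port is assumed to be Squid's usual 3128, and the model only compares the reply's source address and port against what the client sent to, which is the check that makes the client drop the stray SYN-ACK. It goes one step past the mail by also running the case where the proxy sits on another subnet, where the reply must cross the firewall and gets its source translated back.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Models the outbound NAT rule on the LAN interface: web traffic from the
    LAN is redirected to the proxy, and replies that cross the firewall are
    translated back to the original destination (constructed model)."""

    def __init__(self, proxy_ip: str, proxy_port: int = 3128):
        self.proxy = (proxy_ip, proxy_port)
        # NAT state: (client ip, client port) -> (original dst, original port)
        self.state: dict[tuple[str, int], tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: rewrite the destination of port-80 traffic to the proxy."""
        if pkt.dport == 80 and pkt.dst != self.proxy[0]:
            self.state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, *self.proxy)
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reverse translation for a reply that actually passes the firewall:
        the proxy's source address becomes the original destination again."""
        key = (pkt.dst, pkt.dport)
        if (pkt.src, pkt.sport) == self.proxy and key in self.state:
            orig_dst, orig_dport = self.state[key]
            return Packet(orig_dst, orig_dport, pkt.dst, pkt.dport)
        return pkt


def simulate(client_ip: str, proxy_ip: str, proxy_net: str,
             web_ip: str = "203.0.113.80") -> tuple[bool, str, str]:
    """Run one connection attempt and report whether the client accepts the
    proxy's reply, the source address the reply arrived with, and the path.

    proxy_net is the proxy's directly connected network in CIDR notation."""
    fw = NatFirewall(proxy_ip)

    # Step 1: client "connects" to the web server. The web server is not on-link,
    # so the SYN goes to the default gateway, i.e. through the firewall.
    syn = Packet(client_ip, 40000, web_ip, 80)
    to_proxy = fw.outbound(syn)                      # step 2: dst -> proxy

    # Step 3: the proxy answers (SYN-ACK) with its OWN address as source.
    synack = Packet(to_proxy.dst, to_proxy.dport, to_proxy.src, to_proxy.sport)

    # Step 5: the proxy delivers directly if the client is on its own subnet,
    # bypassing the firewall; otherwise the reply is routed via the firewall.
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(proxy_net):
        delivered, path = synack, "direct (firewall bypassed)"
    else:
        delivered, path = fw.reply(synack), "via firewall (un-natted)"

    # Steps 4 and 6: the client expects the reply from the address it sent to.
    accepted = (delivered.src, delivered.sport) == (web_ip, 80)
    return accepted, delivered.src, path


def proxy_on_lan() -> tuple[bool, str, str]:
    """The case from the mail: proxy and client share 192.168.1.0/24."""
    return simulate("192.168.1.10", "192.168.1.2", "192.168.1.0/24")


def proxy_on_separate_segment() -> tuple[bool, str, str]:
    """Proxy behind another firewall interface, so the reply must cross it."""
    return simulate("192.168.1.10", "10.0.0.2", "10.0.0.0/24")


if __name__ == "__main__":
    for label, result in (("same subnet", proxy_on_lan()),
                          ("separate subnet", proxy_on_separate_segment())):
        accepted, src, path = result
        print(f"{label:16s} reply from {src:15s} {path:28s} "
              f"-> {'accepted' if accepted else 'DISCARDED'}")
```

Running it shows the same-subnet reply arriving from 192.168.1.2 and being discarded, while the separate-segment reply comes back through the firewall rewritten to 203.0.113.80 and is accepted; the only difference between the two runs is whether the return path crosses the device holding the NAT state.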