[squid-users] FreeBSD pf route-to and linux tproxy

Eliezer Croitoru eliezer at ngtech.co.il
Mon Aug 24 23:32:48 UTC 2015


After remembering this thread: 
http://www.squid-cache.org/mail-archive/squid-users/201102/0236.html

I had some time to run tests here and there. I am now testing FreeBSD 
traffic diverting with PF and seem not to understand something.
The topology is:
client(192.168.12.150/24) --> R1(FBSD-PF)-------->R2(VYOS+NAT)
                              (192.168.11.254/24)
                                      |
                                      |
                              PROXY(192.168.11.1/24)

R1 and R2 are on net 192.168.15.0/24: R1 - 192.168.15.1, R2 - 192.168.15.254

Now I am watching something weird on both the PROXY and R2.
I am trying to divert traffic using PF to the proxy using the "route-to" 
method.
Example PF rules:
##START pf.conf
int_if = "vtnet2"            # LAN side (192.168.12.0/24)
ext_if = "vtnet0"            # towards R2 (192.168.15.0/24)
proxy_if = "vtnet1"          # towards the proxy (192.168.11.0/24)
lan_net = "192.168.12.0/24"
proxy1 = "192.168.11.1"

# traffic arriving on the proxy leg is accepted as-is
pass in quick on $proxy_if
# client -> port 80: route lookup in alternate FIB 1 (rtable 1)
pass in quick on $int_if proto tcp from $lan_net to any port 80 rtable 1
# replies from port 80 back to the LAN: also looked up in FIB 1
pass in quick on $ext_if proto tcp from any port 80 to $lan_net rtable 1

pass in all
pass out all
##END pf.conf

In this scenario the tproxy is diverting the SYN packet and Squid does 
not reply with a SYN-ACK.
When I disable pf and use the FreeBSD machine as a router I get a 
weird result: the TCP packet gets to the origin server without being 
masqueraded (SNAT) on the VyOS machine.

So two weird scenarios with FreeBSD.
If I replace R1 with a drop-in VyOS or CentOS machine, it all suddenly 
works magically, both TPROXY and TCP NAT.
The only packets I see being SNATed are ICMP, not TCP.

* The FreeBSD R1 is a clone of the VyOS one, so the networks are the same 
but with different NIC MAC addresses.

I am not looking for a resolution at the OS level, since with Linux boxes 
it all works magically fine.
But if someone has seen this I will be happy to hear that I am not alone 
on that.

Eliezer
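For comparison, here is what the same diversion looks like with pf's route-to (policy routing to a next hop) instead of the rtable/FIB approach in the post. This is an added illustration, not the poster's configuration or anything from the Squid project; the interface names and addresses are taken from the post, and it assumes R1 has net.inet.ip.forwarding=1 and that the proxy host runs Squid in tproxy mode and sends its client-addressed replies back through R1.

```pf
# Added example, not the pf.conf from the post above.
# FreeBSD pf.conf that steers port-80 flows to a TPROXY Squid box with
# route-to rather than "rtable". Assumptions: the names/addresses below are
# the ones from the post, forwarding is enabled on R1, and the proxy is
# directly reachable on $proxy_if (route-to needs a next hop on that link).
int_if   = "vtnet2"     # towards the clients (192.168.12.0/24)
ext_if   = "vtnet0"     # towards R2 (192.168.15.0/24)
proxy_if = "vtnet1"     # towards the proxy (192.168.11.0/24)
lan_net  = "192.168.12.0/24"
proxy1   = "192.168.11.1"

# Accept whatever comes back from the proxy leg: the proxy's own traffic
# and the client-addressed packets that TPROXY emits.
pass in quick on $proxy_if

# Client -> origin: hand the SYN (and the rest of the flow) to the proxy
# instead of following the default route towards R2.
pass in quick on $int_if route-to ($proxy_if $proxy1) \
    proto tcp from $lan_net to any port 80

# Origin -> client: because TPROXY spoofs the client's source address,
# the origin's replies come back from R2 addressed to the client; they
# must be steered to the proxy too, not forwarded straight out $int_if.
pass in quick on $ext_if route-to ($proxy_if $proxy1) \
    proto tcp from any port 80 to $lan_net

pass in all
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, then watch `pfctl -ss` and `tcpdump -ni vtnet1 tcp port 80` on the proxy leg to confirm the SYN actually leaves R1 towards 192.168.11.1. Two caveats worth keeping in mind: route-to bypasses the routing table entirely, so the next hop must be on the named interface, and only TCP/80 is touched, so ICMP and everything else still follow the normal route to R2.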

