[squid-users] FreeBSD pf route-to and linux tproxy

Eliezer Croitoru eliezer at ngtech.co.il
Thu Aug 27 00:05:47 UTC 2015


After some research I have found out that there is something wrong with the 
virtio driver of FreeBSD.
Then I wrote a basic wiki example on how to policy route traffic flows 
through a FreeBSD box to a squid box in the DMZ:
http://wiki.squid-cache.org/ConfigExamples/Intercept/PfPolicyRoute

So in case someone reads it, e1000 virtual adapters work fine on 
FreeBSD while the virtio (for kvm) ones do some weird things to routed traffic.
I do not know yet what the issue is, and this is a FreeBSD related issue 
rather than a squid one.

Now squid works fine with VYOS, other Linux and FreeBSD.

Eliezer

On 25/08/2015 02:32, Eliezer Croitoru wrote:
> After remembering this thread:
> http://www.squid-cache.org/mail-archive/squid-users/201102/0236.html
>
> I had some time to run tests here and there; I am now testing FreeBSD
> traffic diverting with PF and seem to not understand something.
> The topology is:
> client(192.168.12.150/24) --> R1(FBSD-PF) --------> R2(VYOS+NAT)
>                               (192.168.11.254/24)
>                                      |
>                                      |
>                               PROXY(192.168.11.1/24)
>
> R2 and R1 are on net 192.168.15.0/24: R1 - 192.168.15.1, R2 - 192.168.15.254
>
> Now I am seeing something weird on both the PROXY and R2.
> I am trying to divert traffic to the proxy using PF with the "route-to"
> method.
> Example PF rules:
> ##START pf.conf
> int_if = "vtnet2"
> ext_if = "vtnet0"
> proxy_if = "vtnet1"
> lan_net = "192.168.12.0/24"
> proxy1 = "192.168.11.1"
>
> pass in quick on $proxy_if
> pass in quick on $int_if proto tcp from $lan_net to any port 80 rtable 1
> pass in quick on $ext_if proto tcp from any port 80 to $lan_net rtable 1
>
> pass in all
> pass out all
> ##END pf.conf
>
> In this scenario the tproxy is diverting the SYN packet and squid does
> not reply with a SYN-ACK.
> When I disable pf and use the FreeBSD machine as a plain router I
> get a weird result: the TCP packet gets to the origin server
> without being masqueraded (SNAT) on the VYOS machine.
>
> So two weird scenarios with FreeBSD.
> If I replace R1 with a drop-in replacement VYOS or CentOS
> machine it all suddenly works magically, both TPROXY and TCP NAT.
> The only packets I see being SNATed are ICMP, not TCP.
>
> * The R1 FreeBSD is a clone of the VYOS so the networks are the same but
> with different NIC MAC addresses.
>
> I am not looking for a resolution at the OS level since with Linux boxes
> it all works magically fine.
> But if someone has seen this I will be happy to hear about it, so I know I am
> not alone on that.
>
> Eliezer
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
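For readers who want to see the "route-to" method the quoted post refers to, here is an added pf.conf for the R1 router, written for this page and not taken from the post or from the squid wiki page it links. It keeps the post's interface names and addresses but replaces the `rtable 1` rules with `route-to`/`reply-to`, which name the proxy as next hop in the rule itself and so do not depend on a second routing table (FIB) having been populated separately. The per-rule comments describing the TPROXY packet flow are my own reasoning, not text from the post.

```pf
# Added example pf.conf for R1 (FreeBSD + pf) steering port-80 flows to a
# squid TPROXY box.  Interface names and addresses follow the list post;
# the rule structure is this example's own, not the post's or the wiki's.
int_if   = "vtnet2"
ext_if   = "vtnet0"
proxy_if = "vtnet1"
lan_net  = "192.168.12.0/24"
proxy1   = "192.168.11.1"

set skip on lo0

# 1. Packets arriving from the proxy are forwarded normally and must never be
#    re-diverted, so this rule comes before the diversion rules.  The proxy
#    sends to origin servers with the client's own source address (TPROXY
#    spoofing), so replies to those flows carry the client as destination;
#    reply-to hands them back to the proxy instead of routing them straight
#    to the client, which knows nothing about that connection.
pass in quick on $proxy_if reply-to ($proxy_if $proxy1)

# 2. Client -> web: forward the packet to the proxy as next hop while leaving
#    the destination address untouched, which is what TPROXY interception needs.
pass in quick on $int_if route-to ($proxy_if $proxy1) proto tcp from $lan_net to any port 80

# 3. Web -> client packets that match no existing state (for example after a
#    state has expired) are also steered to the proxy rather than the client.
pass in quick on $ext_if route-to ($proxy_if $proxy1) proto tcp from any port 80 to $lan_net

# Everything else is plain routing, as in the post.
pass in all
pass out all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm diversion with `tcpdump -ni vtnet1 'tcp port 80'` on R1: a client SYN should leave vtnet1 towards 192.168.11.1 with the origin server still as destination, and the SYN-ACK should come back in on vtnet1 from the proxy. Rule 1 is where the loop and the reply path are decided, so if the proxy sees the SYN but the client never gets a SYN-ACK, look at the states (`pfctl -ss`) created by that rule first.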
