[squid-users] FreeBSD pf route-to and linux tproxy
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Aug 24 23:32:48 UTC 2015
After remembering this thread:
http://www.squid-cache.org/mail-archive/squid-users/201102/0236.html
I had some time to run tests here and there. I am now testing FreeBSD
traffic diverting with PF and seem not to understand something.
The topology is:
client(192.168.12.150/24) --> R1(FBSD-PF) --------> R2(VYOS+NAT)
                              (192.168.11.254/24)
                                      |
                                      |
                              PROXY(192.168.11.1/24)
R2 and R1 are on net 192.168.15.0/24: R1 - 192.168.15.1, R2 - 192.168.15.254
Now I am watching something weird on both the PROXY and R2.
I am trying to divert traffic using PF to the proxy using the "route-to"
method.
Example PF rules:
##START pf.conf
int_if = "vtnet2"
ext_if = "vtnet0"
proxy_if = "vtnet1"
lan_net = "192.168.12.0/24"
proxy1 = "192.168.11.1"
pass in quick on $proxy_if
pass in quick on $int_if proto tcp from $lan_net to any port 80 rtable 1
pass in quick on $ext_if proto tcp from any port 80 to $lan_net rtable 1
pass in all
pass out all
##END pf.conf
In this scenario the TPROXY is diverting the SYN packet and Squid does
not reply with a SYN-ACK.
When I disable pf and use the FreeBSD machine as a router I get a
weird result: the TCP packet gets to the origin server without being
masqueraded (SNAT) on the VYOS machine.
So two weird scenarios with FreeBSD.
If I replace R1 with a drop-in VYOS or CentOS machine it all suddenly
works magically, both TPROXY and TCP NAT.
The only packets I see being SNATed are ICMP, not TCP.
* The R1 FreeBSD is a clone of the VYOS, so the networks are the same but
with different NIC MAC addresses.
I am not looking for a resolution at the OS level since with Linux boxes
all works magically fine.
But if someone has seen this I will be happy to hear that I am not
alone on that.
Eliezer
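Added example, not the poster's configuration and not a confirmed fix for the problem described above: the post calls the diversion the "route-to" method, while the rules it shows use `rtable 1`. The ruleset below rewrites the same two port-80 rules with pf's route-to/reply-to syntax and adds a reply-to on the proxy-facing rule, so that origin replies to a connection the proxy opened (which, under TPROXY, carries the client's address and therefore matches $lan_net) are sent back out to the proxy rather than straight to the client. Interface names and addresses are taken from the post; that they match the poster's intended setup is an assumption.

```pf
# Added example (not the poster's pf.conf): route-to/reply-to form of the
# port-80 diversion. Interface names and addresses come from the post.
int_if   = "vtnet2"
ext_if   = "vtnet0"
proxy_if = "vtnet1"
lan_net  = "192.168.12.0/24"
proxy1   = "192.168.11.1"

# Connections the proxy opens toward origin servers. With TPROXY they carry
# the client's source address, so they match $lan_net. reply-to routes the
# origin's answers back out $proxy_if to the proxy instead of to the client.
pass in quick on $proxy_if reply-to ($proxy_if $proxy1) \
    proto tcp from $lan_net to any port 80
pass in quick on $proxy_if

# Client SYNs for port 80 are policy-routed to the proxy rather than being
# forwarded toward R2.
pass in quick on $int_if route-to ($proxy_if $proxy1) \
    proto tcp from $lan_net to any port 80

# Port-80 replies arriving on $ext_if that do not match an existing state
# (reply-to above covers the stateful case) are also sent to the proxy.
pass in quick on $ext_if route-to ($proxy_if $proxy1) \
    proto tcp from any port 80 to $lan_net

pass in all
pass out all
```

With pf's default floating state policy, the origin's reply matches the state created by the proxy's own outbound connection on $proxy_if, so it is the reply-to on that rule, not the $ext_if rule, that decides where the reply goes; `pfctl -s state` on R1 shows which rule created each state, and a tcpdump on vtnet1 shows whether the SYN-ACK from the origin actually reaches the proxy.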