Hi!
My situation:
I have an OpenBSD firewall/proxy (192.168.0.1), running IPF/IPNAT w/ Squid as transparent proxy. This machine is configured to be gateway to the network.
This works great, all the clients WWW-requests on the internal network are rerouted to the proxyport by this IPNAT-rule:
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
However, I would like to use another machine as a transparent proxy and have run into some problems... The new machine runs Solaris 8 i386 (192.168.0.2) and I have successfully compiled and configured Squid. I use the same config I used with the "firewall-squid-version".
After changing the IPNAT-rule to:
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128
It won't work... I can see a message: Website found, waiting for reply, but figure this is only because DNS-lookup of the website was successful. DNS-lookups are punched through the firewall and happen independently from the squid-proxy.
What I figure happened is this:
- A client wants to connect to the internet.
- Request travels to 192.168.0.1 port 80
- Request is redirected to squid on 192.168.0.2 port 3128
- Squid on 192.168.0.2 wants to connect to the internet.
- Squid on 192.168.0.2 connects to 192.168.0.1 port 80
- Squid-request is redirected to squid on 192.168.0.2 port 3128 instead of to internet (because of IPNAT-rule stated above)
- And it continues to loop...
How can I change my IPNAT-rules so that all clients are redirected to 192.168.0.2 port 3128 _AND_ 192.168.0.2 itself is allowed direct access to the internet?
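To make the loop above concrete, here is a small model of first-match redirect rules, added as an illustration and not part of the original post or of IPFilter itself. It uses its own constructed rule representation (not ipnat.conf syntax) and assumes that every port-80 packet leaving an internal host, the proxy included, passes the firewall's rdr rules, and that a rule can be keyed on the source address so the proxy's own requests are left untouched.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

FIREWALL = "192.168.0.1"   # OpenBSD IPF/IPNAT gateway
PROXY = "192.168.0.2"      # Solaris box running Squid on port 3128
TARGET = "203.0.113.10"    # constructed web server address outside the LAN

@dataclass(frozen=True)
class Rdr:
    src: Optional[str]     # None = match any source address
    dport: int             # destination port the rule matches
    to: Optional[str]      # None with exempt=True = pass through untouched
    to_port: int
    exempt: bool = False   # hypothetical "no translation" rule

def apply_rdr(rules: List[Rdr], src: str, dst: str, dport: int) -> Tuple[str, int]:
    """First matching rule wins; no match means the packet is untouched."""
    for r in rules:
        if r.src is not None and r.src != src:
            continue
        if r.dport != dport:
            continue
        if r.exempt:
            return dst, dport
        return r.to, r.to_port
    return dst, dport

def trace(rules: List[Rdr], client: str, max_hops: int = 4) -> List[Union[Tuple[str, int], str]]:
    """Follow one client request through the gateway; 'LOOP' ends the trace
    when Squid's own outbound request keeps being redirected back to it."""
    hops: List[Union[Tuple[str, int], str]] = []
    src, dst, dport = client, TARGET, 80
    for _ in range(max_hops):
        dst, dport = apply_rdr(rules, src, dst, dport)
        hops.append((dst, dport))
        if dst != PROXY:
            return hops          # packet left the LAN towards the real server
        # Squid received the redirected request and opens its own port-80
        # connection to the origin server, which crosses the gateway again.
        src, dst, dport = PROXY, TARGET, 80
    hops.append("LOOP")
    return hops

# The rule set from the post: every port-80 request goes to Squid, Squid's too.
RULES_LOOP = [Rdr(None, 80, PROXY, 3128)]
# Constructed fix in this model: exempt packets sourced by the proxy first.
RULES_FIXED = [Rdr(PROXY, 80, None, 0, exempt=True), Rdr(None, 80, PROXY, 3128)]
```

Running `trace(RULES_LOOP, "192.168.0.50")` never leaves the LAN, while `trace(RULES_FIXED, "192.168.0.50")` reaches the target on the second hop.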