* John Tate <[email protected]> [2013-05-03 17:23]:
> I have a squid proxy listening in transparent mode on another faster
> system, but I can't seem to get packets there with pf. I tried simply
> modifying the other divert-to rule to use the IP address of that system. It
> doesn't seem to work, packets don't reach that system.
> 
> #pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
> pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10
> port 3128
> 
> How should I be doing this? I couldn't find anything on Google.

Some time ago I did a similar setup with multiple proxies on separate machines.
The OpenBSD machine had three interfaces:

- em1: client network
- em2: proxies
- em0: outbound

The inbound redirection rules looked something like this:

proxy1="10.0.0.5 fd00::5"
proxy2="10.0.0.6 fd00::6"

table <proxies> { $proxy1 $proxy2 }

pass in quick on em1 proto tcp from any to any port 80 \
        route-to { (em2 <proxies>) } round-robin

This should work for both IPv4 and IPv6.

To make this a bit more interesting, I made the proxy do a non-local bind to the
client IP for the outbound connection. To get return traffic back to the
correct proxy, you can use a bridge on em2 to tag connections by MAC address:

/etc/hostname.bridge0:
up
add em2
rule pass in on em2 src 00:12:34:56:78:01 tag proxy1
rule pass in on em2 src 00:12:34:56:78:02 tag proxy2

With that in place you can route return traffic to the correct proxy even though
the proxy's outbound connection uses the source IP of the original client. If I
remember correctly, the use of tables here makes it possible to write one rule
per proxy that works for both IPv4 and IPv6:

table <proxy1> { $proxy1 }
table <proxy2> { $proxy2 }
pass in quick on em2 proto tcp from !<proxy1> \
        tagged "proxy1" reply-to (em2 <proxy1>)
pass in quick on em2 proto tcp from !<proxy2> \
        tagged "proxy2" reply-to (em2 <proxy2>)

I hope this still works.

Cheers,
Ralf
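
The pieces above assembled into one ruleset, as an added example for this
archive page; it is not the configuration Ralf or John actually ran. It keeps
Ralf's interface layout (em1 clients, em2 proxies, em0 outbound), his proxy
addresses and MACs as placeholders, and assumes squid listens on port 3128 on
each proxy host and binds its upstream connections to the client address as he
describes. The point it adds to the thread: divert-to only delivers to a socket
on the firewall itself, which is why John's "divert-to 10.0.0.10" never arrives
anywhere, and route-to does not rewrite the destination address, so the proxy
host has to intercept port 80 on its own side.

```pf
# --- /etc/pf.conf on the OpenBSD router ---
# Interface layout as in the thread: em1 = clients, em2 = proxies, em0 = outbound.
# Proxy addresses and MACs are placeholders, not real hosts.
ext_if = "em0"
int_if = "em1"
prx_if = "em2"

proxy1 = "10.0.0.5 fd00::5"
proxy2 = "10.0.0.6 fd00::6"

table <proxies> { $proxy1 $proxy2 }
table <proxy1>  { $proxy1 }
table <proxy2>  { $proxy2 }

set skip on lo
block log all

# 1. Interception of client HTTP arriving on em1.
#
# divert-to hands the packet to a socket on THIS host only, which is why
# "divert-to 10.0.0.10 port 3128" from the question never reaches the other
# machine. Keep divert-to for a proxy that runs on the router itself:
#pass in quick on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
#
# For proxies on other hosts use route-to: the packet is forwarded to the
# chosen proxy as the next hop with its destination address unchanged, so
# the proxy host must intercept port 80 itself (third section below).
# round-robin spreads clients over the table; sticky-address keeps one
# client on the same proxy while its source-tracking entry lives.
pass in quick on $int_if proto tcp from any to !<proxies> port 80 \
        route-to { ($prx_if <proxies>) } round-robin sticky-address

# Remaining client traffic.
pass in on $int_if

# 2. Return path for the proxies' upstream connections (arriving on em2).
#
# The proxies bind their upstream connections to the client's address, so a
# packet coming in on em2 carries a client IP as source and nothing in the
# IP header says which proxy sent it. The bridge(4) rules in hostname.bridge0
# tag each proxy's frames by source MAC; matching on that tag attaches a
# reply-to, so the web server's answer goes back out em2 to that proxy
# instead of out em1 to the client.
pass in quick on $prx_if proto tcp from !<proxy1> tagged "proxy1" \
        reply-to ($prx_if <proxy1>)
pass in quick on $prx_if proto tcp from !<proxy2> tagged "proxy2" \
        reply-to ($prx_if <proxy2>)

# Traffic the proxies send from their own addresses (DNS, updates, ...).
pass in on $prx_if from <proxies>

pass out on $ext_if
pass out on $prx_if
pass out on $int_if

# --- /etc/hostname.bridge0 on the router (as posted by Ralf) ---
# up
# add em2
# rule pass in on em2 src 00:12:34:56:78:01 tag proxy1
# rule pass in on em2 src 00:12:34:56:78:02 tag proxy2

# --- /etc/pf.conf on each proxy host (one interface, em0, on the em2 net) ---
# Intercepted packets arrive addressed to the origin web server, so the
# proxy host diverts them to its local squid listener (port 3128 assumed);
# one rule per address family because the divert target is an address.
# pass in quick on em0 inet  proto tcp to port 80 divert-to 127.0.0.1 port 3128
# pass in quick on em0 inet6 proto tcp to port 80 divert-to ::1 port 3128
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it: the
`route-to` / `reply-to` grammar has changed between OpenBSD releases, and the
`(interface <table>)` form is the one Ralf reports as working, not something
verified here. `pfctl -ss` shows whether the proxies' upstream states carry the
expected reply-to, and `ifconfig bridge0 rules em2` lists the MAC tag rules
the reply-to rules depend on.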
