Hi Guys,
I have been researching and investigating how to do squid transparent proxying with the use of pf in bridge mode, but I still could not find a way to make it work.
I have read heaps of stuff across the net but nothing seems to work for me.
I want all my clients on the internal network to be redirected to squid on localhost (127.0.0.1 port 3128) whenever they make an HTTP request. The firewall is in bridge mode.
Looking at the tcpdump on pflog0, the rdr rule is being hit but the rule with route-to is not.
Here are the lines:
1231295472.541029 rule 0/(match) rdr in on em0: freebsd-testmach.auckland.ac.nz.56875 > localhost.auckland.ac.nz.3128: [|tcp] (DF)
1231295472.541048 rule 3/(match) pass out on em1: freebsd-testmach.auckland.ac.nz.56875 > localhost.auckland.ac.nz.3128: [|tcp] (DF)
The first line matches the rdr rule on em0, but the second line shows that it has passed out on the external interface (em1), which is wrong.
Can you please help me out with this dilemma?
Below is my setup/configuration. I am running squid-3.0.STABLE11 and have configured squid with these options: ./configure --prefix=/var/squid --with-pthreads --enable-pf-transparent
bridge0 = em0 + em1
# cat /etc/bridgename.bridge0
down
add em0
add em1
addspan em0
addspan em1
-learn em1
-learn em0
discover em0
discover em1
autoptp em0
autoptp em1
maxaddr 400
fwddelay 6
-link0
-link1
up
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
# cat /etc/pf.conf
ext_if="em1"
int_if="em0"
set loginterface $ext_if
scrub in
rdr pass log on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick log on $int_if route-to 127.0.0.1 proto tcp from any to 127.0.0.1 port 3128
pass in log all
pass out log on $int_if all
pass out log on $ext_if all
Thanks in advance. Your help is much appreciated.
Best Regards,
Mark Pagulayan
University of Auckland
squid proxy on a bridge
Hi Mark,
I had a similar setup before on FreeBSD running squid on a bridge and transparently redirecting requests from clients to the proxy. The bridge had an IP address and a static route to the client network. Looking at your pf rules, I think your problem is the pass rule with the route-to option. Try changing it from "route-to 127.0.0.1" to "route-to lo0" or "route-to (lo0 127.0.0.1)".
Regards,
Basti
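For reference, below is a pf.conf fragment for the setup in Mark's message, written as an added example for this thread and not taken from either post. It applies Basti's suggestion of route-to with an interface, "route-to (lo0 127.0.0.1)", and additionally drops the "pass" modifier from the rdr rule: pf.conf(5) documents that "rdr pass" passes matching packets without evaluating the filter rules at all, so while that modifier is present the route-to rule can never be reached, which also fits the pflog output above (an rdr match followed directly by the "pass out" on em1, with no "pass in" match in between). The interface names and the squid address come from the thread; lo0 as the loopback interface name and the use of "set skip on lo0" are assumptions for this example.

```pf
ext_if="em1"
int_if="em0"
squid_port="3128"

set loginterface $ext_if

# Assumption: lo0 is the loopback interface. Leave locally delivered
# traffic alone so the redirected connection to squid is not filtered
# or translated a second time.
set skip on lo0

scrub in

# Original rule from the thread, kept here only for comparison. The "pass"
# modifier makes pf pass matching packets without consulting the filter
# rules below, so the route-to rule is never evaluated for them.
#rdr pass log on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# Corrected: translate only, and let the filter rules decide how the
# redirected packet is passed.
rdr log on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port $squid_port

# Original route-to rule from the thread, kept for comparison. route-to
# expects an interface, optionally with a next-hop address, not a bare IP.
#pass in quick log on $int_if route-to 127.0.0.1 proto tcp from any to 127.0.0.1 port 3128

# Corrected, as suggested in the reply: hand the redirected packets to the
# local stack over the loopback interface instead of bridging them out.
pass in quick log on $int_if route-to (lo0 127.0.0.1) inet proto tcp from any to 127.0.0.1 port $squid_port

# Remaining rules as in the original ruleset: the proxy's own upstream
# requests leave through $ext_if and everything else is passed.
pass in log all
pass out log on $int_if all
pass out log on $ext_if all
```

On the squid side, a 3.0 build configured with --enable-pf-transparent as in the post expects the listening port to be marked for interception with "http_port 3128 transparent" in squid.conf; without it squid will not look up the original destination in pf's NAT table. After loading the rules, the same tcpdump on pflog0 should show the rdr match followed by a "pass in" match for the route-to rule rather than a "pass out" on em1.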