Previously, I discussed how to configure a Squid proxy. That proxy was opaque, in that the web browsers had to be configured to use it. Here I explain how a proxy can be made transparent: when web browsers go to the Internet, the requests get intercepted and processed by the proxy. Like before, I use the PF firewall and let it redirect the packets for me.
Step 1: Configure Network Gateway
To act as a network router, a machine needs two network interfaces, virtual or physical. One of them connects to the external world (through another router, maybe). The other connects to the intranet. In PF, it is recommended to set up macros to identify the external and internal interfaces. An example rule set is as follows, where a Realtek interface was used as external and a Broadcom as internal.
extif="re0"
intif="bge0"
nat pass on $extif from $intif:network to any -> ($extif)
pass in quick from $intif:network to any
pass out quick
In order for a FreeBSD server to act as a router, it has to have the gateway variable enabled in /etc/rc.conf:
Once these are configured, reload the firewall rules for a smoke test. Good luck.
Step 2: Configure Network Clients
Pick a computer and configure it to send its network traffic through the router. Technically, we change its gateway.
Microsoft Windows: Control Panel > Network and Sharing Centre > Network Interfaces > Properties > TCP/IP Version 4 > Configure > Gateway
Mac OS X: System Preferences > Network > Gateway
FreeBSD: Update variable “defaultrouter” in /etc/rc.conf, then reboot
Everything should behave similarly, except that the network traffic goes through the router. Hopefully, the network link LEDs can give you some hints. (Sorry for being lazy and not telling the proper way…)
Step 3: Packet Redirection and Squid
In PF configuration, add this line right after the NAT rule, and then reload:
rdr pass on $intif proto tcp from any to any port 80 -> ($intif) port 3129
In Squid configuration, add this line right after the original http port statement:
http_port 3129 intercept
I may explain what ‘intercept’ mode means in the next article…
Step 4: Testing
Use the client configured in step 2 to browse the web. Like last time, there should be some pages cached. But make sure you visit pages that are not encrypted (that is, plain HTTP rather than HTTPS); otherwise the proxy will not take effect, because the redirect rule only matches TCP port 80.
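If nothing gets cached, a common cause is that the port in the PF rdr rule and the Squid intercept port do not match. The script below is an added example, not part of the original post, that cross-checks the two files; the function names, the sample file contents and the original http_port value 3128 (Squid's default) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check pf.conf and squid.conf.

# Print the port that the "rdr" rule for TCP port 80 redirects to.
pf_rdr_port() {
    awk '$1 == "rdr" && /proto tcp/ && / port 80 -> / {
        seen = 0
        for (i = 1; i < NF; i++) {
            if ($i == "->") seen = 1
            if (seen && $i == "port") { print $(i + 1); exit }
        }
    }' "$1"
}

# Print every port that Squid listens on in intercept mode.
squid_intercept_ports() {
    awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "intercept") { p = $2; sub(/.*:/, "", p); print p }
    }' "$1"
}

# usage: check_transparent_proxy PF_CONF SQUID_CONF
check_transparent_proxy() {
    port=$(pf_rdr_port "$1")
    if [ -z "$port" ]; then
        echo "FAIL: no rdr rule for TCP port 80 in $1"; return 1
    fi
    if ! squid_intercept_ports "$2" | grep -qx "$port"; then
        echo "FAIL: PF redirects to $port, but Squid has no intercept http_port $port"; return 2
    fi
    echo "OK: port 80 is redirected to Squid intercept port $port"
}

# Constructed sample input mirroring the lines from Steps 1 and 3.
demo=$(mktemp -d)
cat > "$demo/pf.conf" <<'EOF'
extif="re0"
intif="bge0"
nat pass on $extif from $intif:network to any -> ($extif)
rdr pass on $intif proto tcp from any to any port 80 -> ($intif) port 3129
pass in quick from $intif:network to any
pass out quick
EOF
# 3128 is assumed as the original http_port (Squid's default); the page does not state it.
printf 'http_port 3128\nhttp_port 3129 intercept\n' > "$demo/squid.conf"
check_transparent_proxy "$demo/pf.conf" "$demo/squid.conf"
```

On the router itself, call check_transparent_proxy with the paths of the real pf.conf and squid.conf instead of the sample files.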
Step 5: To be Continued
In part 3 of this series, I will explain how to intercept HTTPS connections as well.