[Solved] help with my freebsd+ipfw+ipnat+squid 3.0
cheoac
May 21st, 2009, 18:17
Hi, my name is Eliseo Acosta. I'm Mexican and my English is not good, but I have a problem.
This is my topology:
ISP
|
|
2wire(modem ip:192.168.1.254)
|
|
DD-WRT(Router ip: 192.168.1.100 and ip:192.168.2.1)
|
|
firewall(freebsd,ipfw,ipnat,squid. ip:192.168.2.2 and ip 192.168.3.1)
|
|
Clients (192.168.3.0/24)
////////Script /etc/ipfw.rules//////////
$cmd 00090 allow all from any to any via $outside
////////etc/ipnat.rules///////
map em0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
///////squid.conf/////////
http_port 3128 trasparent
acl mired 192.168.3.0/255.255.255.0
acl deny_site "/usr/local/etc/squid/deny_site"
http_access allow mired
http_access deny deny_site
////kernel/////
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
My ipnat and ipfw work well, but Squid doesn't filter the sites, and if I check the access.log it is empty. I need help; I don't know where the problem is.
DutchDaemon
May 21st, 2009, 20:06
There's a typo in http_port 3128 trasparent to begin with (transparent). And transparent proxying is normally done on localhost:
http_port 127.0.0.1:3128 transparent
using a firewall rule to redirect traffic for port 80 to localhost:3128.
cheoac
May 22nd, 2009, 02:37
Do I need to redirect in my ipfw or in my ipnat?
cheoac
May 22nd, 2009, 03:17
I put this line in my ipfw.rules:
$cmd 00080 fwd 192.168.3.0,80 tcp from any to any 3128
but it doesn't work, and I put this line in my ipnat.rules:
rdr em0 0/0 port 80 -> 127.0.0.1 port 3128
and it doesn't work either. I don't know how.
DutchDaemon
May 22nd, 2009, 03:50
I haven't used ipfw in a long time, but that rule looks ass-backwards. Something like this looks more logical:
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
I suggest you Google around for "squid transparent ipfw".
cheoac
May 22nd, 2009, 17:23
I tried these rules and they don't work. These rules block my www service.
Abriel
May 22nd, 2009, 18:03
/sbin/ipfw add 1000 fwd 172.21.0.1,8080 tcp from any to any 80 via rl0
172.21.0.1 - the address of your internal ethernet card
rl0 - your internal ethernet card
Abriel
May 22nd, 2009, 18:07
And I forgot:
http_port 8080 transparent
DutchDaemon
May 22nd, 2009, 18:10
I tried these rules and they don't work. These rules block my www service.
So it redirects http traffic, just like you wanted -- but it's not being picked up by Squid. Is Squid actually running on 127.0.0.1:3128?
DutchDaemon
May 22nd, 2009, 18:12
Abriel, you're adding confusion, not a solution.
Const
May 22nd, 2009, 19:17
If I'm not mistaken, you should also specify the outgoing address in squid.conf:
tcp_outgoing_address 192.168.2.2
and you don't need to NAT traffic going to port 80.
cheoac
May 23rd, 2009, 17:47
I disabled ipfw and ipnat and put tcp_outgoing_address 192.168.2.2, but I don't have results.
cheoac
May 23rd, 2009, 18:20
I have a question: can Squid work without ipnat and ipfw?
Const
May 23rd, 2009, 19:25
No. You need something on your FreeBSD box to forward http requests to Squid. So in IPFW you need a command like DutchDaemon said:
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
It will redirect all requests to Squid, then Squid passes the packets via the specified outgoing address. You can also specify the interface Squid listens on by adding the interface address to the config file. Then the http_port parameter will look like this:
http_port 192.168.3.1:3128
Then DutchDaemon's rule would be:
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
Give it a try.
Const
May 23rd, 2009, 19:33
ADDED
If it doesn't work, you should look at your IPFW logs in /var/log/security to analyze how packets move in your system. Maybe specify some rules with in/out interfaces to avoid endless looping, when incoming packets going to port 80 are forwarded to Squid and outgoing packets from Squid (they are still sent to port 80) are forwarded to Squid again. I'm very far from UNIX master level, but I configured Squid a few days ago and these problems were the problems I met.
Abriel
May 23rd, 2009, 19:55
I have a question: can Squid work without ipnat and ipfw?
1. Why do you use ipnat with ipfw? You can always switch to ipfw with natd.
2. Is your Squid working? If you don't have http_port 192.168.3.1:3128 and only http_port 3128, it will be working on all your IPs.
Check Squid with telnet 192.168.3.1 3128 or
lynx/links/elinks http://192.168.3.1:3128
3. I will put my Squid config and the first line of my firewall config for you on http://zse.ath.cx/cheoac/
cheoac
May 25th, 2009, 16:24
Hi, I tried these rules but they don't work:
http_port 192.168.3.1:3128 transparent
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
freebsd# ipfw -a list
00080 9 432 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090 23 1915 allow ip from any to any via em0
65535 2620 320111 allow ip from any to any
freebsd# ipfw list
00080 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090 allow ip from any to any via em0
65535 allow ip from any to any
freebsd#
All the http traffic is blocked, but not by Squid.
DutchDaemon
May 25th, 2009, 16:32
Again: is Squid actually running, and what's in the logfiles (usually /usr/local/squid/logs/[access.log|cache.log])?
cheoac
May 25th, 2009, 16:38
And if I run this command:
telnet 192.168.3.1 3128
the machine refuses the telnet connection.
/usr/local/etc/rc.d/squid start
but it doesn't work.
DutchDaemon
May 25th, 2009, 16:47
/usr/local/etc/rc.d/squid rcvar
cheoac
May 25th, 2009, 17:09
OK, I identified my first problem: Squid didn't work, but I fixed it. Now on all my web sites "The request or reply is too large" appears.
cheoac
May 25th, 2009, 17:41
I tried reply_body_max_size 0 and it doesn't work; "The request or reply is too large" appears.
DutchDaemon
May 25th, 2009, 17:47
There's also request_body_max_size
http://www.visolve.com/squid/squid30/contents.php
DutchDaemon
May 25th, 2009, 17:51
Did you run squid -k reconfigure after the changes were made?
cheoac
May 25th, 2009, 18:00
No, I didn't, but I ran this command and the problem is the same.
DutchDaemon
May 25th, 2009, 18:05
By the way, reply_body_max_size and request_body_max_size are not set to anything in the default squid.conf, so there should be no reason to adjust them. Unless you're using some cut & paste off the 'net instead of making your own.
Abriel
May 25th, 2009, 20:09
Use:
squid -k check
and please give us
squid -v
cheoac
May 25th, 2009, 21:25
I put request_body_max_size 0 in my squid.conf, but the problem is still there.
cheoac
May 25th, 2009, 22:01
Now I deactivated reply_body_max_size and request_body_max_size like DutchDaemon said, but "The request or reply is too large" appears on all my web sites. And my squid -v:
freebsd# squid -v
Squid Cache: Version 3.0.STABLE8
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs diskd null' '--enable-ipfw-transparent' '--enable-kqueue' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish Dutch English Estonian Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish Traditional_Chinese Turkish Ukrainian-1251 Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.1' 'build_alias=i386-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Abriel
May 25th, 2009, 22:35
One more thing: copy my squid.conf from http://zse.ath.cx/cheoac/ and try with it. Change only http_port 8080 transparent to yours, dns_nameservers 83.238.114.6 (change to your ISP's DNS) and acl siec src 172.21.0.0/255.255.0.0 (change to your internal IP range).
Put your squid.conf somewhere and post it as a link.
cheoac
May 26th, 2009, 01:55
My problem continues. My Squid blocks my web sites like www.youtube.com, but I can't access all the web sites; the message continues.
Abriel
May 26th, 2009, 06:48
My problem continues. My Squid blocks my web sites like www.youtube.com, but I can't access all the web sites; the message continues.
I need your squid.conf. Put it on rapidshare.com and paste a link here.
Const
May 26th, 2009, 06:57
Check your IPFW logs and make sure your packets don't get into an endless loop as I mentioned. These are the Squid rules from my firewall:
a="ipfw add"
l="log logamount 10000"
squid_ports=http
ipfw -f flush
$a check-state
$a allow all from any to any via lo0
# SQUID
$a fwd $squid $l all from $my_net to any $squid_ports in via $in_if
$a allow $l all from $out_if to any $squid_ports out via $out_if
$a allow $l all from any $squid_ports to $out_if in via $out_if
$a allow $l all from any $squid_ports to $my_net out via $in_if
$out_if is 192.168.2.2 in your case
$in_if is 192.168.3.1
cheoac
May 26th, 2009, 16:19
I know what my problem is: my problem is a forwarding loop.
2009/05/26 08:56:33| WARNING: Forwarding loop detected for:
X-Forwarded-For: 192.168.3.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.
This is my cache.log.
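As an added example (not code from anyone in the thread), here is a small shell helper that reads a Squid X-Forwarded-For line like the one above and counts how often the proxy's own address appears in the hop chain. The sample line is constructed in the shape of the cache.log line, and the "own" address 192.168.2.2 is taken from the tcp_outgoing_address suggested earlier in the thread. A chain in which that address shows up more than once means a request left Squid, matched the ipfw fwd rule again and came back in; a chain with one client hop and at most one proxy hop is normal.

```shell
#!/bin/sh
# Added example, not from the thread: interpret a Squid "Forwarding loop
# detected" warning by counting the proxy's own hops in X-Forwarded-For.

# Constructed sample in the shape of the thread's cache.log line (not a real log).
SAMPLE_XFF='X-Forwarded-For: 192.168.3.2, 192.168.2.2, 192.168.2.2, 192.168.2.2'

# xff_chain LINE: print the comma-separated hop list, one address per line,
# with the "X-Forwarded-For:" prefix and surrounding whitespace removed.
xff_chain() {
    printf '%s\n' "$1" \
        | sed -e 's/^.*X-Forwarded-For:[[:space:]]*//' \
        | tr ',' '\n' \
        | sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# self_hops LINE ADDR: number of hops whose address is exactly ADDR.
self_hops() {
    xff_chain "$1" | grep -c -x -F "$2"
}

# first_hop LINE: the original client, the first entry in the chain.
first_hop() {
    xff_chain "$1" | head -n 1
}

# is_forwarding_loop LINE ADDR: succeed when the proxy's own address ADDR
# appears more than once, i.e. the request re-entered the proxy.
is_forwarding_loop() {
    [ "$(self_hops "$1" "$2")" -gt 1 ]
}

if is_forwarding_loop "$SAMPLE_XFF" 192.168.2.2; then
    echo "loop: client $(first_hop "$SAMPLE_XFF") re-entered 192.168.2.2" \
         "$(self_hops "$SAMPLE_XFF" 192.168.2.2) times"
else
    echo "no loop in chain: $(xff_chain "$SAMPLE_XFF" | tr '\n' ' ')"
fi
```

Feed it the X-Forwarded-For line from cache.log and the address Squid sends from; if the count keeps growing with each hop the fwd rule is catching Squid's own outbound connections, which is the case the rest of the thread fixes with `from not me` or `in recv <inside interface>`.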
DutchDaemon
May 26th, 2009, 16:21
Do yourself a favour: run Squid on 127.0.0.1. There's a reason why transparent proxying usually takes place on localhost.
cheoac
May 26th, 2009, 16:29
This is my ipfw.rules:
#!/bin/sh
ipfw -q flush
outside="em0"
inside="rl0"
cmd="ipfw -q add"
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
$cmd 00090 allow all from any to any via $outside
cheoac
May 26th, 2009, 16:31
This is my http_port:
http_port 3128 transparent
DutchDaemon
May 26th, 2009, 16:46
Deja Voodoo ..
Use http_port 127.0.0.1:3128 transparent
cheoac
May 26th, 2009, 16:58
Now my http_port is:
http_port 127.0.0.1:3128 transparent
and the problem persists.
cheoac
May 26th, 2009, 17:01
I think that my problem is my ipfw.rules, because there is a loop.
DutchDaemon
May 26th, 2009, 17:17
Try adding to that rule:
in recv $nic
Replace $nic with the network card you're redirecting the port 80 traffic on. I'm assuming you have a default gateway correctly set up, so that Squid knows where to go for internet connectivity?
cheoac
May 26th, 2009, 17:24
My default gateway is correct and all my routes are correct, but I don't know where to paste this rule (in recv $nic), because my ipfw doesn't understand this rule.
cheoac
May 26th, 2009, 17:33
I know what my problem is. This is a solution:
$cmd 00080 fwd 127.0.0.1,3128 tcp from not me to any 80
DutchDaemon
May 26th, 2009, 17:37
I meant:
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80 in recv $int_nic
Which is probably the same.
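Pulling the thread's pieces together, here is an added example (not the ipfw.rules or squid.conf of anyone in the thread) of a loop-free ruleset and the squid.conf lines that pair with it. It assumes the thread's names: em0 outside (192.168.2.2), rl0 inside (192.168.3.1), clients in 192.168.3.0/24, Squid bound to 127.0.0.1:3128; the dstdomain type for the deny_site acl is an assumption, since the first post does not say what that file holds. Two checks the thread does not spell out: on the FreeBSD 7.1 build shown by squid -v, fwd only works when the kernel has options IPFIREWALL_FORWARD, which is absent from the kernel options in the first post; and http_access is first-match, so the original order (allow mired before deny deny_site) never denies anything. Binding Squid to 127.0.0.1 also keeps the proxy unreachable from the em0 side, which is the security reason behind "transparent proxying usually takes place on localhost". The script prints the ipfw commands instead of loading them when DRY_RUN is set or ipfw is not installed.

```shell
#!/bin/sh
# Added example, not from the thread: loop-free ipfw rules plus the matching
# squid.conf lines for a transparent Squid on the thread's FreeBSD box.
# Interface names and addresses are the thread's; everything else is assumed.

outside="em0"            # towards DD-WRT, address 192.168.2.2
inside="rl0"             # towards the clients, address 192.168.3.1
lan="192.168.3.0/24"
squid="127.0.0.1,3128"   # where Squid listens (http_port 127.0.0.1:3128 transparent)

# Print instead of load when asked to, or when ipfw is simply not here.
if [ -n "${DRY_RUN:-}" ] || ! command -v ipfw >/dev/null 2>&1; then
    ipfw_add="echo ipfw -q add"
    ipfw_flush="echo ipfw -q flush"
else
    ipfw_add="ipfw -q add"
    ipfw_flush="ipfw -q flush"
fi

# ipfw_rules: emit (or load) the ruleset. ipfw is first-match, so order matters.
ipfw_rules() {
    $ipfw_flush
    # The fwd target is 127.0.0.1 and Squid answers from there, so loopback
    # has to be allowed before anything else.
    $ipfw_add 00010 allow ip from any to any via lo0
    # Redirect port 80 only for packets that ARRIVE on the LAN interface from a
    # LAN source. 'in recv rl0' is the guard that ends the forwarding loop:
    # Squid's own fetches are sourced from 192.168.2.2 ("me") and leave via em0,
    # so they never match this rule and are not pushed back into Squid.
    $ipfw_add 00080 fwd $squid tcp from $lan to any 80 in recv $inside
    # Squid's outgoing fetches and their replies, on the outside interface.
    $ipfw_add 00090 allow ip from any to any via $outside
    # Non-web LAN traffic is simply routed.
    $ipfw_add 00100 allow ip from any to any via $inside
}

# squid_conf: the squid.conf lines that pair with the rules above.
# 'deny deny_site' must come before 'allow mired': http_access is first-match
# too, and a deny placed after a matching allow never fires.
# dstdomain is an assumption about what /usr/local/etc/squid/deny_site holds.
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:3128 transparent
tcp_outgoing_address 192.168.2.2
acl mired src $lan
acl deny_site dstdomain "/usr/local/etc/squid/deny_site"
http_access deny deny_site
http_access allow mired
http_access deny all
EOF
}

# fwd_rule_is_guarded RULE: succeed when a fwd rule carries one of the guards
# from the thread ('in recv <if>' or 'from not me'), so a ruleset can be
# checked for the loop pattern before it is loaded.
fwd_rule_is_guarded() {
    case "$1" in
        *fwd*" in recv "*|*fwd*" from not me "*) return 0 ;;
        *) return 1 ;;
    esac
}

ipfw_rules
squid_conf
```

Run it as `DRY_RUN=1 sh ipfw-squid.sh` first to review the rules. After loading, `ipfw -a list` should show the counters of rule 00080 rising only for client traffic, and cache.log should stay free of the "Forwarding loop detected" warning.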
cheoac
May 26th, 2009, 17:40
Thanks for all your information and your patience.
DutchDaemon
May 26th, 2009, 17:49
Does that mean it works?
cheoac
May 26th, 2009, 18:07
Yes, it works.
DutchDaemon
May 26th, 2009, 18:31
Good. Set to [solved].