pf transparent proxy squid nat

I have two boxes, one running an SSL site on apache behind pfsense. Nearly everyone can get to this site, except for clients at another location I have set up with NAT and with a transparent proxy using pf. Clients at this location can get to non-SSL sites on the same server fine, and to different (e.g. personal banks) SSL sites without a hitch.

My pf rules:

Code:
int_if="em0"
ext_if="fxp0"

set timeout { udp.first 300, udp.single 300, udp.multiple 900 }

# transparent proxy: redirect LAN HTTP (port 80 only) to squid on the gateway
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# NAT everything from the LAN out the external interface
nat on $ext_if from 192.168.0.0/16 to any -> $ext_if

# allow the redirected HTTP traffic in to squid
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# allow squid (and anything else) out to HTTP on the outside
pass out on $ext_if inet proto tcp from any to any port www keep state

tcpdump from pf NAT side:

Code:
gw-mn# tcpdump -i fxp0 port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
17:19:40.419640 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:19:43.350741 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:19:49.285246 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>

tcpdump from apache ssl side:

Code:
skynet1# tcpdump host XXX.XXX.XXX.XXX and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
17:06:02.292324 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:02.292335 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:05.218724 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:05.218731 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:08.218471 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:11.152355 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:11.152364 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:14.151635 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:20.151800 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>

The tcpdumps are from the same time period.

Does anyone have any insight?

Thanks
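The two captures above are easiest to read side by side when each handshake attempt is correlated across both vantage points. The script below is an added example, not part of the original post: it parses tcpdump text lines carrying a SYN or SYN-ACK, keys each attempt by the client's source port and initial sequence number (the SYN-ACK's ack number minus one), which survive NAT and hostname rewriting between the two boxes, and reports for each attempt whether the SYN reached the server, whether the server answered, and whether that answer was ever seen at the gateway. The capture text is taken from the post; the function and verdict names are mine.

```python
"""Correlate two tcpdump captures of the same TCP handshake attempts.

Added example: parses SYN / SYN-ACK lines from tcpdump text and keys each
attempt by (client port, client ISN) so the gateway-side and server-side
views of one connection line up even when NAT or DNS names differ.
"""
import re
from collections import defaultdict

# tcpdump's classic one-line TCP format, e.g.
#   17:19:40.419640 IP host.56375 > srv.example.https: S 1:1(0) win 65535 <...>
#   17:06:02.292335 IP srv.example.https > host.56375: S 9:9(0) ack 2 win 65535 <...>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s]+): S (?P<seq>\d+):\d+\(\d+\)"
    r"(?: ack (?P<ack>\d+))? win"
)

# Capture text copied from the post (gateway side, then server side).
GATEWAY_CAPTURE = """\
17:19:40.419640 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:19:43.350741 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:19:49.285246 IP my-hostname.56375 > server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

SERVER_CAPTURE = """\
17:06:02.292324 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:02.292335 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:05.218724 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:05.218731 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:08.218471 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:11.152355 IP my-hostname.56375 > skynet1.server-hostname.com.https: S 165656225:165656225(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:11.152364 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:14.151635 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
17:06:20.151800 IP skynet1.server-hostname.com.https > my-hostname.56375: S 3217053284:3217053284(0) ack 165656226 win 65535 <mss 1460,sackOK,eol>
"""


def parse_handshake_lines(text):
    """Return parsed SYN / SYN-ACK records; banner and non-SYN lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("ack") is None:
            # plain SYN: the source is the client and seq is its ISN
            records.append({"ts": m.group("ts"), "kind": "SYN",
                            "cport": m.group("sport"), "isn": int(m.group("seq"))})
        else:
            # SYN-ACK: the destination is the client; ack == client ISN + 1
            records.append({"ts": m.group("ts"), "kind": "SYNACK",
                            "cport": m.group("dport"), "isn": int(m.group("ack")) - 1})
    return records


def summarize(text):
    """Count SYNs and SYN-ACKs per handshake attempt, keyed (client port, ISN)."""
    counts = defaultdict(lambda: {"SYN": 0, "SYNACK": 0})
    for r in parse_handshake_lines(text):
        counts[(r["cport"], r["isn"])][r["kind"]] += 1
    return dict(counts)


def diagnose(gateway_text, server_text):
    """Compare the gateway (client-side) capture with the server-side capture.

    One verdict per attempt:
      syn_lost_before_server  gateway saw the SYN, the server never did
      server_silent           server saw the SYN but sent no SYN-ACK
      synack_lost_on_return   server sent SYN-ACKs, the gateway saw none
      handshake_ok            both segments seen on both sides
    """
    gw, sv = summarize(gateway_text), summarize(server_text)
    empty = {"SYN": 0, "SYNACK": 0}
    verdicts = {}
    for key in sorted(set(gw) | set(sv)):
        g, s = gw.get(key, empty), sv.get(key, empty)
        if s["SYN"] == 0:
            verdicts[key] = "syn_lost_before_server"
        elif s["SYNACK"] == 0:
            verdicts[key] = "server_silent"
        elif g["SYNACK"] == 0:
            verdicts[key] = "synack_lost_on_return"
        else:
            verdicts[key] = "handshake_ok"
    return verdicts


if __name__ == "__main__":
    for (cport, isn), verdict in diagnose(GATEWAY_CAPTURE, SERVER_CAPTURE).items():
        print(f"client port {cport} ISN {isn}: {verdict}")
```

Run against the two captures from the post, the single attempt (client port 56375, ISN 165656225) shows three SYNs at both vantage points and six SYN-ACKs leaving the server, none of which appear on fxp0, so the script classifies it as a SYN-ACK lost on the return path rather than a SYN that never arrived or a server that never answered. Feeding it a capture from a third vantage point (for instance the pfsense box in front of apache) narrows down where on that path the reply disappears.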