transparent Proxy no NAT

[pmaechler]

Hi FreeBSD Users

I picked up the task to show some users a splash screen if the are browsing in the internet.

My idea ist, to create a transparent proxy with a captive portal. If a user makes a http request, he gets redirected to a page, where he has to press a button (so we can store the ip address). After that, the user can use the internet "normaly". After a certain time, the message will be shown again and the user has to press the button again. Only http should be affected, all other traffic is allowed without "login"

Is this possible? I would say yes

So far i have a board from pc engines with 3 gig interfaces. one "in" (re2) one "out" (re0) and one for management purposes (re1).
re0 and re2 are bridged. With this oconfiguration everything is working and the users can use http and everything else

squid 4 is installed with pf support

Internet -- Router -- (re0) TProxy (re2) -- CMTS -- SOHO Routers with NAT -- Client

# rc.conf
hostname="box"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm re0 addm re2 up"
ifconfig_re0="up"
ifconfig_re2="up"

gateway_enable="YES"

sshd_enable="YES"

pf_enable="YES"
pflog_enable="YES"

squid_enable="YES"

dumpdev="AUTO"

# squid.conf
visible_hostname  box

http_port         80
http_port         3128 intercept
#http_port         3128 tproxy

# pf.conf
int_if="re2"
out_if="re0"

set skip on lo0

rdr pass on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128

pass log

My problem is, that the redirection is not working. As soon as I enable the rdr rule in pf.conf, I can't access http pages anymore, but dont see any traffic on the lo0 interface nor on any interface for port 3218

Since there is no NAT involved, do i need ip addresses on the in and out interfaces? I guess no, because the proxy should be transparent
If I need IP addresses on the proxy, is it ok to just have one on the out (re0) interface?

any help is appreciated

tia

 

[SirDice]

If a user makes a http request, he gets redirected to a page, where he has to press a button (so we can store the ip address). After that, the user can use the internet "normaly". After a certain time, the message will be shown again and the user has to press the button again. Only http should be affected, all other traffic is allowed without "login"

If a client connects to the proxy you already have the client's IP address, it's right there in the proxy's logs. There's no need to get it through a web page of sorts.

My idea ist, to create a transparent proxy with a captive portal.

Why does this have to be done "transparent"? There's no need for this either.

 

[pmaechler]

I did change the schema to clarify some pieces...

If a client connects to the proxy you already have the client's IP address, it's right there in the proxy's logs. There's no need to get it through a web page of sorts.

The idea behind this is, that i can save who saw the message/webpage. Behind the cmts we have multiple /24 networks and this solution is only for one maybe two /24. We will accomplish this with either PBR on the cmts or different vlans

Why does this have to be done "transparent"? There's no need for this either.

You're right, it can act as a router. Transparent would be nice because we wouldn't loose those sparse public ipv4 addresses. and furthermore between the CMTS and the router, there is only a /30 ipv4 network


I'm open for alternative ways to accomplish this

 

[SirDice]

The idea behind this is, that i can save who saw the message/webpage. Behind the cmts we have multiple /24 networks and this solution is only for one maybe two /24.

How about simply enabling authentication for those networks? Not only would that provide the IP address (which you already have because it's a proxy) you also get to know which user.

Note that a bridge(4) doesn't firewall unless you configure it to do so.

 Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled,	bridged	packets	will
     pass through the filter inbound on	the originating	interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behaviour can be controlled using
     sysctl(8):

See bridge(4).

 

[pmaechler]

How about simply enabling authentication for those networks? Not only would that provide the IP address (which you already have because it's a proxy) you also get to know which user.

Those users don't have a username and password. we could send them a letter with the credentials, but if those users would read the letters, I wouldn't have to setup such a system

net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil.member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

So packet filtering is enabled on the physical and the bridge interface. Therefor I would expect that I see those packets on any of those interfaces. Especially the ones which should be redirected.

 

[dany_001]

A transparent proxy is a server that sits between your computer and the Internet and redirects your requests and responses without modifying them.
Some sites do allow you to check if you are behind a proxy or not suck as How to Check for Transparent Proxy Interception - What Is My IP Address Location