Transparent Proxy + squid 3 + pf dont working

My /etc/resolv.conf is:
Code:
domain	store
nameserver	10.1.1.1
nameserver	192.168.1.1
nameserver	201.10.120.3
nameserver	201.10.1.2

And the tcpdump -i bge1 proto ICMP
show the same message:

Code:
192.168.1.1 > 192.168.1.2: ICMP 192.168.1.1 udp port domain unreachable, length 36

Sometimes proxy works and sometimes no.
It works for some time and then simply stops working.
 
Move these to the top of the list of nameservers

Code:
nameserver	201.10.120.3
nameserver	201.10.1.2

My guess is that there's no nameserver on 10.1.1.1 and 192.168.1.1, so DNS lookups time out or the browser times out. I don't know if the 201.x addresses do run nameservers.
 
And if even that fails, use:

Code:
# OpenDNS nameservers
nameserver 208.67.222.222
nameserver 208.67.220.220
# Google Public DNS nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4
 
Man, made no difference to any change in /etc/resolv.conf, the proxy starts working, but just stops for no reason.
I tried again without the ip 10.1.1.1 and 192.168.1.1. And it worked.
 
Still not working. May be the version of squid? Something in my "please?
My resolv.conf looks like this:

Code:
domain	store
#nameserver	201.10.120.3
#nameserver	201.10.1.2
#nameserver 	10.1.1.1
#nameserver	192.168.1.1
# OpenDNS nameservers
nameserver 208.67.222.222
nameserver 208.67.220.220
# Google public DNS nameservers
nameserver 	8.8.8.8
nameserver 	8.8.4.4
 
"Not working" and "the proxy stops" are not data I can work with. I'm out of suggestions.
 
Ok.. Sorry..
The tcpdump -i bge1 proto ICMP still show me the same message:
Code:
192.168.1.1 > 192.168.1.2: ICMP 192.168.1.1 udp port domain unreachable, length 36

I'm put your dns suggestions in /etc/resolv.conf and the error still there.

It's strange because the internet in my internal network work for a while, but stops after a little time.
The cache.log shows that the squid is still functioning well and the process is still there.
I restart the proxy and the internet back up and running for some time again.
 
What gives [cmd=]grep -iE "(dns|nameserver)" /usr/local/squid/logs/cache.log | tail -20[/cmd]?

Do DNS lookups from the command-line work (e.g. [cmd=]dig A http://www.google.com +short[/cmd])?
 
With new dns, i put in /etc/resolv.conf.
Now the message tcpdump -i bge1 is other:

Code:
15:50:28.100131 IP 192.168.1.2.39633 > 192.168.1.1.domain: 29461+ A? mail.google.com. (33)
15:50:28.100150 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.1.1 udp port domain unreachable, length 36

It seems the my internal network is almost navigating.

And i do not set dns_nameservers in squid.conf.
Should I?
 
1. answer the questions I asked
2. tell 192.168.1.2 not to use 192.168.1.1 as a nameserver, because 192.168.1.1 isn't a nameserver
 
Ok. Sorry again.

The return of grep command was:

Code:
2010/02/03 11:13:09| DNS Socket created at 0.0.0.0, port 60022, FD 7
2010/02/03 11:13:09| Adding nameserver 192.168.1.1 from squid.conf
2010/02/03 11:13:09| Adding nameserver 201.10.120.3 from squid.conf
2010/02/03 11:13:09| Adding nameserver 201.10.1.2 from squid.conf
2010/02/03 15:45:42| DNS Socket created at 0.0.0.0, port 61990, FD 7
2010/02/03 15:45:42| Adding nameserver 192.168.1.1 from squid.conf
2010/02/03 15:45:42| Adding nameserver 201.10.120.3 from squid.conf
2010/02/03 15:45:42| Adding nameserver 201.10.1.2 from squid.conf
2010/02/03 15:58:34| DNS Socket created at 0.0.0.0, port 56671, FD 7
2010/02/03 15:58:34| Warning: Could not find any nameservers. Trying to use localhost
2010/02/03 15:58:34| or use the 'dns_nameservers' option in squid.conf.
2010/02/03 16:49:59| DNS Socket created at 0.0.0.0, port 44080, FD 7
2010/02/03 16:49:59| Adding nameserver 208.67.217.231 from squid.conf
2010/02/03 16:49:59| Adding nameserver 208.67.217.231 from squid.conf
2010/02/03 17:00:36| DNS Socket created at 0.0.0.0, port 34975, FD 7
2010/02/03 17:00:36| Adding nameserver 208.67.222.222 from squid.conf
2010/02/03 17:00:36| Adding nameserver 208.67.220.220 from squid.conf
2010/02/03 17:07:50| DNS Socket created at 0.0.0.0, port 39851, FD 7
2010/02/03 17:07:50| Adding nameserver 208.67.222.222 from squid.conf
2010/02/03 17:07:50| Adding nameserver 208.67.220.220 from squid.conf

And dig command returned:

Code:
google.navigation.opendns.com.
208.67.217.230
208.67.217.231
 
Ok, so the proxy server itself has DNS resolving now. Do you use the same /etc/resolv.conf on 192.168.1.2 (if not: do so and try the same dig command there).
 
Man,
In 192.168.1.2 the dig command worked , but the internet don't.
The return of dig command was the same the return of dig command in the proxy and was fast.

Now in the proxy , the command tcpdump -i bge1 show me other messages. Take a look:

Code:
15:39:48.860688 IP 192.168.1.2.43879 > resolver1.opendns.com.domain: 48017+ A? contacts.msn.com. (34)
15:39:49.132782 IP resolver1.opendns.com.domain > 192.168.1.2.43879: 48017 2/0/0 CNAME[|domain]
15:39:49.134355 IP 192.168.1.2.59997 > resolver1.opendns.com.domain: 51996+ A? contacts.msn.com. (34)
15:39:49.402552 IP resolver1.opendns.com.domain > 192.168.1.2.59997: 51996 2/0/0 CNAME[|domain]
15:39:49.403500 IP 192.168.1.2.60819 > 207.46.113.73.http: Flags [S], seq 4237939559, win 5840, options [mss 1460,sackOK,TS val 933930 ecr 0,nop,wscale 6], length 0
15:39:49.403512 IP 207.46.113.73.http > 192.168.1.2.60819: Flags [R.], seq 0, ack 4237939560, win 0, length 0
15:39:49.403658 IP 192.168.1.2.60820 > 207.46.113.73.http: Flags [S], seq 4249256224, win 5840, options [mss 1460,sackOK,TS val 933930 ecr 0,nop,wscale 6], length 0
15:39:49.403665 IP 207.46.113.73.http > 192.168.1.2.60820: Flags [R.], seq 0, ack 4249256225, win 0, length 0
15:39:49.404457 IP 192.168.1.2.39211 > resolver1.opendns.com.domain: 36660+ A? contacts.msn.com. (34)
15:39:49.689655 IP resolver1.opendns.com.domain > 192.168.1.2.39211: 36660 2/0/0 CNAME[|domain]
15:39:49.691071 IP 192.168.1.2.44761 > resolver1.opendns.com.domain: 32540+ A? contacts.msn.com. (34)
15:39:49.957083 IP resolver1.opendns.com.domain > 192.168.1.2.44761: 32540 2/0/0 CNAME[|domain]
15:39:49.958031 IP 192.168.1.2.60821 > 207.46.113.73.http: Flags [S], seq 4247409843, win 5840, options [mss 1460,sackOK,TS val 934068 ecr 0,nop,wscale 6], length 0
15:39:49.958041 IP 207.46.113.73.http > 192.168.1.2.60821: Flags [R.], seq 0, ack 4247409844, win 0, length 0
15:39:49.958189 IP 192.168.1.2.60822 > 207.46.113.73.http: Flags [S], seq 4250546533, win 5840, options [mss 1460,sackOK,TS val 934068 ecr 0,nop,wscale 6], length 0
15:39:49.958195 IP 207.46.113.73.http > 192.168.1.2.60822: Flags [R.], seq 0, ack 4250546534, win 0, length 0
15:39:49.958987 IP 192.168.1.2.33218 > resolver1.opendns.com.domain: 46897+ A? contacts.msn.com. (34)
15:39:51.762404 IP by2msg4010808.phx.gbl.1863 > 192.168.1.2.51831: Flags [.], ack 403359621, win 64373, length 1
15:39:51.762728 IP 192.168.1.2.51831 > by2msg4010808.phx.gbl.1863: Flags [.], ack 1, win 334, options [nop,nop,TS val 934520 ecr 10332149,nop,nop,sack 1 {0:1}], length 0
 
So what's Squid's access log telling you? All I can see is that all http requests get a Reset (connection refused), and that's either down to the firewall or Squid. You shouldn't see this on the bge0 interface, because this traffic probably doesn't make it out to the Internet. DNS and MSN work fine, I see.

BTW, can you change your NAT rule to

Code:
nat on $EXTIF from $INTIF to any -> $EXTIF

just to test?
 
The access.log of squid is empty . It's clean, without changes since yesterday when he worked a little time.

I edit my pf.conf like you asked . Now the dig command on 192.168.2.1 don't works.

But is strange , 'cause when i try enter in anyone site , it seems gonna work.
The log of tcpdump -i is not so bad :

Code:
16:16:38.647079 IP 192.168.1.2.37280 > google.navigation.opendns.com.domain: 37169+ A? www.google.com. (32)
16:16:39.966877 IP 192.168.1.2.53761 > google.navigation.opendns.com.domain: 34076+ A? fs-1.one.ubuntu.com. (37)
16:16:43.652325 IP 192.168.1.2.37280 > google.navigation.opendns.com.domain: 37169+ A? www.google.com. (32)
16:16:44.971967 IP 192.168.1.2.44724 > google.navigation.opendns.com.domain: 20937+ A? fs-1.one.ubuntu.com. (37)
16:16:48.657570 IP 192.168.1.2.55113 > google.navigation.opendns.com.domain: 6410+ A? www.google.com. (32)
16:16:49.976900 IP 192.168.1.2.44724 > google.navigation.opendns.com.domain: 20937+ A? fs-1.one.ubuntu.com. (37)
16:16:53.655015 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 46
16:16:53.655019 ARP, Reply 192.168.1.1 is-at 00:10:18:55:1a:e5 (oui Unknown), length 28
16:16:53.662674 IP 192.168.1.2.55113 > google.navigation.opendns.com.domain: 6410+ A? www.google.com. (32)
 
Is the proxy still running and listening on localhost? Does [cmd=]$ sockstat -l4p 3128[/cmd] show this?

Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      41458 15 tcp4   127.0.0.1:3128        *:*

If that is the case, try this on the proxy server:

[cmd=]$ squidclient -h 127.0.0.1 -p 3128 http://www.freebsd.org/[/cmd].

That should give you a web page (a screen full of html code, that is). Something like this:

Code:
$ squidclient -h 127.0.0.1 -p 3128 http://www.freebsd.org/
HTTP/1.0 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "1705913565"
Last-Modified: Tue, 02 Feb 2010 13:45:19 GMT
Content-Length: 20987
Date: Thu, 04 Feb 2010 14:03:18 GMT
Server: httpd/1.4.x LaHonda
Age: 31087
X-Cache: HIT from <your_server>
Via: 1.0 <your_server> (squid/version)
Proxy-Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
(etc.)
.

If that works, first try accessing the Internet (http) from your LAN. In /etc/pf.conf set:

Code:
set skip on lo0
set skip on $INTIF
set skip on $EXTIF

That should give you full access to the Internet with a browser. If all of the above works, start experimenting with that redirection rule, because that could be the remaining reason why this doesn't work now (don't forget to remove the skip lines on your internal/external interfaces again).

If something else mentioned above doesn't work, fix that first.
 
Man, good news.
The proxy is working.
The sockstat command worked perfectly and squidclient command returned the html normally.

I changed my pf.conf and worked.
Now I'm adapting rules in my pf.conf.
I gonna make more tests.
Just one more thing:

Do you have some blacklist for squid?

Thank so much , man.
See ya!
 
Back
Top