Tuesday, August 8, 2017

Implementing a Transparent Proxy with PFSense Firewall + Cisco Route-Maps.

Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communications at the network layer without requiring any special client configuration. (Wiki)

There are several ways to implement a transparent proxy, and Squid is one of the most popular software packages for it. The easiest way is to set the proxy up as the default gateway. Nevertheless, that is not possible in every scenario. For this reason, the Web Cache Communication Protocol (WCCP) was developed by Cisco Systems and adopted by other vendors. WCCP is one of the best choices for a transparent proxy; however, it increases the setup complexity on the server side. Therefore, to simplify the implementation, I decided to do it in a different manner, using Route-Maps.

Let’s check the following configuration in order to accomplish this job.

Lab resources:
GNS3 (2.0.3) and VMWare WorkStation (12.5.7) as the framework.
Router image. (vios-adventerprisek9-m)
MLS Switch image. (vios_l2-adventerprisek9-m)
PFSense (community 2.3.4)
PC client. (Linux box 3.16.6-tinycore)

The focus of this configuration is the interaction between PFSense and the MLS Switch.

PFSense was started from a fresh installation. Only one NIC was added, so the VLAN sub-interfaces had to be configured. VLAN10 has the subnet 172.16.0.0/27, while VLAN20 has the subnet 172.16.1.0/31. The default route was placed on VLAN20, so packets coming from VLAN10 are forwarded through VLAN20. In addition, NAT was completely disabled. Then the Squid and iftop packages were installed. Once Squid was installed and started, some basic changes were necessary to enable the transparent proxy feature.

The next step was configuring the MLS Switch (or router). IP Policy was enabled on SVI 10, so that packets that match the IP policy are forwarded to PFSense, while all other packets continue along the path established by the routing table. The router and MLS configurations below give a better view of what has been described so far.
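
One way to express the policy described above on the MLS, as an added example and not the author's own configuration. The SVI and PFSense addresses inside 172.16.0.0/27, the redirected ports (80 and 443) and the ACL and route-map names are assumptions.

```cisco
! Added example. Assumed values (not from the post):
!   SVI 10 address             172.16.0.1
!   PFSense VLAN10 address     172.16.0.2
!   redirected ports           TCP 80 and 443
!   names                      PROXY-REDIRECT, PROXY-PBR
!
! Extended ACL: a "permit" selects traffic for policy routing,
! a "deny" leaves it to the normal routing table.
ip access-list extended PROXY-REDIRECT
 ! Troubleshooting entry from the post: place an ICMP statement at the
 ! top so a traceroute from the client shows the path through PFSense.
 ! 5 permit icmp 172.16.0.0 0.0.0.31 any
 !
 ! Precaution: never policy-route traffic sourced by the proxy itself.
 10 deny   ip host 172.16.0.2 any
 20 permit tcp 172.16.0.0 0.0.0.31 any eq 80
 30 permit tcp 172.16.0.0 0.0.0.31 any eq 443
!
! Route-map: matching packets get PFSense as next hop. Packets that
! match no route-map entry are forwarded by the routing table as usual.
route-map PROXY-PBR permit 10
 match ip address PROXY-REDIRECT
 set ip next-hop 172.16.0.2
!
! Apply the policy to traffic arriving from the clients on SVI 10.
interface Vlan10
 ip address 172.16.0.1 255.255.255.224
 ip policy route-map PROXY-PBR
!
! Verification from exec mode:
!   show ip policy                      (interface-to-route-map binding)
!   show route-map PROXY-PBR            (match/set clauses, policy-routing counters)
!   show ip access-lists PROXY-REDIRECT (per-entry hit counts)
```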

Results:
As the screenshots show, once the IP Policy is up, every packet addressed to an L4 port defined in the extended ACL is forwarded to the PFSense box to be allowed or denied, according to the Squid policy already defined. For example, the first screenshot shows that the browser got access to Google. Note that the certificate is not the valid Google certificate; instead it is a self-signed certificate, but the access was permitted. The next screenshot shows that even though Facebook is carried over SSL, the access was denied.

Then, the boxes show the current status of the IP Policy and each one of its elements.

Troubleshooting:
Adding a new statement that includes the ICMP protocol at the top of the Route-Map ACL and launching a traceroute from the client host gives a step-by-step view of how the packets are being carried. Also, iftop can be launched on the PFSense box to display the incoming and outgoing packets on each VLAN subinterface.

Conclusion:
As we can see, this is an option when a transparent proxy needs to be run. It does not need any configuration on the client side. Also, if the transparent proxy stops, the clients still reach their destination, and, most importantly, HTTP/HTTPS policies can be applied.