OPNsense – Transparent Caching Filtering Proxy with Virus Scanning – Step 6 Transparent Proxy

This is a pretty long guide, even before I added images, so it is broken into sections. I hope it is easy to follow; if you find any errors, please contact us!

Step 6 – If the Standard Proxy, Filtering, and Antivirus scanning are working, it’s time to make a Transparent Proxy

Note, do NOT proceed with this step if the Standard Proxy is not working. This guide may help too.

  1. In OPNsense, go to Services->Web Proxy->Administration, click the down arrow on Forward Proxy, and click General Forward Settings.
  2. Check Enable Transparent HTTP proxy.
  3. Click Apply.
  4. Go to Firewall->NAT->Port Forward.
  5. Click the + to create a new NAT rule. Interface: the interface whose subnet will be proxied. Protocol: TCP. Source: Interface net. Dst Port: 80. Dst: Any. Redirect IP: 127.0.0.1. Redirect Port: 3128. Description: Redirect HTTP to Proxy. Filter Rule Association: None.
    Note: I say Interface net for source because I assume you want to filter the entire subnet for the interface the proxy is on. You can of course change this, but if you do, don’t forget to also change the Allowed subnets in the Proxy settings.
  6. Save and apply the NAT rule.
  7. Go to Firewall->Rules->the Interface tab for the Subnet being proxied.
  8. Add a new rule with Source: the subnet to be proxied, Dst IP: 127.0.0.1, Dst Port: 3128, and enable logging. Description: NAT Proxy Allow HTTP. Place this rule above the firewall rule you created earlier for the Standard Proxy.
    Note: You may ask why we manually created this rule when NAT can auto-create it. It’s because NAT auto-created rules have no option to enable logging, which can greatly help you if you have issues. Also note, the image example is for both ports 3128 and 3129, as I went ahead and set up the Firewall Rule for both HTTP and HTTPS. You can do this if you like.
  9. Apply firewall settings.
  10. Test with a PC in the proxied subnet. Make sure IE is set to use no proxy settings, then check whether it can reach non-HTTPS sites. Do NOT try HTTPS sites. HTTP sites would be cnn.com or pbs.org; sites like Google and Yahoo redirect to HTTPS. Also check the logs at Web Proxy -> Log File -> Access to verify you see hits for these sites.
  11. NOTE: I had an issue with Transparent proxy. It was due to the placement of the NAT Firewall Rule. I also disabled the Anti-lockout rule as it seemed to interfere.
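
A log check for step 10, as an added example that is not part of the original guide: it scans access log text for the HTTP test sites and reports, per site, whether clients in the proxied subnet produced hits. It assumes Squid's native access.log format; the subnets, addresses and log lines are constructed sample values, and `check_transparent_hits` is a hypothetical helper name.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (assumption:
# confirm which log format your proxy is actually configured to write).
SAMPLE_LOG = """\
1700000001.123    152 192.168.10.25 TCP_MISS/200 48211 GET http://cnn.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000004.456     87 192.168.10.25 TCP_MISS/301 512 GET http://www.pbs.org/ - HIER_DIRECT/203.0.113.20 text/html
1700000009.789      0 192.168.20.7 TCP_DENIED/403 3920 GET http://cnn.com/ - HIER_NONE/- text/html
1700000012.001    301 192.168.10.31 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/203.0.113.30 -
"""


def check_transparent_hits(log_text, subnet, test_hosts):
    """Return {host: 'ok' | 'denied' | 'missing'} for clients inside subnet."""
    net = ipaddress.ip_network(subnet)
    status = {h.lower(): "missing" for h in test_hosts}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        try:
            if ipaddress.ip_address(client) not in net:
                continue  # request came from outside the proxied subnet
        except ValueError:
            continue  # client field is not an IP address
        if method == "CONNECT":
            continue  # HTTPS tunnel entry; step 10 tests plain HTTP only
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in status:
            continue
        if result.startswith("TCP_DENIED"):
            if status[host] == "missing":
                status[host] = "denied"  # proxy saw the request but refused it
        else:
            status[host] = "ok"
    return status


if __name__ == "__main__":
    print(check_transparent_hits(SAMPLE_LOG, "192.168.10.0/24", ["cnn.com", "pbs.org"]))
```

A result of `missing` means no request from that subnet reached the proxy, so look at the NAT rule and the logged firewall rule from step 8. A result of `denied` means the proxy received the request and refused it, which points at the proxy's own access settings such as Allowed subnets.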

 

This Completes Step 6
