VMware Cloud Community
Experience
Contributor

ESXi 5 with pfSense transparent proxy

In my environment we have the following:

1) ESXi using 1 NIC

2) 2 VMs ERP and Proxy


The office needs to block some web pages; is it possible using this environment?


I made the configuration of pfSense; it worked when manually configuring Internet Explorer and Chrome, but as a transparent proxy it does not work. What might be happening?

9 Replies
cykVM
Expert

Check your network configuration: a transparent proxy needs to be a kind of man-in-the-middle, routing all traffic from the internal LAN to the gateway and vice versa through itself.

Especially take a look at your router/firewall config for port 80 (HTTP) traffic. Some basic information is found here: CONFIGURE & INSTALL: Transparent Proxy with Squid 3.3.2 on Ubuntu 12.10 + Shorewall + Mikrot...

JarryG
Expert

It is possible, but you must be careful with the configuration. As cykVM wrote, pfSense must be effectively "in the middle" between your VMs and the WAN.

So for example, create two vSwitches: vSwitch1 for all VMs including the one with pfSense (but no physical NIC attached), and vSwitch2 for just pfSense-VM with physical NIC attached to it (and probably ESXi-management, because as you wrote, you have only one NIC). So your pfSense-VM will have two virtual NICs: one attached to vSwitch1 (common with all other VMs), and one attached to vSwitch2 (and physical NIC).

Then you have to do two more things: configure all your VMs to use pfSense as the default route (use the IP of its vNIC attached to vSwitch1) and configure the pfSense VM as router/firewall/proxy/webfilter. If you want to run it in transparent mode (www), it has to listen on port 80. Then no other configuration on the VMs is necessary...

_____________________________________________ If you found my answer useful please do *not* mark it as "correct" or "helpful". It is hard to pretend being noob with all those points! 😉
cykVM
Expert

If physical PCs are also involved it might not work without a 2nd physical NIC on your ESXi.

vmwareIsAwesome
Contributor

Well you could use a regular proxy, force all clients to use that proxy, and block the sites on the proxy.

If you want a transparent proxy, as others have said, the proxy needs to be a man in the middle, between the clients and the web page (usually WAN). Essentially, pfSense will make a rule in packet filter, sending all traffic received on a port (or from certain IPs) with dst. port 80 to localhost, where the proxy will listen for the web request (you can block the request here, sending back a response to the client saying this site is not permitted, or just block it silently). The proxy will request the requested page (usually through another interface); when a response is received, you can check the page for restricted content (images, strings of text, code or something else), and if it's permitted, it's sent to the client.

For this functionality you have to make sure the clients will send their requests to or through pfSense. Most likely you have to add another NIC (or do it with VLANs) and make pfSense the clients' gateway. Alternatively I guess you could do it with 1 NIC: make a rule in your current client gateway router, sending all traffic with dst port 80 from the clients (and only the clients) to pfSense; pfSense will then send the request for the page back through the receiving interface (to its gateway, most likely the same router), and out to the web server.

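Added example, not from this thread or from pfSense itself: a small Python model of the two-vSwitch layout JarryG describes and the port-80 redirect described in the post above. For each constructed client it reports whether HTTP traffic is intercepted by the pf redirect, is only routed, or bypasses pfSense altogether (the situation with physical PCs on the single-NIC setup), and it emits the pf rdr line the transparent mode relies on. Host names, addresses, the LAN interface name em1 and proxy port 3128 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing: pfSense's LAN-side vNIC sits on vSwitch1.
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")
LAN_SEGMENT = ipaddress.ip_network("192.168.1.0/24")
PROXY_PORT = 3128  # assumed proxy listening port on pfSense


@dataclass
class Client:
    name: str
    ip: str
    gateway: str
    attached_to: str  # "vSwitch1" (behind pfSense) or "physical" (switch on the single NIC)


def pf_redirect_rule(lan_if: str = "em1", port: int = 80, proxy_port: int = PROXY_PORT) -> str:
    """pf 'rdr' line that sends LAN-side traffic to the proxy on localhost (interface name assumed)."""
    return (f"rdr pass on {lan_if} inet proto tcp from {LAN_SEGMENT} "
            f"to any port {port} -> 127.0.0.1 port {proxy_port}")


def traffic_path(client: Client, dst_port: int) -> str:
    """Trace whether client traffic to dst_port reaches the transparent proxy."""
    if client.attached_to != "vSwitch1":
        return "bypass: host is not behind pfSense's LAN vNIC"
    if ipaddress.ip_address(client.gateway) != PFSENSE_LAN_IP:
        return "bypass: default route does not point at pfSense"
    if ipaddress.ip_address(client.ip) not in LAN_SEGMENT:
        return "forwarded: routed through pfSense but outside the rdr source range"
    if dst_port != 80:
        return f"forwarded: port {dst_port} is routed but not proxied (rdr matches port 80 only)"
    return "intercepted: rdr hands the connection to the proxy on 127.0.0.1"


# Constructed inventory mirroring the thread: one VM behind pfSense, one physical PC.
CLIENTS = [
    Client("ERP-VM", "192.168.1.10", "192.168.1.1", "vSwitch1"),
    Client("PC-01", "192.168.1.50", "192.168.1.254", "physical"),
]


def audit(clients=CLIENTS, ports=(80, 443)) -> dict:
    """Map (client name, port) to the verdict from traffic_path."""
    return {(c.name, p): traffic_path(c, p) for c in clients for p in ports}


if __name__ == "__main__":
    print(pf_redirect_rule())
    for key, verdict in audit().items():
        print(key, verdict)
```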
Experience
Contributor

And why does it work if I configure the browsers manually?

JarryG
Expert

Because in that case it is not a TRANSPARENT proxy.

_____________________________________________ If you found my answer useful please do *not* mark it as "correct" or "helpful". It is hard to pretend being noob with all those points! 😉
Experience
Contributor

Got it. I will try to set it up as explained.

Experience
Contributor

JarryG,

See if this is correct? If not, could you tell me step by step?

Even when configured, the transparent proxy did not work.

[screenshot attached: Capture.JPG]

cykVM
Expert

As said above, if physical PCs connected to your physical switch are involved, the easiest way would be to add a 2nd physical NIC to your ESXi.

And seriously, a step-by-step guide covering all possible configurations would be a LONG piece of writing.

As we see in your screenshot there are just 2 VMs running on ESXi, so the rest of the devices are physical ones which right now bypass the proxy completely.

Basically you have to implement something like this:

--------   ---------------    -----
|Router|---|transp. Proxy|--- |LAN|
--------   ---------------    -----


I would not test this on a production system, because if you (accidentally) cut off the ERP system, for example, you will have other trouble than caring about website blocking.


So put up a lab system and test configurations there, and as soon as it's working in the lab you can put it into production. Testing this on production might lock users out of either the internet or the ERP system if it's not configured correctly.


And maybe another suggestion: if you are running Windows clients on a domain you may also use GPOs to push out the (for now non-transparent) proxy settings until you have the transparent proxy up and running.


Some further reading which might be of use: Quick HOWTO : Ch32 : Controlling Web Access with Squid - Linux Home Networking  and http://www.linuxquestions.org/questions/linux-server-73/setup-transparent-proxy-701710/