I have a core 142 up&running but I have a problem with the blue interface.
Devices do get an IP address and I do add them to the blue access list (devices on blue); still the devices cannot get to the internet.
I check the log and the problem is the iptables rule for the TCP port: all the packets are dropped because the destination port is not 800 (transparent proxy).
I do have transparent proxy up&running (working perfectly on green) and I do have it enabled for Blue.
Also the blue subnet is listed into the “allowed subnet” section of the WebProxy config.
yet … it seems that transparent proxy is NOT working on the blue interface.
From the BLUE subnet I can ping the web (ping 22.214.171.124, which is UDP on port 53) but I cannot open an HTTP page.
any hint to debug this issue? how come transparent proxy seems down on blue when I have the flag for it in the webproxy config??
Please copy an extract here.
ICMP (echo request) has nothing to do with UDP or Port 53.
right, if you do “ping www.yoursite.com” there will be a dns query (I did log it…)
that one works …
thanks for your reply
I was thinking about a firewall log extract :).
ok … sorry to ask: what log exactly? Clearly all the incoming TCP traffic is blocked because it is not going to port 800 (but I do have transparent proxy enabled for blue…)
protocols/firewall protocols -> you will find entries for blue0 with the client IP and port number, so figure out what packets are dropped.
ah: these packets are not logged in the fw logs “as is”. I don’t see the dropped packets on port 800. But I knew there was an HTTP request (I have only one device on blue, correctly listed with its DHCP address) and so I started to monitor the iptables stats.
if I open a browser on my device (in blue) and hit “www.google.com” you will see that counter going up immediately … Once you close the browser … drop counter stops (as expected)
clearly the transparent proxy is part of the problem … HTTP traffic is not redirected on 800
to be more specific: I started to notice the problem because
- I attached one device in BLUE, only one, correctly enabled
- I couldn’t browse the web (but I could get a DNS lookup correctly)
- did not have any “drop/blue0” in the fw log
hence the search on iptables…
Can ipfire itself resolve domain names and connect to websites in the internet?
I think so … I’ve been using this box for years (upgrading version each time). There is no specific firewall rule (quite a default install…). I can browse the web from green with no problems (in transparent mode).
any specific test/command I should do to better answer your question?
Terry, final confirmation:
I did log in on the box as root and added a custom rule to iptables:
iptables -I WIRELESSINPUT 1 -i blue0 -j ACCEPT
iptables -I WIRELESSFORWARD 1 -i blue0 -j ACCEPT
now browsing from wifi/blue is superfast!!
so … imho this is a smoking gun that transparent proxy on blue is broken.
I have all the checkmarks set for it … I have the blue subnet added into the config … service is up&running … works on green … does not work on blue. somehow packets are not redirected to port 800
so I tried to browse one of the “filtered” websites (meaning part of my blacklist) with these rules and indeed I got the blocked page. This means “URL Filter” works … which also means that Transparent Proxy is working on blue0.
so … looking at the iptables rule like this:
DROP tcp -- anywhere anywhere tcp dpt:!mdbs_daemon /* DROP_Wirelessinput */
mdbs_daemon port is “800” but transparent proxy port is 3128. Does it mean that we need to add another rule in iptables for the WIRELESSINPUT/WIRELESSFORWARD chains for this port?
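The mismatch suspected in the last post (HTTP redirected to one port while the WIRELESSINPUT DROP rule exempts another) can be checked mechanically. The script below is an added example, not code from the thread or from IPFire: it parses `iptables -nvL`-style chain dumps (use -n so ports print as numbers rather than names like mdbs_daemon) and compares the REDIRECT target port for a given interface with the port the `dpt:!N` DROP rule lets through. The chain dumps embedded here are constructed samples, and the chain names and column layout are assumed to match what the poster's box prints.

```shell
#!/bin/sh
# Constructed sample dumps (not captured from a real IPFire box).
NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 800
   17  1020 REDIRECT   tcp  --  blue0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

WIRELESSINPUT='Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:!800 /* DROP_Wirelessinput */'

# Port that REDIRECT rules on interface $2 send traffic to ("redir ports N").
# Columns of iptables -nvL: pkts bytes target prot opt in out source destination ...
redirect_port() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $3 == "REDIRECT" && $6 == ifc {
            for (i = 1; i <= NF; i++) if ($i == "redir") { print $(i + 2); exit }
        }'
}

# Port exempted by a "dpt:!N" DROP rule (everything except N is dropped).
exempt_port() {
    printf '%s\n' "$1" | awk '
        $3 == "DROP" {
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:!/) { sub(/^dpt:!/, "", $i); print $i; exit }
        }'
}

# Prints OK, MISMATCH or NOREDIRECT for interface $1, given the nat ($2)
# and filter ($3) chain dumps.
check_iface() {
    r=$(redirect_port "$2" "$1")
    e=$(exempt_port "$3")
    if [ -z "$r" ]; then
        echo "NOREDIRECT"          # no transparent-proxy REDIRECT for this interface
    elif [ "$r" = "$e" ]; then
        echo "OK"                  # redirected traffic lands on the exempted port
    else
        echo "MISMATCH redirect=$r exempt=$e"
    fi
}

# On the firewall itself (as root) the live dumps would be passed in as:
#   check_iface blue0 "$(iptables -t nat -nvL PREROUTING)" "$(iptables -nvL WIRELESSINPUT)"
check_iface green0 "$NAT_PREROUTING" "$WIRELESSINPUT"
check_iface blue0 "$NAT_PREROUTING" "$WIRELESSINPUT"
```

With the constructed dumps, green0 reports OK and blue0 reports MISMATCH redirect=3128 exempt=800, which is the situation the thread describes; a NOREDIRECT result would instead point at the REDIRECT rule never being installed for blue0.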