Blue access no internet: transparent proxy not working


I have Core 142 up and running, but I have a problem with the blue interface.

Devices do get an IP address and I do add them to the blue access list (devices on blue), but still the devices cannot get to the internet.

I checked the log and the problem is the iptables rule for the TCP port: all the packets are dropped because the destination port is not 800 (transparent proxy).

I do have the transparent proxy up and running (working perfectly on green) and I do have it enabled for Blue.
Also the blue subnet is listed in the “allowed subnet” section of the WebProxy config.

Yet… it seems that the transparent proxy is NOT working on the blue interface.

From the BLUE subnet I can ping the web (ping, which is UDP on port 53) but I cannot open an HTTP page.

Any hint to debug this issue? How come the transparent proxy seems down on blue when I have the flag for it in the web proxy config??


Please copy an extract here.

ICMP (echo request) has nothing to do with UDP or Port 53.

Right, if you do “ping” there will be a DNS query (I did log it…).
That one works…

thanks for your reply

I was thinking about a firewall log extract :).

OK… sorry to ask: what log exactly? Clearly all the incoming TCP traffic is blocked because it is not going to port 800 (but I do have the transparent proxy enabled for blue…).

Protocols/Firewall protocols -> you will find entries for blue0 with the client IP and port number, so figure out which packets are dropped.

Ah: these packets are not logged in the fw logs “as is”. I don’t see the dropped packets on port 800. But I knew there was an HTTP request (I have only one device on blue, correctly listed with its DHCP address), and so I started to monitor the iptables stats.

If I open a browser on my device (in blue) and hit “”, you will see that counter going up immediately… Once you close the browser… the drop counter stops (as expected).

Clearly the transparent proxy is part of the problem… HTTP traffic is not redirected to 800.

To be more specific: I started to notice the problem because

  1. I attached one device in BLUE, only one, correctly enabled
  2. I couldn’t browse the web (but I could get a DNS lookup correctly)
  3. I did not have any “drop/blue0” in the fw log

hence the search on iptables…

Can ipfire itself resolve domain names and connect to websites in the internet?

I think so … I’ve been using this box for years (upgrading version each time). There is no specific firewall rule (quite a default install…). I can browse the web from green with no problems (in transparent mode).

Any specific test/command I should run to better answer your question?

Terry, final confirmation:

I did log in on the box as root and added a custom rule to iptables:

iptables -I WIRELESSINPUT 1 -i blue0 -j ACCEPT
iptables -I WIRELESSFORWARD 1 -i blue0 -j ACCEPT

Now browsing from wifi/blue is superfast!!

So… imho this is a smoking gun that the transparent proxy on blue is broken.
I have all the checkmarks set for it… I have the blue subnet added to the config… the service is up and running… it works on green… it does not work on blue. Somehow packets are not redirected to port 800.

So I tried to browse one of the “filtered” websites (meaning part of my blacklist) with these rules and indeed I got the blocked page. This means “URL Filter” works… which also means that the Transparent Proxy is working on blue0.

So… looking at the iptables rule like this:
DROP tcp -- anywhere anywhere tcp dpt:!mdbs_daemon /* DROP_Wirelessinput */

The mdbs_daemon port is “800” but the transparent proxy port is 3128; does it mean that we need to add another rule in iptables to the WIRELESSINPUT/WIRELESSFORWARD chains for this port??
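One way to settle the question above mechanically, as an added example that is not part of the thread and not IPFire's own code: the script below reads an `iptables-save` dump and reports, for one interface, whether incoming TCP/80 is REDIRECTed to a transparent-proxy port in the nat table, and whether the filter table's "DROP tcp unless --dport X" rule names that same port. Either a missing REDIRECT or a port mismatch produces exactly the symptom described in the thread (the DROP counter climbs while no HTTP reaches the proxy). The chain names, the `-i blue0` match on the DROP rule and the three dumps are constructed for illustration, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire. Reads an iptables-save dump
# on stdin and checks, for one interface, that (1) the nat table REDIRECTs
# incoming TCP/80 to a transparent-proxy port and (2) the filter table's
# "DROP tcp unless --dport X" rule spares that same port.
# Usage on a live box: iptables-save | check_redirect blue0
check_redirect() {
    awk -v ifc="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header line: *nat, *filter, ...
        # nat: REDIRECT of HTTP arriving on the interface; remember the target port
        table == "nat" && index($0, "-i " ifc " ") && /-p tcp/ && / --dport 80 / && /-j REDIRECT/ {
            if (match($0, /--to-ports [0-9]+/)) redir = substr($0, RSTART + 11, RLENGTH - 11)
        }
        # filter: DROP of TCP on the interface unless destined to a single port.
        # Assumes the interface match sits on the rule itself (constructed layout).
        table == "filter" && index($0, "-i " ifc " ") && /-p tcp/ && /-j DROP/ {
            if (match($0, /! --dport [0-9]+/)) dropx = substr($0, RSTART + 10, RLENGTH - 10)
        }
        END {
            if (redir == "")                        verdict = "NO_REDIRECT_RULE"
            else if (dropx != "" && dropx != redir) verdict = "PORT_MISMATCH"
            else                                    verdict = "OK"
            printf "redirect=%s drop_except=%s verdict=%s\n", (redir == "" ? "none" : redir), (dropx == "" ? "none" : dropx), verdict
        }'
}

# Constructed iptables-save excerpt (not from a real box): blue0 HTTP is
# redirected to 800 and the filter rule drops blue0 TCP not aimed at 800.
DUMP_OK='*nat
:PREROUTING ACCEPT [0:0]
:SQUID - [0:0]
-A PREROUTING -j SQUID
-A SQUID -i green0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 800
-A SQUID -i blue0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 800
COMMIT
*filter
:WIRELESSINPUT - [0:0]
-A WIRELESSINPUT -i blue0 -p tcp -m tcp ! --dport 800 -m comment --comment DROP_Wirelessinput -j DROP
COMMIT'

# Same filter rule, but no REDIRECT for blue0: every HTTP packet from blue hits the DROP.
DUMP_NO_REDIRECT=$(printf '%s\n' "$DUMP_OK" | grep -v 'blue0 -p tcp -m tcp --dport 80')

# REDIRECT present but aimed at 3128 while the DROP rule only spares 800.
DUMP_MISMATCH=$(printf '%s\n' "$DUMP_OK" | sed 's/blue0 \(.*\)--to-ports 800/blue0 \1--to-ports 3128/')

# Run one dump through the checker for blue0; returns the one-line summary.
check_case() { printf '%s\n' "$1" | check_redirect blue0; }

check_case "$DUMP_OK"            # redirect=800 drop_except=800 verdict=OK
check_case "$DUMP_NO_REDIRECT"   # redirect=none drop_except=800 verdict=NO_REDIRECT_RULE
check_case "$DUMP_MISMATCH"      # redirect=3128 drop_except=800 verdict=PORT_MISMATCH
```

On a real box, pipe `iptables-save` into `check_redirect blue0` instead of the constructed dumps. To confirm the counter observation from the thread, `iptables -t nat -L -v -n` shows packet counters on the REDIRECT rules as well, so you can see directly whether HTTP from blue is hitting the redirect or only the DROP.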