Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mcwz
New Contributor

[Solved] Redirecting all http/https traffic to Squid proxy

Hi everybody, I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ. Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080 Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080 After some investigation I found a solution: Current setup: Interface: WAN2 (Wifi) Subnet: 172.16.100.0/24 Default Gateway: 172.16.100.254 Client DHCP Range: 172.16.100.1-172.16.100.10 Interface: DMZ Subnet: 192.168.100.0/24 Default Gateway: 192.168.100.254 Squid Proxy: 192.168.100.1 Squid listens on 3 ports: Port 3126 - transparently processes and intercepts HTTP traffic Port 3127 - transparently processes and intercepts HTTPS traffic Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy. First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing. Note: unfortunately Fortigate is not able to do outbound port translation so I do that later on Squid. Protocol: 6 (tcp) Incoming interface: <Wifi LAN> Source address/mask: <Wifi DHCP subnet> Destination address: mask: 0.0.0.0/0.0.0.0 Source Ports: 1 - 65535 Destinatin Ports: 80 - 80 Outgoing interface: <interface where Squid proxy is connected> Gateway address: <Squid proxy IP address> (same again for port 443) Now Squid sees all http/https traffic but on the wrong ports. Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports: iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127 Have fun :)
12 REPLIES 12
billp
Contributor

Have you seen the KB article on squid proxies? I' ve linked to it below. I believe you need to set up WCCP. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30096

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

emnoc
Esteemed Contributor III

Agreed, WCCP is what you need for transparent proxy

PCNSE 

NSE 

StrongSwan  

mcwz
New Contributor

Hi Bill Thanks for the answer. Yes I know this KB article but I' m not sure if WCCP will do the job. My Squid proxy doesn' t do any caching (I disabled it). Squid just does some content filtering and mainly blocks/removes advertisement, trackers, etc. Additionally I don' t know if WCCP work with https - I configured Squid to act as MITM.
emnoc
Esteemed Contributor III

Reading this I have to say; If your not doing any caching, than why do you need squid? The fortigate and fortiguard webfilter and categorization is probably 1000x times better than what you can get via squid & accomplish ALL of the things your asking for. This would also eliminated the overhead of WCCP ( encapsulating a second header is sometimes a cpu intense act ) And eliminate management and ownership of yet another device. Just some things to think about

PCNSE 

NSE 

StrongSwan  

mcwz
New Contributor

Hi emnoc, we habe a FGT-60C in our branch office and this box just does a S2S tunnel to our Checkpoint cluster in the main office. That means everything except normal web surfing (from the guest wifi) goes through the tunnel. The FGT-60C UTM subscriptions are already expired and we don' t renew it as we don' t need it. As I said we have a Squid server with additional content filtering. Although we can work with URL categorization we don' t need it. What Squid does is almost the same you can do with Firefox browser plugins like Adblock Plus + Ghostery. Squid uses the same lists (Easylist) and removes all advertising and trackers and it removes and manipulates some headers (e.g. browser user agent, etc.). I don' t know if Fortinet webfilter/Fortiguard is able to do that. Anyway, the Fortigates UTM features are nice toys but not what we need. Comeing back to my original question: Redirecting http/https traffic to Squid is of course what we need but take it as an example for the general problem behind: Let assume we don' t talk about http and squid but some different protocol. Let say we want to redirect certain traffic from an IP range or subnet to a specific IP address and a specific port. e.g. traffic from 172.16.100.1-172.16.100.10 tcp/1234 should go to 192.168.100.1 tcp/5678 Now we' re not talking anymore about UTM, Squid, WCCP or whatever. We just need to forward specific traffic and do port translation. I' m wondering if Fortigate is not able to do that?
ede_pfau
Esteemed Contributor III

Using the Central NAT table you can achieve what you are planning: full control over port translation, address translation and the source address range which this will apply to. You may have a look into the FortiOS Handbook for FortiOS 5.0, pg. 555 ff.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
mcwz
New Contributor

Hi Ede, I tried Central NAT but it is not possible to do destination port translation. Central NAT has the options: Source Address Translated Address Original Source Port Translated Port As outgoing http traffic has a random source port that can' t work. It would only be possible to do source PAT but not destination PAT. There needs to be an additional option like " Original Destination Port" . In the meanwhile I think Fortigate is really to stupid to do that :(
Phill_Proud
New Contributor

I guess the time you have spent on this is worth far less than a couple of hundred dollars to renew the FortiGuard subscription?
emnoc
Esteemed Contributor III

exactly He' s trying to make something happen that' s not doable with Central-NAT As far as I know, I don' t know of any firewall that can do what he asking and even iptables which is probably the most flexible thing on planet earth, can' t do this. A 3 year subscription license on a FGT60C is pennies ( less than 267 usd on avg ) and will provide all that he need, and since he stated no caching of data, this would be simplest method to gain all that he requires.

PCNSE 

NSE 

StrongSwan