[Solved] Redirecting all http/https traffic to Squid proxy
I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ.
Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080
Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080
After some investigation I found a solution:
Interface: WAN2 (Wifi)
Default Gateway: 172.16.100.254
Client DHCP Range: 172.16.100.1-172.16.100.10
Default Gateway: 192.168.100.254
Squid Proxy: 192.168.100.1
Squid listens on 3 ports:
Port 3126 - transparently processes and intercepts HTTP traffic
Port 3127 - transparently processes and intercepts HTTPS traffic
Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy.
First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing.
Note: unfortunately Fortigate is not able to do outbound port translation so I do that later on Squid.
Protocol: 6 (tcp)
Incoming interface: <Wifi LAN>
Source address/mask: <Wifi DHCP subnet>
Destination address/mask: 0.0.0.0/0.0.0.0
Source Ports: 1 - 65535
Destination Ports: 80 - 80
Outgoing interface: <interface where Squid proxy is connected>
Gateway address: <Squid proxy IP address>
(same again for port 443)
Now Squid sees all http/https traffic but on the wrong ports.
Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports:
# plain HTTP arriving from the Fortigate on eth0 -> Squid's HTTP intercept port
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126
# HTTPS arriving from the Fortigate on eth0 -> Squid's HTTPS (ssl-bump) intercept port
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
Have fun :)
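The two REDIRECT rules above match any host whose port 80/443 traffic arrives on eth0, not just the guest range. The following script is an added example, not part of the original post: it generates the same redirect rules scoped to the guest DHCP range from the post (172.16.100.1-172.16.100.10, which is not a CIDR block, hence the iprange match), adds an INPUT rule so the intercept ports 3126/3127 cannot be reached directly from anywhere else, and only applies them when explicitly asked. The interface name eth0 is an assumption taken from the post; override IFACE and GUEST_RANGE in the environment as needed.

```shell
#!/bin/sh
# Added example (not from the original post): generate and optionally apply the
# iptables rules that move policy-routed guest traffic onto Squid's intercept ports.
# Assumptions: guest range and Squid ports are the ones from the post; "eth0" is a
# placeholder for the NIC that faces the Fortigate.
set -u

IFACE="${IFACE:-eth0}"                                   # NIC facing the Fortigate
GUEST_RANGE="${GUEST_RANGE:-172.16.100.1-172.16.100.10}" # Wifi guest DHCP range
HTTP_INTERCEPT_PORT=3126                                 # squid: http_port 3126 intercept
HTTPS_INTERCEPT_PORT=3127                                # squid: https_port 3127 intercept ssl-bump

# Print the rules one per line without running them, so they can be reviewed
# (or diffed against `iptables-save`) before touching the firewall.
squid_redirect_rules() {
    for pair in "80:$HTTP_INTERCEPT_PORT" "443:$HTTPS_INTERCEPT_PORT"; do
        dport=${pair%%:*}
        toport=${pair##*:}
        # -m iprange covers the non-CIDR range 172.16.100.1-10; without it the
        # REDIRECT also catches any other host that routes port 80/443 via this box.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -m iprange --src-range %s -j REDIRECT --to-ports %s\n' \
            "$IFACE" "$dport" "$GUEST_RANGE" "$toport"
    done
    # The intercept ports must not be usable as a plain proxy from elsewhere:
    # reset direct connections to 3126/3127 that do not come from the guest range.
    printf 'iptables -A INPUT -i %s -p tcp -m multiport --dports %s,%s -m iprange ! --src-range %s -j REJECT --reject-with tcp-reset\n' \
        "$IFACE" "$HTTP_INTERCEPT_PORT" "$HTTPS_INTERCEPT_PORT" "$GUEST_RANGE"
}

# Number of rules the generator emits (two redirects plus one guard rule).
squid_rule_count() {
    squid_redirect_rules | grep -c '^iptables '
}

# Apply the generated rules; needs root and iptables on PATH.
apply_squid_redirect_rules() {
    squid_redirect_rules | while IFS= read -r cmd; do
        $cmd
    done
}

case "${1:-print}" in
    apply) apply_squid_redirect_rules ;;
    *)     squid_redirect_rules ;;
esac
```

Run it without arguments to see the rules, and with `apply` as root to install them. On the Squid side the ports have to be declared as intercept ports (`http_port 3126 intercept` and `https_port 3127 intercept ssl-bump ...` with the MITM certificate); Squid refuses connections to intercept ports that have no matching NAT entry, and the INPUT rule keeps such probes from other networks off the box entirely. Because the Fortigate policy route delivers the packets with their original destination address, REDIRECT (rather than DNAT to a fixed host) is the right target: it rewrites only the port and preserves the original destination for Squid's NAT lookup.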
Thanks for the answer. Yes I know this KB article but I'm not sure if WCCP will do the job. My Squid proxy doesn't do any caching (I disabled it). Squid just does some content filtering and mainly blocks/removes advertisement, trackers, etc. Additionally I don't know if WCCP works with https - I configured Squid to act as MITM.
Reading this I have to say:
If you're not doing any caching, then why do you need Squid?
The Fortigate and FortiGuard webfilter and categorization is probably 1000x better than what you can get via Squid & accomplishes ALL of the things you're asking for.
This would also eliminate the overhead of WCCP (encapsulating a second header is sometimes a CPU intense act)
And eliminate management and ownership of yet another device.
Just some things to think about
We have a FGT-60C in our branch office and this box just does a S2S tunnel to our Checkpoint cluster in the main office. That means everything except normal web surfing (from the guest wifi) goes through the tunnel. The FGT-60C UTM subscriptions are already expired and we don't renew them as we don't need them.
As I said we have a Squid server with additional content filtering. Although we can work with URL categorization we don't need it. What Squid does is almost the same you can do with Firefox browser plugins like Adblock Plus + Ghostery. Squid uses the same lists (Easylist) and removes all advertising and trackers and it removes and manipulates some headers (e.g. browser user agent, etc.). I don't know if Fortinet webfilter/FortiGuard is able to do that.
Anyway, the Fortigates UTM features are nice toys but not what we need.
Coming back to my original question:
Redirecting http/https traffic to Squid is of course what we need but take it as an example for the general problem behind:
Let's assume we don't talk about http and Squid but some different protocol.
Let's say we want to redirect certain traffic from an IP range or subnet to a specific IP address and a specific port.
e.g. traffic from 172.16.100.1-172.16.100.10 tcp/1234 should go to 192.168.100.1 tcp/5678
Now we're not talking anymore about UTM, Squid, WCCP or whatever. We just need to forward specific traffic and do port translation.
I'm wondering if Fortigate is not able to do that?
Using the Central NAT table you can achieve what you are planning: full control over port translation, address translation and the source address range which this will apply to.
You may have a look into the FortiOS Handbook for FortiOS 5.0, pg. 555 ff.
I tried Central NAT but it is not possible to do destination port translation. Central NAT has the options:
Original Source Port
As outgoing http traffic has a random source port that can't work. It would only be possible to do source PAT but not destination PAT.
There needs to be an additional option like "Original Destination Port".
In the meantime I think Fortigate is really too stupid to do that :(
He's trying to make something happen that's not doable with Central-NAT.
As far as I know, I don't know of any firewall that can do what he's asking and even iptables, which is probably the most flexible thing on planet earth, can't do this.
A 3 year subscription license on a FGT60C is pennies (less than 267 USD on avg) and will provide all that he needs, and since he stated no caching of data, this would be the simplest method to gain all that he requires.