
transparent proxy for IPv6 #1784

Closed
abraxxa opened this issue Aug 25, 2017 · 18 comments
Labels: support Community support

Comments

@abraxxa

abraxxa commented Aug 25, 2017

Version: 17.7
GUI URL: https://fqdn/firewall_nat.php

The problem existed in 17.1 too, I've retried it now after upgrading to 17.7 and it still exists.
When IPv6 http and https traffic is redirected to Squid using a port forwarding NAT rule, IPv6 stops to work and the browser eventually falls back to IPv4 if the server is dual-stack, else it times out.

The NAT config is mentioned in issue #1242 so it seems I have configured it correctly.

@AdSchellevis
Member

can you include a screenshot of the exact rule you've created accompanied with a dump of the listening configuration of squid?

grep -E 'https_port|http_port' /usr/local/etc/squid/squid.conf

If squid isn't listening on localhost for ipv6 for some reason and all traffic is forwarded, it might trap the webgui there too (I'm not sure there is an anti-lockout rule for ipv6 in it).

@abraxxa
Author

abraxxa commented Aug 26, 2017

I didn't know github makes adding images so easy, CTRL-V just works ;)

[screenshot of the NAT rule]

root@firewall:~ # grep -E 'https_port|http_port' /usr/local/etc/squid/squid.conf
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 10.0.0.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

@AdSchellevis
Member

yes, this works quite easy indeed.

I checked the anti-lockout code for the web gui, but this seems to catch IPv6 like it should https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc#L1699, so if anti-lockout is enabled I don't know why you can't reach your webui anymore.

If you want to check squid, I can give you some pointers to look at, the basic listening configuration looks good in this case.

  1. if your lan network is restricted with rules, first try to allow all and see if this solves anything.
  2. check if squid is actually running on your OPNsense,

     on IPv6 / localhost:
     telnet ::1 3128
     on IPv4 / localhost:
     telnet 127.0.0.1 3128

     It should return something like:

     root@OPNsense:~/# telnet ::1 3128
     Trying ::1...
     Connected to localhost.localdomain.
     Escape character is '^]'.

  3. tail your access log and see if there's anything happening when sending requests over the network to squid:

     tail -f /var/log/squid/access.log

@AdSchellevis AdSchellevis added the support Community support label Aug 27, 2017
@abraxxa
Author

abraxxa commented Aug 27, 2017

I didn't say that I don't reach the webui any more but that http and https over IPv6 stops working.
Squid listens on ::1 3128 and I can open a tcp connection using telnet to it.
The Squid access log doesn't show anything as soon as I enable the NAT rules.
The firewall rules allow the traffic else the IPv6 connectivity wouldn't work without the NAT rule too.

@AdSchellevis
Member

ok, my mistake, I thought the webgui over ipv6 stopped working too.

I don't have a similar setup at hand at the moment, maybe someone else can help you out.

@abraxxa
Author

abraxxa commented Oct 8, 2017

What I further found out is that the Allow interface subnets checkbox only adds the IPv4 networks to the squid.conf acl localnet src setting. Adding my local IPv6 prefix in the Allowed subnets adds an acl subnets src line to squid.conf which seems to be identically configured further down in the config file but still doesn't make it work.
Is there nobody with a dual-stack setup using the transparent proxy feature?
Don't you have integration tests to ensure you don't break features like this?
Can you point me at FreeBSD/Squid troubleshooting guides as I'm only familiar with Linux.
Thanks!
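Added example, not code from the thread or from OPNsense: a small Python audit that automates the two checks discussed above (AdSchellevis' "is squid listening on ::1 / 127.0.0.1 in intercept mode" and abraxxa's "does any acl ... src line cover IPv6 at all") by parsing a squid.conf. The sample config is constructed from the listener dump quoted earlier plus made-up acl lines; the script can only spot config-side gaps, not the kernel NAT limitation raised later in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the squid.conf listener dump quoted in this
# thread, plus "acl ... src" lines of the kind the OPNsense GUI generates.
SAMPLE_SQUID_CONF = """\
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
http_port 10.0.0.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem
acl localnet src 10.0.0.0/24 192.168.1.0/24
acl subnets src 2001:db8:1::/64
http_access allow localnet subnets
"""

# The host part is optional in squid ("http_port 3128" binds every address).
PORT_RE = re.compile(r"^(https?_port)\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)\s*(.*)$")

def parse_listeners(conf):
    """Yield (directive, ip_or_None, port, is_intercept) per http(s)_port line."""
    for line in conf.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            directive, host, port, opts = m.groups()
            ip = ipaddress.ip_address(host.strip("[]")) if host else None
            yield directive, ip, int(port), "intercept" in opts.split()

def parse_src_acls(conf):
    """Return {acl_name: [ip_network, ...]} from 'acl NAME src ...' lines."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(n, strict=False) for n in parts[3:])
    return acls

def audit(conf):
    """Per address family: intercept listeners, src acl networks, and a gap flag."""
    nets = [n for ns in parse_src_acls(conf).values() for n in ns]
    report = {}
    for fam in (4, 6):
        listeners = sum(1 for _, ip, _, icpt in parse_listeners(conf)
                        if icpt and (ip is None or ip.version == fam))
        acl_nets = sum(1 for n in nets if n.version == fam)
        # intercept listener present but no src network of that family: the
        # acl-side mismatch abraxxa describes for IPv6 with only the checkbox set
        report[fam] = {"intercept_listeners": listeners, "src_acl_networks": acl_nets,
                       "acl_gap": listeners > 0 and acl_nets == 0}
    return report
```

Run it against `/usr/local/etc/squid/squid.conf` read from disk; a family with `acl_gap` true means squid would deny (not fail to receive) intercepted traffic for that family, which is distinguishable in access.log from the "nothing logged at all" symptom reported here.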

@Nimloth

Nimloth commented Dec 3, 2017

I may be mistaken, but OPNsense uses NAT to achieve the transparent proxy feature?
In that case, I would expect it to not work with IPv6.
AFAIK, TPROXY would be the way to go instead?
Compare: https://wiki.squid-cache.org/Features/Tproxy4#IPv6_Support

@fabianfrz
Member

TPROXY is a cool feature of Linux but we are on FreeBSD here

@Nimloth

Nimloth commented Dec 3, 2017

@fabianfrz. I know that, though, I probably was not clear enough. Apologies for that.
My point was that unless FreeBSD supports a TPROXY equivalent (OpenBSD, for instance, has divert sockets that squid can use for IPv6 proxying), or possibly NAT66, squid will not be able to perform as a transparent proxy for IPv6.

@fabianfrz
Member

@Nimloth divert looks like it is supported:
https://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

@fichtner
Member

fichtner commented Dec 4, 2017

That is the OpenBSD page, FreeBSD is different:

https://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw

No mention of IPv6 there.

@Nimloth

Nimloth commented Dec 4, 2017

Indeed, if I read the FreeBSD wiki correctly:
https://wiki.freebsd.org/IPv6TODO#natd.2Fdivert.2Frdr.2Ffwd_IPv6_support
divert is still IPv4 only?

@AdSchellevis
Member

timeout

@abraxxa
Author

abraxxa commented Mar 24, 2018

What does 'timeout' mean?

@fichtner
Member

@abraxxa
Author

abraxxa commented Mar 24, 2018

Thanks!
But there is nothing I can do if the core devs aren't willing to look into it.

@fichtner
Member

That also goes for Squid authors, FreeBSD authors and reporters alike. Remember, everybody spends their time willingly.

@borisneubert

Just spent two hours finding out why transparent proxy on IPv6 does not work before I found this issue. Well, the reason as stated by @Nimloth is either FreeBSD not being capable of IPv6 NAT or Squid not implementing it. So I turned IPv6 transparent proxy off.
