From: Steve Bertrand <steve@ibctech.ca>
Date: Sat, 18 Apr 2009 18:10:04 -0400
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Route traffic on a gateway through SSH tunnel
Message-ID: <49EA4FBC.4040202@ibctech.ca>
List-Id: Networking and TCP/IP with FreeBSD

From what I believe, I'm attempting to do something that has most likely been achieved before, but there is something that I'm missing. This is for my personal home setup.

I've built a flash-based CPE, which connects to our DSL network with mpd5. I've enabled NAT, and am using IPFW as the packet filter.

I have a Squid proxy/content filter at my office, and I would like to route all 80/443 traffic from my home connection through the proxy. The proxy and the termination point of my home connection are located in two different PoPs, within different ASs.

My desire is to have this proxy-routing enabled within the network hardware, so as not to need to set application-layer details on the PC(s) at home.

At this point, I have the FBSD (7.2) gateway device set up with an SSH tunnel. The local tunnel endpoint terminates on a LAN interface which utilizes 1918 space. It listens for traffic on 172.16.250.1:80, and forwards it to the proxyIP:8080. When I configure a workstation's Firefox to use 172.16.250.1:80 as a proxy, everything works as expected.

Now, I need to figure out a way so that the same setup will work, but with no proxy configured within Firefox.

At this time, I'm recompiling the kernel on the gateway device to include IPFIREWALL_FORWARD. I'm going to try a fwd rule to pass all traffic destined to *:80 to 172.16.250.1:80, in hopes that the traffic will be first redirected to itself, and therefore through the SSH tunnel to the proxy. My past experience with this, however, is that FBSD will complain that the dst IP doesn't reside on the box.

Does anyone have any suggestions or comments they can share regarding such a setup?

Steve
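The gateway-side pieces the post describes, written out as an added example (not the poster's own configuration): the ssh(1) listener bound to 172.16.250.1:80 relaying to the proxy's port 8080, and the ipfw fwd rule that redirects LAN traffic for port 80 into that listener. The LAN interface name (vr0), the LAN prefix (192.168.1.0/24), the proxy hostname and the rule numbers are assumptions; only 172.16.250.1:80 and port 8080 come from the post.

```shell
#!/bin/sh
# Added example for the setup in the post; not from the original mail.
# Assumed values (not in the post): LAN_IF, LAN_NET, PROXY_HOST, rule numbers.
LAN_IF="vr0"                       # LAN-side interface of the CPE (assumed)
LAN_NET="192.168.1.0/24"           # RFC 1918 LAN behind the gateway (assumed)
TUNNEL_BIND="172.16.250.1"         # local tunnel endpoint, from the post
TUNNEL_PORT="80"
PROXY_HOST="proxy.example.org"     # placeholder for the office Squid box
PROXY_PORT="8080"                  # Squid port, from the post

# ssh(1) command that opens the listener on 172.16.250.1:80 and relays each
# connection to PROXY_HOST:8080 through the tunnel. -N: no remote shell.
# Binding to an explicit LAN address keeps the listener off the WAN side.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:%s:%s %s\n' \
        "$TUNNEL_BIND" "$TUNNEL_PORT" "$PROXY_HOST" "$PROXY_PORT" "$PROXY_HOST"
}

# ipfw rules, printed rather than applied so they can be reviewed first.
# Rule 1000: connections already aimed at the tunnel listener must be let
# through as-is; otherwise rule 1010 would match them and forward them to
# the same address again. Rule 1010: every other LAN-originated TCP
# connection to port 80 is handed to the local listener, which is an
# address on the gateway itself. The fwd target is a local address here,
# which is the case IPFIREWALL_FORWARD is meant for.
fwd_rules() {
    printf 'ipfw add %d allow tcp from %s to %s %s in via %s\n' \
        1000 "$LAN_NET" "$TUNNEL_BIND" "$TUNNEL_PORT" "$LAN_IF"
    printf 'ipfw add %d fwd %s,%s tcp from %s to any 80 in via %s\n' \
        1010 "$TUNNEL_BIND" "$TUNNEL_PORT" "$LAN_NET" "$LAN_IF"
}

# Squid side (assumption, not in the post): with no proxy configured in the
# browser, requests arrive in origin form, so the Squid http_port for 8080
# must be set to accept intercepted traffic (the "transparent" option in
# Squid 2.7/3.0), or Squid will reject them.

tunnel_cmd
fwd_rules
```

Pipe `fwd_rules | sh` as root on the gateway to apply the rules after checking that the rule numbers land before any existing deny rule in the ruleset.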