Here is the topology I think should work.
Your local network is on the lan interface and has lan_ip as its default gw.
Your proxy is on dmz and has dmz_ip as its gw.
My proxy is on dmz, but it is configured in transparent mode, so it has my ISP gw
as its default gw.
The first rules to create are:
lan/lannet sat http wan1/all-nets dest :IP of squid on dmz
lan/lannet allow http dmz/dmznet
If squid is also a DNS proxy, then create a service object that includes all squid services to redirect.
dmz/dmznet nat all_services wan1/all_nets
The DNS server is in lannet.
This solution has an error. Theoretical example:
1. A host from lannet sends a packet to google.com
10.0.0.11:1099 => 184.108.40.206:80
2. According to rules 1 and 2, the traffic would be redirected to the dmz server
3. After squid completes the request for google.com, it sends data back to the host
192.168.0.5:3128 => 10.0.0.11:1099
Because the host expects traffic on port 1099 from 220.127.116.11, it ignores traffic coming from
We can use a nat rule instead of the allow rule, but then we lose ACL possibilities on squid (we will always
see the dfl-800 lannet IP as the source address).
I turned on logging on the dfl-800 for my SAT and Allow rules with the alert category, and this is what I get:
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2011-01-03 12:18:39 Alert CONN 600001 wwwallow TCP lan wan1 10.0.0.11 18.104.22.168 4233
So traffic is allowed and the SAT rule (whose name is "transparentProxy") is applied, but after that
there is no traffic between the dfl-800 and the proxy in dmz.
My dmz server IP is not 22.214.171.124 as I wrote before; it has a public IP address from the WAN1 subnet,
and I have a switch route for group(wan1,dmz) in the main routing table, so dmz is not behind NAT.
Is this the reason why I don't get any requests on the proxy server?
(DFL-800 firmware is 2.27.02.11-14417).
Thanks in advance,
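The flow from the theoretical example above can be modelled in a few lines. This is an added illustration, not configuration from the thread or from D-Link: it assumes placeholder addresses (192.0.2.x for the firewall and squid, 203.0.113.80 for the web server) and a firewall that keeps per-flow state for the SAT rule, which is what would let the reply be untranslated back to the client; the nat variant shows why squid then only sees the firewall's own address as the source.

```python
# Added example (not from the thread): a toy stateful model of the two rule
# styles discussed above, "sat + allow" versus "nat", for one HTTP flow.
# All addresses are constructed placeholders, not real hosts.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

FW_DMZ_IP = "192.0.2.1"                     # assumed firewall address on dmz
SQUID_IP, SQUID_PORT = "192.0.2.10", 3128   # assumed squid address/port on dmz

class Firewall:
    """Forward a client flow under the chosen rule style, keep per-flow state,
    and untranslate the proxy's reply so the client sees its original peer."""

    def __init__(self, mode):
        assert mode in ("sat_allow", "sat_nat")
        self.mode = mode
        self.state = {}   # (dst, dport, src, sport) as seen on dmz -> original Packet

    def outbound(self, p):
        # SAT rule: redirect HTTP (dport 80) to the squid box on dmz
        fwd = replace(p, dst=SQUID_IP, dport=SQUID_PORT) if p.dport == 80 else p
        if self.mode == "sat_nat":
            # nat rule: the client is hidden behind the firewall's own dmz address
            fwd = replace(fwd, src=FW_DMZ_IP)
        self.state[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = p
        return fwd

    def inbound_reply(self, r):
        # Mirror the reply tuple to find the flow. No state means no reverse
        # translation, which is the case the theoretical example worries about.
        orig = self.state.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def simulate(mode):
    """Return (source address squid sees, reply source the client sees)."""
    fw = Firewall(mode)
    client = Packet("10.0.0.11", 1099, "203.0.113.80", 80)   # lannet host -> web server
    at_squid = fw.outbound(client)
    # squid answers the translated flow from its own listening socket
    from_squid = Packet(at_squid.dst, at_squid.dport, at_squid.src, at_squid.sport)
    at_client = fw.inbound_reply(from_squid)
    return at_squid.src, (at_client.src, at_client.sport)
```

With "sat_allow" squid sees the real client address (so its ACLs work) and the client still gets the reply from 203.0.113.80:80; with "sat_nat" squid only ever sees 192.0.2.1.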