EdgeRouter - Policy-based routing for transparent proxy

Overview

Readers will learn how to employ Policy-Based Routing to send web traffic through a transparent proxy that lives on their LAN (that is, on a separate host rather than on the EdgeMAX device itself).

Building on the other Policy-Based Routing examples (e.g., Destination Port), users can define routing table decisions that deliver certain kinds of traffic through specific devices. In this example, we will define web traffic and route it through our transparent proxy.

In the example network, we will focus on a single WAN connection on eth0 and a single LAN on eth1, with the transparent proxy occupying an IP on the LAN:

1. eth0 - Internet
2. eth1 - 192.168.1.0/24 - LAN
2a. Transparent Proxy - 192.168.1.42

Routing Tables

We already have default routing tables defined by our network configuration; nothing needs to change in the defaults (whether static routes to the ISP, DHCP, or otherwise). But we do need to establish a new table that uses the transparent proxy as the next hop for whatever traffic the proxy will handle.

We can pick any table number from 1-200 that doesn't already exist. The new table contains only a default route whose next hop is the proxy:

set protocols static table 5 route 0.0.0.0/0 next-hop 192.168.1.42

We'll need a modify firewall ruleset, plus a port group and an address group, to define exactly which traffic is affected.
Note: PROXY_CLIENTS must not include the proxy IP itself, or there will be a routing loop.
Note: PROXY_CLIENTS should not include the eth1 gateway IP or the broadcast address (.1 or .255).

firewall {
    group {
        address-group PROXY_CLIENTS {
            address 192.168.1.2-192.168.1.41
            address 192.168.1.43-192.168.1.254
        }
        port-group PROXY_PORTS {
            port 80
            port 8080
        }
    }
    modify TRANS_PROXY {
        rule 1 {
            action modify
            description "use table 5 to route for PROXY_PORTS"
            destination {
                group {
                    port-group PROXY_PORTS
                }
            }
            modify {
                table 5
            }
            protocol tcp
            source {
                group {
                    address-group PROXY_CLIENTS
                }
            }
        }
    }
}

We should then apply the modify ruleset to inbound traffic on the LAN interface:

set interfaces ethernet eth1 firewall in modify TRANS_PROXY

So at this point, the firewall will watch for TCP traffic coming in on the LAN interface (eth1) destined for the PROXY_PORTS (80 and 8080). It will check the source; so long as it is from a client on the LAN other than the gateway, broadcast, or the proxy itself (see address-group PROXY_CLIENTS), the rule marks the packet to be routed using table 5. Table 5 has a single default route, so this sets the next hop to the transparent proxy.

When the transparent proxy has processed the traffic, it sends the outbound request to its own next hop, the eth1 IP of the EdgeRouter. Because the address-group excludes the proxy's IP, that traffic does not match the modify rule; it follows the main routing table and, e.g., exits eth0 for the Internet. If you forget to exclude the proxy's IP from the PROXY_CLIENTS address-group, the proxy's own outbound traffic is sent back to the proxy, and this routing loop will appear to "break" web traffic.
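To make the address-group rules and the loop condition concrete, here is an added Python example (not part of this article or of EdgeOS) that expands the PROXY_CLIENTS ranges, checks that the proxy, gateway and broadcast addresses are excluded, and then traces a packet through the modify rule the way the text describes. It assumes, as the article's reasoning does, that the proxy forwards upstream with its own address as the source; the addresses, ports and table number are the ones from the example network, and `Packet`, `check_proxy_clients` and `trace` are names invented for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values mirroring the article's example network.
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")   # eth1 address of the EdgeRouter
PROXY = ipaddress.ip_address("192.168.1.42")    # transparent proxy on the LAN
PROXY_PORTS = {80, 8080}                         # port-group PROXY_PORTS


def expand_ranges(entries):
    """Expand address-group entries ('a-b' ranges or single hosts) into a set."""
    hosts = set()
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range {entry}")
            hosts.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
        else:
            hosts.add(ipaddress.ip_address(entry))
    return hosts


def check_proxy_clients(entries, proxy=PROXY, gateway=GATEWAY, lan=LAN):
    """Return a list of problems with a proposed PROXY_CLIENTS address-group.

    An empty list means the group excludes the proxy, the gateway and the
    broadcast address and stays inside the LAN, as the article requires.
    """
    hosts = expand_ranges(entries)
    problems = []
    if proxy in hosts:
        problems.append(f"{proxy} (proxy) is in PROXY_CLIENTS: routing loop")
    if gateway in hosts:
        problems.append(f"{gateway} (eth1 gateway) is in PROXY_CLIENTS")
    if lan.broadcast_address in hosts:
        problems.append(f"{lan.broadcast_address} (broadcast) is in PROXY_CLIENTS")
    outside = [h for h in hosts if h not in lan]
    if outside:
        problems.append(f"{len(outside)} address(es) are outside {lan}")
    return problems


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def select_table(pkt, proxy_clients, proxy_ports=PROXY_PORTS):
    """Mimic 'modify TRANS_PROXY rule 1' on eth1: match -> table 5, else main."""
    if (pkt.proto == "tcp" and pkt.dport in proxy_ports
            and ipaddress.ip_address(pkt.src) in proxy_clients):
        return "table5"
    return "main"


def trace(pkt, proxy_clients, proxy=PROXY, max_hops=5):
    """Follow a packet arriving on eth1 until it leaves eth0 or loops.

    Returns the list of hops: each visit to the proxy, then 'eth0' when the
    main table is used, or 'LOOP' if the proxy keeps being selected.
    """
    path = []
    cur = pkt
    for _ in range(max_hops):
        if select_table(cur, proxy_clients) == "main":
            path.append("eth0")
            return path
        path.append(str(proxy))
        # Assumption: the proxy forwards upstream to its default gateway
        # (the eth1 IP) using its own address as the source.
        cur = Packet(src=str(proxy), dst=cur.dst, dport=cur.dport, proto=cur.proto)
    path.append("LOOP")
    return path


if __name__ == "__main__":
    good = ["192.168.1.2-192.168.1.41", "192.168.1.43-192.168.1.254"]
    bad = ["192.168.1.2-192.168.1.254"]   # forgot to carve out the proxy
    web = Packet("192.168.1.10", "203.0.113.5", 80)
    print("good group problems:", check_proxy_clients(good))
    print("bad group problems: ", check_proxy_clients(bad))
    print("path with good group:", trace(web, expand_ranges(good)))
    print("path with bad group: ", trace(web, expand_ranges(bad)))
```

Run the check against your own PROXY_CLIENTS ranges before committing the configuration; a non-empty result from `check_proxy_clients` corresponds directly to one of the two notes above, and the `trace` output shows the loop that results when the proxy's address is left in the group.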
