On Wed, Jul 11, 2007 at 05:33:18PM +0200, Urban Boquist wrote:
> First attempt to just redirect on GW like before:
> 
>   rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp
> 
> seems to work somewhat initially, I see a SYN being redirected at GW
> to 192.168.1.5, and a SYN-ACK sent back to the original client, but
> then it responds with a RST. I assume it gets confused because the
> reply comes from a different ip?

That's correct. The SYN-ACK is send to the client directly and
therefore not corrected via NAT by the gateway.

> So do I need to rewrite source address too at the GW?

Yes, but I'm not sure whether IPFilter supports with your current
network setup.

> And then it seems that I need some exception for the Squid machine
> itself, to avoid its port 80 requests being redirected to itself?

That's another problem.

> Any hint would be appreciated, I can find millions of pages with
> Google that explains how to do this when Squid is running on
> 127.0.0.1, but none that explains when it is not... :-(

The best idea I can think of is to put another network card in the
gateway which is uses to talk to the proxy server.

Internet <--fxp0---> gateway <--fxp1--> clients
			^
			|
			fxp2
			|
			v
			proxy

This would make sure that all packets from the proxy to a client have
to go through NAT on the gateway. And the proxy server wouldn't be
affected by the redirect rule on "fxp1" anymore.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/