To have a transparent web proxy in a different server from your gateway/firewall, besides the port 80 redirect rule to your proxy server, you will also need a NAT rule.

On your network gateway/firewall:

  1. Set the following sysctl:
sysctl net.inet.ip.redirect=0
  1. Add the following rule in your PF config:
pass in quick on $int_if route-to ($int_if $IP_Proxy) proto tcp from ! $IP_Proxy to any port www

On your proxy server:

  1. Set the following sysctl:
sysctl net.inet.ip.redirect=0
  1. Add a PF rule to redirect port 80 traffic to port 3128:
rdr inet proto tcp from ! $IP_Proxy to any port www -> $IP_Proxy port 3128