1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    3.7k
    Topics
    20.6k
    Posts

    M

    This is my first post. I am unable to get http access working with a squid proxy. I've googled around, tried a few guides, and no luck.

    setup description:

    WAN -> Proxmox -> pfSense/squid(VM) -> | vm: server 1 | vm: server 2|

    intent:
    2 servers/VM on one IP address
    server 1 would match to xyz.com and handle regular web traffic
    server 2 would match to sub1.xyz.com and handle some other stuff.

    It's most likely some misconfiguration somewhere, but I'm just not sure where. Right now, I'm just focused on getting server 1 accessible.

    server 1:
    Alma Linux 9
    apache has mod_proxy

    site conf file
    server1 apache conf.JPG

    /etc/hosts file
    server1 hosts.JPG

    one guide said to create a conf file with the following.
    server1 reverse_proxy conf.JPG

    pfSense:
    squid installed
    squidGuard installed/disabled for now

    squid conf

    # This file is automatically generated by pfSense # Do not edit manually ! http_port 192.168.1.1:3128 icp_port 0 digest_generation off dns_v4_first off pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language en icon_directory /usr/local/etc/squid/icons visible_hostname voip-ly.com cache_mgr admin@localhost access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger logfile_rotate 0 debug_options rotate=0 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 192.168.1.0/24 forwarded_for on uri_whitespace strip acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 64 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 MB cache_dir ufs /var/squid/cache 100 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 cache deny all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 acl sslports port 443 563 acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src 192.168.1.0/24 http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings http_port 69.16.214.157:80 accel defaultsite=voip-ly.com vhost #alma9 server cache_peer 192.168.1.15 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_www #debian12.pbx cache_peer 192.168.1.16 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pbx acl rvm_public url_regex -i voip-ly.com acl rvm_pbx url_regex -i voip-ly.com cache_peer_access rvp_www allow rvm_public cache_peer_access rvp_pbx allow rvm_pbx cache_peer_access rvp_www deny !rvm_public cache_peer_access rvp_pbx deny !rvm_pbx never_direct allow rvm_public never_direct allow rvm_pbx http_access allow rvm_public http_access allow rvm_pbx deny_info TCP_RESET allsrc # Custom options before auth # Set YouTube safesearch restriction acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com request_header_access YouTube-Restrict deny all request_header_add YouTube-Restrict none youtubedst # Setup allowed ACLs # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Default block all to be sure http_access deny allsrc

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2.2k
    Topics
    15.6k
    Posts

    D

    I was looking for this info @bmeeks,

    Now I am sure that it is only an internal connection and that not everything is disabled.
    Thank you very much!

    Have a nice day and thanks for your work.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    553
    Topics
    2.7k
    Posts

    A

    @CZvacko said in Telegraf service stops when the physical interface is reconnected or reconfigured:

    In the last version 2.7.2 I noticed several times that the Telegraf service stopped working, now I found that it happens when reconnecting the physical interface. Probably also when adjusting interface parameters such as MTU. Is this considered a bug or how to prevent it ? (I have to remember to check it after such actions)

    This might be a bug. Check Telegraf logs for details, and configure it to restart automatically by editing its service file:

    Restart=always
    Restart with sudo systemctl daemon-reload && sudo systemctl restart telegraf. Update to the latest version and report the issue on Telegraf's GitHub if it persists.

  • Discussions about the pfBlockerNG package

    2.5k
    Topics
    19.1k
    Posts

    tinfoilmattT

    @Yoe777 To check if the IP address that ftp.ut-capitole.fr resolves to, 193.49.48.249, is listed anywhere:

    grep "193.49.48.249" /var/db/pfblockerng/DNSBLIP_v4.txt /var/db/pfblockerng/deny/*.txt /var/db/pfblockerng/original/*.orig /var/unbound/pfb_py_ss.txt

    If no output is returned, that means the IP is not potentially being filtered anywhere by pfBlockerNG. (The "No such file or directory" output should be ignored.)

    I've also noticed just now that the domain heimdall.ut-capitole.fr is a CNAME of ftp.ut-capitole.fr. You should ensure that heimdall.ut-capitole.fr is also either not listed and/or whitelisted.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    86
    Topics
    2.3k
    Posts

    dennypageD

    @netboy Glad you got it sorted.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    477
    Topics
    2.7k
    Posts

    S

    certbot generate a cert.pem and a fullchain.pem, but in pfSense/ACME I can only download the cert.pem in certificates.

    Is there any way to generate and download also the fullchain.pem in pfSense/ACME?
    Maybe I miss a setting?

  • Discussions about the FRR Dynamic Routing package on pfSense

    279
    Topics
    1.1k
    Posts

    M

    Found the issue. RPKI is not supported although its an option available.
    Dont know why this is a problem in 24.11
    I did have RPKI enabled prior.

    Spoiler

    /usr/sbin/service frr restart bgpd
    bgpd not running? (check /var/run/frr/bgpd.pid).
    Starting bgpd.
    frr_init: loader error: dlopen(/usr/local/lib/frr/modules/bgpd_rpki.so): /usr/local/lib/libssh.so.4: version LIBSSH_4_5_0 required by /usr/local/lib/librtr.so.0 not defined
    frr_init: loader error: dlopen(/usr/local/lib/frr/modules/rpki.so): Cannot open "/usr/local/lib/frr/modules/rpki.so"
    frr_init: loader error: dlopen(rpki): Shared object "rpki" not found, required by "bgpd"
    /usr/local/etc/rc.d/frr: WARNING: failed to start bgpd
    [36398|mgmtd] sending configuration
    [36518|zebra] sending configuration
    [39070|watchfrr] sending configuration
    [39648|bfdd] sending configuration
    Waiting for children to finish applying config...
    [39585|staticd] sending configuration
    [36398|mgmtd] done
    [39070|watchfrr] done
    [39585|staticd] done
    [36518|zebra] done
    [39648|bfdd] done

  • Discussions about the Tailscale package

    75
    Topics
    418
    Posts

    D

    Hi!
    Is anyone having connection issue on tailscale on pfsense,
    i've using tailscale now for 3months but this couple of days my pfsense machine keeps disconnecting, i've already generated new key but its still no luck.
    tailscale.jpg

  • Discussions about WireGuard

    628
    Topics
    3.3k
    Posts

    AndyRHA

    @michmoor Thanks but we have trashed it and will do OpenVPN even though it is slower, but more reliable and easier to troubleshoot.

Log in to post
Load new posts