That's what it was.  The Roku netflix client wasn't using the domain name, but IP addresses for the Netflix servers.  I guess I should have realized that in the log.  Even though I had the option "Do not allow IP-Addresses in URL" unchecked, I was looked at the squidguard config at /usr/local/etc/SquidGuard/SquidGuard.conf and saw that it had !in-addr which was blocking anything that had an IP address in the URL.  Seems to be working fine now after I removed that.

I'm now on pfSense: 2.4.2-RELEASE-p1 FreeBSD 11.1-RELEASE-p6 Using a Mac mini and MacBook Pro both using Firefox to test the EICAR HTTP files, I completed the 4 steps, twice, and I can still download the HTTP files.  I haven't configured for HTTPS yet. Another interesting factoid…Using Debian 9 Stretch Linux with Firefox installed, I couldn't download the HTTP files but I still didn't receive the red colored virus message.

No idea.  I don't use transparent mode or SSL-intercept.  Just WPAD to get the URL for filtering and that's all.

SQRobin, I'm in the same camp. Did you end up fixing this? I have 16 Cores, 32GB RAM.  60GB Cache (DiskD - Previously AUFS with zero change), 64MB Cache Memory Size, 256K Max object, Heap GDSF. RAM and SWAP often go haywire after about 10 hours.  I upped the SSL Daemon Children to 64 recently to assist. Any other tips? HTTP/1.1 200 OK Server: squid Mime-Version: 1.0 Date: Wed, 07 Feb 2018 15:30:42 GMT Content-Type: text/plain;charset=utf-8 Expires: Wed, 07 Feb 2018 15:30:42 GMT Last-Modified: Wed, 07 Feb 2018 15:30:42 GMT X-Cache: MISS from localhost X-Cache-Lookup: MISS from localhost:3128 Via: 1.1 localhost (squid) Connection: close Squid Object Cache: Version 3.5.27 Build Info: Service Name: squid Start Time: Wed, 07 Feb 2018 01:26:06 GMT Current Time: Wed, 07 Feb 2018 15:30:42 GMT Connection information for squid: Number of clients accessing cache: 864 Number of HTTP requests received: 289166 Number of ICP messages received: 0 Number of ICP messages sent: 0 Number of queued ICP replies: 0 Number of HTCP messages received: 0 Number of HTCP messages sent: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 342.4 Average ICP messages per minute since start: 0.0 Select loop called: 18051093 times, 2.807 ms avg Cache information for squid: Hits as % of all requests: 5min: 2.6%, 60min: 3.0% Hits as % of bytes sent: 5min: 1.1%, 60min: 1.3% Memory hits as % of hit requests: 5min: 51.2%, 60min: 56.1% Disk hits as % of hit requests: 5min: 17.8%, 60min: 23.9% Storage Swap size: 47263468 KB Storage Swap capacity: 76.9% used, 23.1% free Storage Mem size: 64732 KB Storage Mem capacity: 98.8% used,  1.2% free Mean Object Size: 125.91 KB Requests given to unlinkd: 0 Median Service Times (seconds)  5 min    60 min: HTTP Requests (All):  0.05046  0.02742 Cache Misses:          0.08265  0.07825 Cache Hits:            0.00286  0.00091 Near Hits:            0.05633  0.08729 Not-Modified Replies:  0.00179  0.00091 DNS Lookups:          0.01046  0.01331 ICP Queries:          0.00000  0.00000 Resource usage for squid: UP Time: 50675.981 seconds CPU Time: 2292.172 seconds CPU Usage: 4.52% CPU Usage, 5 minute avg: 29.42% CPU Usage, 60 minute avg: 29.02% Maximum Resident Size: 29684640 KB Page faults with physical i/o: 183 Memory accounted for: Total accounted:      219900 KB memPoolAlloc calls:  33590776 memPoolFree calls:  34080247 File descriptor usage for squid: Maximum number of file descriptors:  939474 Largest file desc currently in use:  9246 Number of file desc currently in use: 9012 Files queued for open:                  0 Available number of file descriptors: 930462 Reserved number of file descriptors:  100 Store Disk files open:                  0 Internal Data Structures: 382429 StoreEntries 11534 StoreEntries with MemObjects   4520 Hot Object Cache Items 375364 on-disk objects

Maybe I will turn off the logs then and just reactivate them one day if I have issues :) Bad idea.  When you really need them, they won't be there.  Just set them to rotate and ignore them.

I had be able to install squid but updating to 2.3.2 to 2.3.4. Enable just security/errata on 2.3.4 and done. 2.3.2 looks death. Thanks.

Is going to be difficult to show u all the steps, but I will advice u to search on www.youtube.com to start your training. Once u have more detail info of your issue, return here and show us the problem with more details  :) example: https://www.youtube.com/watch?v=W2gy1bLHm5o

My PFBox setup is squid + squidguard wpad i will give it a try. or maybe putting an IP Address in Proxy Server-> Access Control -> ACLs will do the trick?

What news are you expecting?  WPAD requires an HTTP server, not HTTPS. https://technet.microsoft.com/en-us/library/cc995261.aspx?f=255&MSPPError=-2147217396 Implementing DNS or DHCP Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both: WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names. When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery. A valid DHCP server must be installed. When using DNS to publish WPAD, automatic discovery must be configured to use port 80. Alternatively, the outgoing Web requests must be configured to listen on port 80. WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions." Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.

When you make any changes to squidguard, you need to remember to go back to the General settings page and click the Apply button or nothing you did will take effect.

Clear cache. Proxy Server: Cache ManagementLocal Cache

Hi, this does not work when the explicit proxy is configured. example, I configure the squid + sslbump on a vlan (ex: vlan10), i configure snort on the vlan10 with all appID = Result nothing is detected without the proxy everything is detected by appID. Thanks Best regards, fred

Personally, I find pfBlocker too heavy of a package for me to want to deal with just to block ads.  I use Pi-hole myself on a cheap little Pi.  Works like a charm.

Thanks In advance brother

I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first. Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest. Stunnel rule Listen on 192.168.1.1  (internal IP of pfSense firewall LAN) Listen on port 3456 Redirect to 192.168.1.15  (Camera software box) Redirects on port 81 NAT rule Interface  WAN Protocol  TCP Dest Address  WAN Address Dest Ports  3456 NAT IP  192.168.1.1 NAT Ports  3456 NAT created FW rule Protocol  IPv4 TCP Source  * Destination  192.168.1.1 Port  3456

Absolutely sure.  We don't use policies or any other sorts of enforcements.  We tried to build our network around KISS. I took a look at the trace I saved: The process querying for the WPAD data got no name (is called "unavailable"), but the "GET /wpad.dat" packet says:  "User-Agent: WinHttp-Autoproxy-Service/5.1".  So I believe it is a std Windows process. If you never set up proxy settings to be automatic, it does not query for wpad.dat (at least not within the first 2-3 hours after initial Win10 install - I did not wait any longer).  It starts doing this after the first time you set up the proxy settings to be automatic.  Windows initially gets the wpad.dat and then the proxy answers "304 Not Modified" for the following queries.  And after each of these following queries for wpad.dat, "manual settings" are unchecked, "automatic settings" are unchecked, but wpad.dat settings are active again.  And any data entered into the manual fields are cleared. It may take 10 minutes or it may take 60 minutes for the following "GET /wpad.dat" to be sent.  For me it looked like "out of a sudden someone asks for wpad.dat and resets my settings".  At first I thought it would be time to do something else because I can't concentrate anymore… The clean install of Windows 10 does not even have any AV software, which often does some sort of proxy stuff. Maybe it has to do with a specific Windows version after lots of OS updates that come in after install.  I have no clue... I just wanted to let others know, because this drove me crazy.  Maybe it's gone again with next Windows updates.

Great to hear I'm not the only one with that issue. We have over 15 sites with PFSense with that issue. For the moment I'm using a cron job to delete the log file every night as it grows so fast and already caused lack of disk space on some sites. It would be great if the developers could describe how the squid config really works in terms of squid.conf and squid.inc etc. So far no reply from them. Thanks, Rafe