Hello,

we have the same probleme –>

If squid is not transparent it works fine, as soon as i try to use squid in transparent mode, it strips out http.

…after i´m upgrade the pfSense to 2.3.3 and update the package Squid package to 0.4.36_2.

Same system and pkg versions like olivierofava.

@doktornotor
Sorry, but behind the link there is nothing.

Do NOT multipost. https://forum.pfsense.org/index.php?topic=127998.0

I remember that we have the problem in the past.

I think it was this problem: https://redmine.pfsense.org/issues/5869
Feels like the same…

Best Regards
Jesse

chidgear Thanks

Your Logic worked for me using SSL with transparent mode and skype working Fine.
including group conversation + File send / receive

All what we need to do, as Microsoft added some IP's in its AS Number Network IP series.
use this to find it.
whois -h whois.radb.net '!gAS198015'

Link is here , you get the Info.
http://bgp.he.net/AS198015#_asinfo

Cheers !!!!
;) :) :) :) :) 8)

@chidgear:

Okay, I respond partially to myself (this isn't over yet), but if someone gets it useful, here are some progress I did.

Looking on other forums and internet articles, I found a buddy having a similar trouble, caused by his skype version. Once discarded that their windows and IE version where the problem, one user said:

What do you see now when you open this link in your Internet Explorer?

https://apps.skypeassets.com/static/skype.client.l​​​​​​​​​ogin/3.0/3.30/release/login.html

This gave me an idea… I tried it on a restricted machine and Voila! it showed the IP's I needed in the squid error screen saying that there was a handshake error. I putted the IP's on the bypass and skype worked again. I can log in and out anytime, and send messages without the message saying that cannot be delivered.
(It could change on time, but until today, these where the IP addresses:

23.73.247.53 23.2.99.20 23.11.250.157

all of them provided (in some or another way) from apps.skypeassets.com

I added these ips, and the FQDN apps.skypeassets.com to the bypass and the login issue was over. Now, there is another issue.
The files cannot be sent, and I cant see all my contacts in realtime. I guess this is a matter of the skype cloud, so I'll keep digging. If someone wants to help, or has some information about the skype cloud IPs, I'll be gratefull.

0_0)b Good luck!

references: Sorry, we couldn't connect to skype. please check …

I dont know that how I attach squid log

Check with firebug or embeded site debug available on current browsers. Check network status to see it the authentication are poping up for each image. Or if show site erros on JavaScript

Does it look like what you need?

[Internet] [real IP address] [Proxy 1] – 192.168.4.70  [192.168.4.0/24]  192.168.4.80  –--- [Proxy 2] –--- 10.30.30.1    -----  LAN users
                                                  --  192.168.5.70  [192.168.5.0/24]  192.168.5.80  –--                ----- 10.30.30.2    ---------

When you give IP to users, will it be proxy IP or gateway IP?
Or it does not matter?
Why do you need to mask proxy, exactly? Could you explain in detail, preferably live example?
Are you good at networking or newbie ?

if it helps for web filtering

https://forum.pfsense.org/index.php?topic=112335.0

You'd have to set that in your squid settings somehow. All the firewall sees is the client talking to the proxy on the proxy port. Beyond that it's the proxy handling whatever the client wants.

Its a project for work so I do need the https filtering but as its BYOD I can't push certs. Splice all works, its just that there is no url database that comes close to what Fortigate offers. I didn't expect it would work as well, the databases being provided for free after all.

So I do want https filtering I just don't want to push certs but all sichent posts assume I'm ok with certs ;)

In short: Splicing blocks https but the lack of a solid (paid) database means pfsense won't be an alternative to our Fortigates.

https://forum.pfsense.org/index.php?topic=124402.msg688335#msg688335

Hi

a big thanks
The problem was i don't define a name for the acl action  :-[ :-[ :-[

thank you for your help.

Lolo

Sorry, I was absent and haven't access to forum

I find source of problem. It's appear when in field "Remote syslog host" I fill "/var/run/log", recommended for local logging. And after I clear this field - no problem with log files. But I not see any messages from Haproxy in local log.//

i have apply the modification,

i will see today  if there are any changes (i have meet the problem not with the portail 365 but the outlook 201x)

an other question when we use splice whitelist bump otherwise, (squidguard will not work ??), so we should enter the domains that we will allow in acls whitelist ?? just that ?? the target categories of squidguard also no ??

Thanks

Create Aliases Called add WindowsUpdate and the following list for the networking group
157.54.0.0/15
157.56.0.0/14
157.60.0.0/16
65.52.0.0/14
70.37.0.0/17
70.37.128.0/18
207.46.0.0/16
131.107.0.0/16
66.119.144.0/20
23.96.0.0/13
204.79.195.0/24
204.79.196.0/23
208.76.44.0/22
208.68.136.0/21
216.220.208.0/20
209.240.192.0/19
204.14.180.0/22
206.191.224.0/19
192.92.90.0/24
208.84.0.0/21
104.40.0.0/13
192.197.157.0/24
204.231.192.0/24
104.208.0.0/13
129.75.0.0/16
204.79.179.0/24
64.4.0.0/18
167.220.0.0/17
167.220.128.0/18
167.220.192.0/19
192.92.214.0/24
207.68.128.0/18
13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
146.147.0.0/16
52.145.0.0/16
52.146.0.0/15
52.148.0.0/14
52.152.0.0/13
52.160.0.0/11
52.224.0.0/11
52.96.0.0/12
52.112.0.0/14
52.120.0.0/14
52.125.0.0/16
52.126.0.0/15
52.130.0.0/15
52.132.0.0/14
52.136.0.0/13
138.196.0.0/16
150.171.0.0/16
40.74.0.0/15
40.76.0.0/14
40.80.0.0/12
40.96.0.0/12
40.112.0.0/13
40.120.0.0/14
40.124.0.0/16
40.125.0.0/17
40.64.0.0/13
40.126.128.0/17
40.127.0.0/16
40.126.0.0/18
204.13.120.0/21
204.152.18.0/23
Then you go to Services –-> Squid Proxy Server ----> Bypass Proxy for These Destination IPs
Enter the created aliase called WindowsUpdate
And this way it fixes all the updates for Windows with Transparent Proxy

@ozbob:

After updating to pfsense 2.3.3 lost squid ntlm integration I installed with a samba script

Shit like installing Samba on the firewall is NOT supported.

::) ::) ::)

What kind of states are there? On wan or lan side? Having a acl or not should have no effect to the number of states.. Are you using transparent-Client-Ip on the backend?

To get rid of states you could possibly make some stateless floating rules, then pfsense wont track states anymore. Make sure to allow both ways and all types of flags..

False positives need to be reported to signatures maintainer, not here

When I try to request a certificate, I get an error.
The manual call of the URL supplies a service unavailable.

http://aaa.bbb.com/.well-known/acme-challenge/key [123.123.123.123]: 503

I think the ACME-Backend works not as expected.
How can I configure the firewall/HAProxy to listen on port 8080 for serving the files ACME wants to see?