Yeah now that you have squidguard you need to edit the common acl catergories or create groups if you want certain people to have access and other dont if not just have common ACL enabled to block tracker, ads etc. click save then click enable then appy

ummm for the cache downloads i have not had any luck so far only caching a few sites :(

Turns out adding a rule to allow all hosts in VLAN100 -> 127.0.0.1:3128 made it all work. Still a bit confused on why it was needed.

No, unfortunately not,
i searched everywhere and tested everything what comes to my mind, but i didn't get a solution until now.

regards
gruner

I thought that having the Transparent Proxy option unchecked put me in explicit mode?

That is correct.

How do I block off ports 80/443 from the LAN?

By adding a block rule above the Allow All rule.

old topic but curious how about Cache Dynamic Content?

I noticed that too.

I installed Cron and edited the daily schedule for Squid, removing the rotate command.

Before:

/usr/pbi/squid-amd64/sbin/squid -k rotate -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

Now:

/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

–--

I'm sure someone will jump here and say no change was made to Squid or Sarg that affects this... right...

I got the same Problem here :-/

This errormessage is spamming my log with far over 30 lines per second :-(

i have no IPv6 configured in my Network…

Edit:
I think i found the Bug

I have had the WAN Device set up to IPv6 DHCP, but i didn't got some IPv6 address.
After setting it to IPv6 none and restarting squid, the spamming stoppped.

Try This !!!

ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.2 /usr/lib/libldap-2.4.so.2
ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.8 /usr/lib/libldap-2.4.so.8
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-5.3.so.0 /usr/lib/libdb-5.3.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-4.6.so.0 /usr/lib/libdb-4.6.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb41.so.1 /usr/lib/libdb41.so.1

have nice day :3

Hi Trumee,

Ah i overlooked that indeed, if your using TCP mode it is not possible to modify the http content inside the encrypted ssl connection.
1- So to use the options i wrote you need to perform offloading on haproxy and load the certificates on pfSense.

Other options are:
2- proxy-protocol (on the server line you could add a advanced setting "send-proxy" or -v2 -v2-ssl -v2-ssl-cn , but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings.!.)

If you dont want to decrypt ssl traffic on haproxy then option 2 would probably be best if your nginx supports it..

Regards,
PiBa-NL

good to know, I'll make some changes.

thanks a lot.. thats wht i want to know : )

Update:

Not more than a minute after I posted this I found the solution.  Under the Group ACL tab and then under Target Rules is the following message:

ACCESS: 'whitelist' - always pass; 'deny' - block; 'allow' - pass, if not blocked.

Simply changing my target category to whitelist corrected the problem.

checked ,
Group 1 (192.168.0.230-192.168.0.254)

with Movies and other allowed

Group 2 192.168.0.2 -192.168.0.229

with movies blocked ,

now when there is two groups with first group in allow all  , squid guard filtering is not doing even thought squidguard is showing its running but its not blocking any sites

It all depends on your needs you have! If you don´t need Squid as a proxy you don´t need to
install squid for sure. It is like all other services, functions and features or options, if you don´t
need them really you don´t should install or activate them then.

It can be useful if there are children in a household and/or the family size is really big likes
5 till 10 persons in total. So you would be able to install Squid & SquidGuard with a user
authentication and then all things can be logged down the road what the whole family
was doing and it could also be regulated what they are all can do.

Hi,
Thank you for the reply,

Well..lets say I give that user access to 443 yes the Emails will come though but now he can navigate to https sites with no issue.

I was wondering if theres a way to force everything using NAT to redirect to squid ports

So after that all the programs would have to use port 3128

That being said bitdefender uses port 80 it works when i have transparent proxy and Yes if it comes to that I have gravity point and could just do it on the console with the proxy updates.

But I just dont like the fact blocking port 80/443 seems pretty radical

Sorry once again I failed to provide the version numbers…

pfsense 2.2.6-RELEASE (amd64)
SG 1.9.18
squid3 0.4.7

The integrations field contains the following:

url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0

I am not knowledgeable enough with squid to know what this does, so if you spot anything shady, please let me know!  At least, there is some references to squidguard..

I hope transparent proxy with squid works with 2.2.X otherwise whats the point of having the option to do so?  Plus it worked (somehow and not stable) in older versions of pfsense.

Regarding the antivirus, pfsense runs on a dual core CPU at 3.2GHz with 12GB RAM… So far it doesnt seem to be hindering bandwidth but I'll try to disable it to see if its faster.