https://doc.pfsense.org/index.php/Lightsquid_Troubleshooting

1 - Deny access to internet through your firewall except from proxy 2 - configure your proxy 3 - set up WPAD so that clients easily point to your proxy With such design, you can configure policy routing that will apply and also benefit from proxy (squidguard) filtering. BTW, from architecture standpoint, this design is better than services running on pfSense.

Hi Guys I think I found a bug: When the option "Enable logging" is ON and you specify exclusions of IP's through ACL's, these ACL's do not get honoured, BUT If you switch "Enable logging" OFF and you specify your logfile in your ACL, it gets excluded. Actually, If you leave "Enable logging" is ON and specify your logfile in your ACL, the entry gets duplicated except for the excluded IP… Example ACL: acl IP-LIST src "/root/ip-list.txt" access_log /var/squid/log/access.log !IP-LIST If the "Enable logging" OFF - You get one logfile entry in your logfile and the excluded IP's are excluded. If the "Enable logging" ON - You get two logfile entries and the excluded IP's gets logged once. So, it seems there needs to be some kind of "PRE PROCESSING" needed to exclude IP's from your logfile… Please could someone confirm? kind regards cyber7 - AKA Aubrey Kloppers; Cape Town; South Africa

on pfsense 2.1.5-amd64  I am using squid3-dev with captiveportal authentication  flawlessly Apparently you are the one in a million  8)

Thank For your answer and i will following your instruction if can't fix it. :D :D

From a pure technical standpoint, you could do this: (&((|(memberOf=cn=group_A,ou=staff,dc=domain,dc=co,dc=uk)(memberOf=cn=group_B,ou=staff,dc=domain,dc=co,dc=uk))(sAMAccountName=%s)) or use one single group in Squid that is matching one group in AD containing multiple AD groups. Does this work? I'm also not using pfSense Squid package  ;) therefore I don't know the interface neither features that are exposed but Squid allows to create multiple rules. The first one matching will apply. Therefore you're not obliged to merge everything into one single LDAP search isn't? (unless pfSense implement brings some restrictions here  :-[)

Because "Disable Ping" wasn't available in 2.1?

Hi Thank you PiBa, you were right, the problem was windows servers, that did not return the traffic, I talked to our windows and network administrator, and they corrected the routing. now everything is working. thanks

What we are talking about is getting reports on the captive portal users with their user ID instead of their IP address using the Squid captive portal authentication method. Ahh ok now I understand it better!

dgall, if you continue to block using IPs, it's much more practical to use pfBlockerNG to download the list of IPs from "Hurricane Electric" and the package will download updates on a frequent basis. See the following thread (#6) - https://forum.pfsense.org/index.php?topic=86212.msg485046#msg485046

Yeah, you can't go around blocking CDNs or you will have problems with lots of popular sites.

So I am still not sure exactly what the heck is going on. In some cases, it does appear that SYNs are not being responded to. I am not sure why. Then shortly after, it works…??? I added the following to my Squid config, on the General tab in the "Custom ACLS (Before_Auth)" section, and this is helping a lot...though still not good enough for "production": connect_timeout 2 forward_max_tries 2 connect_retries 2

Time to upgrade.

answering my question I used custom options - Custom ACLS (Before_Auth) and put cache_peer 138.203.144.56 parent 1080 7 no-query never_direct allow all it works now.

@BBcan177: pkg_edit.php is used in several places, you will need to provide more details to see what the issue is. When I try to use the group acl as pictured [image: filter.gif] As you can see it displays the warning and error message and the drop down is empty. I looked at the file and it looks like this: 576 - $size = ($pkga['size'] ? " size='{$pkga['size']}' " : ""); 577 - $onchange = (isset($pkga['onchange']) ? "onchange="{$pkga['onchange']}"" : ''); 578 - $input = "<select id="" . $pkga[" fieldname']="" .="" "'="" $multiple="" $size="" $onchange="" name="&quot;$fieldname&quot;">\n";579 - foreach ($pkga['options']['option'] as $opt) {580 - $selected = (in_array($opt['value'], $items) ? 'selected="selected"' : '');581 - $input .= "\t<option value="&quot;{$opt['value']}&quot;" {$selected}="">{$opt['name']}</option>\n";582 - }But of course I have no idea what the error is.ThanksJabo</select>

Its not possible to manually edit the config files and keep your changes when for example rebooting.. For haproxy you could configure most items manually by using the 'advanced' textbox on the settings tab if you really want to.. Though haproxy 1.5 packages allow for configuring certificates from its gui..

1.4 and 1.5 both support 'redirect scheme' http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#redirect http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#redirect For ssl-offloading at least 1.5 is required. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt You can install it by using the haproxy-1_5 or haproxy-devel package.