Try this setup a WPAD (make web browser use it ) Manual configure any device that cannot use a WPAD Use transparent proxy with MITM splice all to catch the rest https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3/178

You need to monitor it, see where it's really going and then block that.

@lido14 'Normally' IPFW is not running when only pfSense is used without captive-portal.. The quickest fix is probably to give pfSense a reboot.. Haproxy loads and configures IPFW if it 'needs' transparent-client-ip with its current config settings.. If none of the backends require this the IPFW related configuration code is likely completely skipped. It does not remember that it still needs to disable the old ipfw settings.... I guess i need to set a little 'flag' that transparent-client-ip was used and check that to remove the last rules if the current config doesn't use it anymore.. I'm not sure if unloading ipfw itself is possible.. i think there was a issue there...

Will be nice to learn how to do it both ways - using haproxy and just using the internal CAs as @johnpoz proposes. I went the haproxy route and couldnt get it to work. I have the certs issued and haproxy setup. Perhaps @Renat you can provide a guide how to do it and I will see if that can get me over the hump since I have already done most of the steps? ( some screenshots of haproxy setup). Also anything has to be done on the synology side?

It shouldn't cause any problems, but if you're unsure then wait until there is low traffic and then try it. It's easy enough to revert.

You see any errors in the cache log? That image appears to be called from some local location data:image/png;base64,iVBORw0K...... I'm not sure that would be cached at all anyway. Steve

@vacquah While it works, the Synology does not seem to automatically update the certs even though it is supposed to. I do get a reminder so can manually get it to update. On the synology side you need to set it up with the certificates part on the control panel. There are plenty of web hits on how to do this part. The HAProxy part is basically how I have it in a few posting before this. You need to be careful of the order of things as I had my pfSense path first and it was matching that and going there and never got to the synology match. After a reordering it worked as it should.

That package has ZERO to do with passive.. Its Active Client Proxy.. Ie client using active connection to server outside pfsense. When connection in passive mode the internal IP address is given to the client thru the WAN interface Yeah setup your server to give out your actual public.. here https://docs.netgate.com/pfsense/en/latest/nat/ftp-without-a-proxy.html BTW - not related to your ftp problem, but you should be on p3

Ok. So I got the system to work by disabling the firewall on pfsense itself. That led me to the firewall on pfSense and added 7445 on the actual server firewall. I just assumed that by enabling LightSquid it would have added that rule. Thanks, and I hope that helps someone else having the issue.

@sarasaunders Thanks to you for help, we will get back to you after our tests.

@tleadley This has never been answered, it was a configuration error with a hairpin DNS. It was corrected by creating the correct rules to forward to the appropriate server behind our DMZ interface. We also switched to HAproxy which gave us the ablility to host multiple sites with multiple certs! We can mark this solved!

If squid starts and then dies due to some reason, it should be logged in Status - System Logs. What do you get if you shell in and run: squid -k parse or squid -k reconfigure

@aGeekhere I don't have time to finish reading the post right now but it looks like a lot of good info. I don't remember seeing that page. The reason WPAD won't do us much good is because we have to be able to filter all internet access, including public WiFi.