The config as you have it should allow you to access the website with https://192.168.172.251:443, though I do find it strange that the frontend has a private IP and your backend seems to point to a public IP.
The backend server is usually on the LAN/DMZ network and likely using a private IP.
The frontend should be listening on the WAN IP (or wherever you want to accept connections); a firewall rule is needed to allow access to this port.
Not sure if this answers your question? I couldn't make complete sense of it.
DansGuardian inserts the user name in the log if the authentication mode is Proxy-Basic (maybe other modes will do it too). I was using Proxy-NTLM. (Authentication was successful with NTLM and it was connecting to LDAP successfully as well.)
By default Squid will only allow 5 connections to SquidGuard; if you have more than 5 users at the same time you are doomed.
Now that you are in your shell, check cache.log and see if you have something like this:
2013/10/25 09:44:24| WARNING: All redirector processes are busy.
2013/10/25 09:44:24| Consider increasing the number of redirector processes in your config file.
If this is your case, just remember a formula:
number of SquidGuard threads x memory size of each one = RAM memory for SquidGuard.
Because SquidGuard depends on RAM, that is why it is fast.
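The check described in the post above (grep cache.log for the "All redirector processes are busy" warning, then size the number of redirector helpers against the RAM each one consumes), as an added example that is not from the forum thread or the pfSense/Squid projects. The sample cache.log lines are constructed to match the format the post quotes; the doubling heuristic, the per-helper memory figure and the RAM budget are assumptions a practitioner would replace with their own measurements. `url_rewrite_children` is the real squid.conf directive that controls the helper count; on pfSense squid.conf is generated by the package, so apply the equivalent setting through the package GUI rather than by hand-editing the file.

```python
"""Detect Squid redirector exhaustion in cache.log and size url_rewrite_children.

Added example, not code from the forum post. Sample log lines are constructed;
the memory-per-helper figure and RAM budget are assumptions, not measurements.
"""
import re
from datetime import datetime

# Squid's cache.log line shape: "YYYY/MM/DD HH:MM:SS| message"
LOG_LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
BUSY_MARKER = "All redirector processes are busy"

# Constructed sample in the same format as the two lines quoted in the post.
SAMPLE_CACHE_LOG = """\
2013/10/25 09:44:24| WARNING: All redirector processes are busy.
2013/10/25 09:44:24| Consider increasing the number of redirector processes in your config file.
2013/10/25 09:45:10| storeDirWriteCleanLogs: Starting...
2013/10/25 09:52:01| WARNING: All redirector processes are busy.
2013/10/25 09:52:01| Consider increasing the number of redirector processes in your config file.
"""


def find_redirector_busy(log_text):
    """Return the timestamps at which Squid reported every redirector helper busy."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and BUSY_MARKER in m.group(2):
            hits.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
    return hits


def squidguard_ram_mb(children, mb_per_child):
    """The post's formula: number of SquidGuard helpers x memory of each one = RAM needed."""
    return children * mb_per_child


def recommend_children(current_children, busy_events, mb_per_child, ram_budget_mb):
    """Assumed heuristic: double the helper count while the log shows exhaustion,
    but never recommend more helpers than the RAM budget can hold.
    Returns (children, ram_mb)."""
    children = current_children * 2 if busy_events else current_children
    max_children = max(1, ram_budget_mb // mb_per_child)
    children = min(children, max_children)
    return children, squidguard_ram_mb(children, mb_per_child)


def squid_conf_directive(children):
    """Render the squid.conf line that sets the redirector helper count."""
    return f"url_rewrite_children {children}"


if __name__ == "__main__":
    hits = find_redirector_busy(SAMPLE_CACHE_LOG)
    print(f"{len(hits)} redirector-busy events, first at {hits[0]:%H:%M:%S}")
    # Assumed: 5 helpers today, ~30 MB each, 1 GB set aside for SquidGuard.
    children, ram = recommend_children(5, hits, mb_per_child=30, ram_budget_mb=1024)
    print(squid_conf_directive(children), f"# about {ram} MB of RAM")
```

Run it against a copy of /var/squid/logs/cache.log (the default pfSense location is an assumption here) by passing the file contents to `find_redirector_busy`; if it returns an empty list the helper count is not your bottleneck and raising it only costs RAM.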
Will Snort (LAN) work with an access point connected directly to pfSense?
Sure, why not? It's just a WLAN.
I think Snort (LAN) doesn't work if a switch is connected and the data is being sent directly to the other device through the switch, basically bypassing the firewall?
Yes, that's kind of obvious. Snort on pfSense can only scan the networks attached to it. If your existing WLAN goes to a switch that's upstream from pfSense then pfSense isn't even part of the network path for your wireless clients.
Thank you Kom, still a little new at this. Just to confirm, traffic between clients on a WLAN will pass through pfSense (if directly attached)? Or does it work like a switch and traffic flows between wireless clients without passing through pfSense?
Why don't you use a double firewall then? Leave the phone plugged into the first router (192.168.1.1); the pfSense box on the WAN interface can either be the IP you said or get a DHCP lease from the first router.
Then on the LAN side use a 10.x.x.x IP scheme so that none of the LAN side will even see the same subnet as the first router. Then put all your computers behind the second router (pfSense).
I have that working here at home now. I think DansGuardian would be a better choice as it is a content filter, not just a DNS URL blocker.
You will still need to have the SSL man in the middle working or Google won't get filtered.
That sort of setup isn't possible currently. It would take a lot more code to allow the proxy to run multiple instances and use separate settings for each one. Probably more than double the code it has now, if not more. It's not likely to happen any time soon, the old style kernel FTP proxy may come back before that would happen.
OK, looks like the problem was an interface without IP config that was inadvertently selected under proxy interfaces on the Squid config page. Seems to be working now (at least the service starts); these errors/warnings remain:
php-fpm: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/03/31 18:38:12| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"'
which came from "Cache Dynamic Content" being unselected while multiple options like "Windows Update" were selected below it, so enabling it again got rid of the warning above.
Yes, you did. Thank you very much for posting the fix. I applied it by patching the 2 new lines of code into my local version; it was a perfect diff save for those, so I could also have just dropped your new file in.
It worked perfectly on the following configuration:
The proxy PAC file is provided by the filtering service provided to the school and nothing works without it.
However, I may now have a way past this as I'm being sent a fixed proxy IP and port which pfSense will take.
Hello, no, I don't use captive portal. I think this is related to the newer FreeBSD base operating system on 2.2, that it cannot listen on low ports. I get the same error in HAProxy. I have disabled WebGUI redirect.
I will try to do a forwarding rule from port 80 to a higher port in the firewall rules settings.
After uninstalling and installing round and round I finally got it working. :)
I believe there's an issue if you add your 1st webserver then add 2 mappings right away; it won't allow any other connections to work. I had to add 1 webserver at a time and 1 mapping at a time, then go back and add the second mapping.