• WPAD IP Exclusion

    5
    0 Votes
    5 Posts
    6k Views
    G
    My PFBox setup is squid + squidguard wpad I will give it a try. Or maybe putting an IP address in Proxy Server -> Access Control -> ACLs will do the trick?
  • Squid/Squidguard blacklist nginx bug

    2
    0 Votes
    2 Posts
    676 Views
    KOMK
    What news are you expecting?  WPAD requires an HTTP server, not HTTPS.

    https://technet.microsoft.com/en-us/library/cc995261.aspx?f=255&MSPPError=-2147217396

    Implementing DNS or DHCP

    Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both:

    - WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names.
    - When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery.
    - A valid DHCP server must be installed.
    - When using DNS to publish WPAD, automatic discovery must be configured to use port 80. Alternatively, the outgoing Web requests must be configured to listen on port 80.
    - WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."

    Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.
  • Request denied by pfSense proxy: 403 Forbidden

    6
    0 Votes
    6 Posts
    9k Views
    KOMK
    When you make any changes to squidguard, you need to remember to go back to the General settings page and click the Apply button or nothing you did will take effect.
  • Squid Squid Proxy Server Service

    2
    0 Votes
    2 Posts
    462 Views
    T
    Clear cache. Proxy Server: Cache Management -> Local Cache
  • Layer 7 functionality arrives

    3
    0 Votes
    3 Posts
    1k Views
    F
    Hi, this does not work when the explicit proxy is configured. Example: I configure squid + sslbump on a VLAN (ex: vlan10), I configure snort on vlan10 with all appID = Result: nothing is detected. Without the proxy, everything is detected by appID. Thanks. Best regards, fred
  • Adzap

    5
    0 Votes
    5 Posts
    922 Views
    KOMK
    Personally, I find pfBlocker too heavy of a package for me to want to deal with just to block ads.  I use Pi-hole myself on a cheap little Pi.  Works like a charm.
  • Some help over here please

    6
    0 Votes
    6 Posts
    886 Views
    M
    Thanks In advance brother
  • HAProxy or STunnel for HTTPS proxy?

    9
    0 Votes
    9 Posts
    3k Views
    valnarV
    I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first. Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

    Stunnel rule
      Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
      Listen on port 3456
      Redirect to 192.168.1.15  (Camera software box)
      Redirects on port 81

    NAT rule
      Interface:     WAN
      Protocol:      TCP
      Dest Address:  WAN Address
      Dest Ports:    3456
      NAT IP:        192.168.1.1
      NAT Ports:     3456

    NAT created FW rule
      Protocol:      IPv4 TCP
      Source:        *
      Destination:   192.168.1.1
      Port:          3456
  • HAProxy Transparent ClientIP security question

    1
    0 Votes
    1 Posts
    648 Views
    No one has replied
  • Chrome for Business and SQUID Proxy - Secure Connection?

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • FYI: Strange WPAD behavior with Windows 10

    3
    0 Votes
    3 Posts
    2k Views
    D
    Absolutely sure.  We don't use policies or any other sorts of enforcements.  We tried to build our network around KISS.

    I took a look at the trace I saved: The process querying for the WPAD data got no name (is called "unavailable"), but the "GET /wpad.dat" packet says:  "User-Agent: WinHttp-Autoproxy-Service/5.1".  So I believe it is a std Windows process.

    If you never set up proxy settings to be automatic, it does not query for wpad.dat (at least not within the first 2-3 hours after initial Win10 install - I did not wait any longer).  It starts doing this after the first time you set up the proxy settings to be automatic.  Windows initially gets the wpad.dat and then the proxy answers "304 Not Modified" for the following queries.  And after each of these following queries for wpad.dat, "manual settings" are unchecked, "automatic settings" are unchecked, but wpad.dat settings are active again.  And any data entered into the manual fields are cleared.

    It may take 10 minutes or it may take 60 minutes for the following "GET /wpad.dat" to be sent.  For me it looked like "out of a sudden someone asks for wpad.dat and resets my settings".  At first I thought it would be time to do something else because I can't concentrate anymore…

    The clean install of Windows 10 does not even have any AV software, which often does some sort of proxy stuff.

    Maybe it has to do with a specific Windows version after lots of OS updates that come in after install.  I have no clue...

    I just wanted to let others know, because this drove me crazy.  Maybe it's gone again with next Windows updates.
  • Squid log rotate - bug ?

    3
    0 Votes
    3 Posts
    1k Views
    R
    Great to hear I'm not the only one with that issue. We have over 15 sites with PFSense with that issue. For the moment I'm using a cron job to delete the log file every night as it grows so fast and already caused lack of disk space on some sites. It would be great if the developers could describe how the squid config really works in terms of squid.conf and squid.inc etc. So far no reply from them. Thanks, Rafe
  • Squid Interception through VPN

    3
    0 Votes
    3 Posts
    2k Views
    C
    Crickets, nothing? No help? I pinpointed my issue more towards router iptables anyway. I was told the brightest people on this subject would know how to get this going. I guess they were wrong, either that or people are too lazy to read a long thorough post instead of guessing the setup and giving wrong replies.
  • Problem to activate Kaspersky antivirus over transparent squid proxy

    9
    0 Votes
    9 Posts
    2k Views
    C
    @sichent: If you need to bypass the HTTPS description you cannot just whitelist in pfSense UI I guess. You need to actively splice by ssl::server_name. Now I have a question! ??? So, what's the whitelist purpose?
  • Updated to 0.55 HAproxy now Strange SSL error when Offloading

    3
    0 Votes
    3 Posts
    596 Views
    Z
    Worked like a charm! Thanks. Anything else you noticed in my haconfig that should be changed?
  • Modifying URL via matching regex to rewrite url

    3
    0 Votes
    3 Posts
    2k Views
    D
    Thanks for the reply.  Will move over there, thanks.
  • HAProxy timeouts for any subdomain

    7
    0 Votes
    7 Posts
    3k Views
    P
    In case of 'shared frontends' only 1 frontend is written to the config, and the configuration settings are 'combined' so that might be ok. Does the webserver server line also count bytes in/out? What if you run a 'curl http://webserver.example.net/' request to the haproxy frontend? Does that time out as well? Or does it perhaps redirect to a https://wanip:443/ while haproxy is listening on :80, or perhaps a redirect to https://url:9001? In which case the timeout would make sense as those ports are likely not open. What do haproxy logs tell for the request? Either send them to a syslog server elsewhere on the network, or to the local log socket so it will show in status\packagelogs.
  • Noob looking for filtering help.

    8
    0 Votes
    8 Posts
    1k Views
    -
    @KOM: Isn't Diladele some paid application??  You don't need them to do URL filtering. Thanks for pointing that out. I'm at work and gave the guide he posted a quick look, and the first page had what appeared to be clear instructions. I didn't realize he was promoting a company… Was definitely misled. -RYknow
  • HAproxy email notifications

    2
    0 Votes
    2 Posts
    2k Views
    P
    Haproxy just makes a plain tcp connection to port 25 and sends a few commands.. to push out a receiver subject and body.. the mailserver must be configured to not require authentication from haproxy's ip for this to work. No authentication setting is available: http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#3.6
  • Proxy exposed to the internet (Pandora - Access Denied)

    5
    0 Votes
    5 Posts
    970 Views
    L
    An update… I connected a laptop to the WAN side segment and I was able to connect to the proxy. So seems the problem is the router port forward... it is like it needs another port besides 3128 to connect. Leo Manes
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.