@venom3: do you have a custom whiltelist setup? are the services running? As venom 3 said, yo need at least one custom category defined in "Target categories" with at least one domain, url or regular expression. May I suggest a "White_list" category, where you put the addresses you want to be accessed without any trouble (like google or similar)? Good luck!

Do you have enabled the Squid Log?

Hi!, seems that maybe yo have missconfigured something in the ACL. A pair of questions: ¿Are you using Explicit or transparent proxy? ¿Are you using a blacklist file (like shallalist.de) in squidguard? in case of yes, please indicate which. ¿Did you create a custom category? (the blacklist needs at least one custom category in "Target Categories") If you could attach a screenshot of your "Common ACL" Target categories section, it would be very helpful. Greetings!

Simply upgrade your pfSense and don't use outdated buggy versions.

Hi, installed SquidGuard again, it seems that it had preserved all my settings including the dummytarget … and its also not starting at the moment. Then i was searching the complete WebGUI inside the SquidGurad for the E2Guardian Options and what maybe could setup in there, but unfortunaly found nothing. Then i googled for E2Guardian. Ok, it seems to be a completely other thing ... instead of using SquidGuard  ;D ... which i can't install over the package manager. HiHi. I completely misunderstood ... never hadn't heard before about E2Guardian, sorry ... lol. So you mean it would better to let SquidGuard simply SquidGuard, not use it and have a look to E2Guardian, if its available as a package?! Then I'm deinstalling SquidGuard again and have a look, time to time, if E2Guardian is available in the future. Thx for the hint.

now lmiter is working protcol https I have found a temporary solution to this problem but it is not clean by using nat requests from port 443 to port 3129 and using rule limter nat proxcy 127.0.0.1 3129 but i want developers to fix this problem to make clean work im using pfsense 2.4 include vmawer esxi 6 [image: jjj.jpg] [image: jjj.jpg_thumb]

Chrome is using system proxy settings. If misconfigured, it won't of course use any proxy at all. Also, if bypassing proxy is such a huge issue, you should either use transparent proxy, or block direct access via firewall.

@doktornotor: @vielfede: Sorry Dok, Maybe I missed something… although i read every squid manual in this forum... but... I do not understand, how can I filter sites without SG? Could you exlpain briefly please? Well, it's briefly explained in the Squid GUI when you click the i next to SSL/MITM Mode. Sorry again… I'm quite confused... but I understand SG is needed in Splice All… Splice All: This configuration is suitable if you want to use the SquidGuard package for web filtering. All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according its rules, as it does with HTTP. You do not need to install the CA certificate configured below on clients. Content filtering (such as Antivirus) will not be available for SSL sites.

@doktornotor: Well I don't get the question really… that's the whole purpose of the feature. If you don't want it, do NOT make the proxy transparent (or whitelist stuff that's not supposed to get proxied). Again thanks for the guidance But to control some sites, I need to enable this option, and on the other hand, I have the problem

Unsupported hack: https://forum.pfsense.org/index.php?topic=121387.msg670943#msg670943

Well it simply never worked in pfSense, no idea whether it ever worked in FreeBSD but the 7+ years old hints about rdr don't produce any working result for anyone who tried.

yes that was the problem. After I disabled it, it worked fine. Thank you

Thanks for your input KOM, Much appreciated! If anyone else can shed some light that would be fantastic! Cheers, Nick.

You cannot mess with squid.conf directly. There are at least 3 advanced fields for custom ACLs in the GUI (General tab, click the Show Advanced Options button) – may I suggest investigating the GUI configuration more thoroughly?

Found the right configuration with the help of the Squid Users mailing list. I had to add different options to ignore cache control and force the cache to keep and serve the content. But it's working now. For the record, I'm posting the working Squid Configuration below. http_port 10.10.10.10.108:3128 icp_port 0 digest_generation off dns_v4_first on pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language en icon_directory /usr/local/etc/squid/icons visible_hostname pfSense Firewall cache_mgr pfsense@virtualdesk.cloud access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger logfile_rotate 7 debug_options rotate=7 shutdown_lifetime 3 seconds forwarded_for on uri_whitespace strip refresh_pattern -i \.(jpg|gif|png|txt|docx|xlsx|pdf) 30240 100% 43800 override-expire ignore-private ignore-reload store-stale cache_mem 128 MB maximum_object_size_in_memory 20480 KB memory_replacement_policy lru cache_replacement_policy lru minimum_object_size 0 KB maximum_object_size 50 MB cache_dir ufs /var/squid/cache 100 16 256 offline_mode on cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp:    1440  20%  10080 refresh_pattern ^gopher:  1440  0%  1440 refresh_pattern -i (/cgi-bin/|\?) 0  0%  0 refresh_pattern .    0  20%  4320 #ACL allow all acl allsrc src all http_access allow allsrc request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings https_port 10.10.10.10.108:443 accel cert=/usr/local/etc/squid/599eae0080989.crt key=/usr/local/etc/squid/599eae0080989.key defaultsite=tenant.sharepoint.com vhost # cache_peer 13.107.6.151 parent 443 0 ignore-cc no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_sharepoint

Try this https://datalogus.blogspot.com/2016/06/pfsense-231-security-explicit-squid.html

Noone read the GUI descriptions these days? Sigh… [image: xV1HYlFXR9e4HGcdW3hPZw.png] Stop ticking that checkbox or configure a valid CA certificate created in Cert. Manager.

Disregard, turns out these sites were being blocked by Snort.