If Facebook now owns Instagram, could it be that some Instagram services are co-mingled with Facebook servers?  If you're blocking the "Facebook" domain, depending on how Instagram resolves, it may land on a blocked Facebook server.  Other times when pfSense is resolving Instagram it could resolve to a non-blocked (not Facebook) server.  I think I read that pfSense uses the first IP of a domain and it will re-resolve when it needs to.
(?)
Just a shot in the dark.

Ok found the issue, when you clear your cache and go to the SDK Download page it asks what country, you must select USA to not get the redirect issue.
With downloading adobe AIR I do no know why they are just liking to the homepage.

@RickTosch:

Hi there,

I hope my reply does not come across as a hijacking one.
Similar scenario as LIGISTX. pfsense +squid in transparent more + SSL MITM. I just had to deploy certificates to Windows, Linux, iOS and android devices. My home environment consists of 10 machines so super tiny.
I guess I wont see much of a caching benefit?
The primary reason for squid for me was the use of built in Antivirus. I could not find HAVP in the package manager, like many guides reference too.

Can I ask please how you installed on Android?  I've installed my certificates, but when I disconnect from my wifi my devices 'connect' but on the devices they say they have no IP address.  They work with transparent HTTP but screw up when I add HTTPS, so I have to add them to the bypass filter.

Thanks in advance.

i know its been a while but i'll post my experience for future reference.

i had the same issue for quite some time and i solved it by making sure no peer (web server) had spaces on the names, i switches all the spaces to underscores and it was solved.

i can see you have a web server called "Win7 Test" … change that to "Win7_test" and that should do the trick. (at least it did it for me)

i hope it can solve the issue for at least some of you guys.

cheers.

i know its been a while but i'll post my experience for future reference.

i had the same issue for quite some time and i solved it by making sure no peer (web server) had spaces on the names, i switches all the spaces to underscores and it was solved.

i hope it can solve the issue for at least some of you guys.

cheers.

It has nothing to do with your or somebody else settings.

Its a Squid bug,
http://bugs.squid-cache.org/show_bug.cgi?id=4606

I guess we have to wait when it is fixed by Squid team and then when new package will be built by pfSense team later.
Interim solution will be to wait for pfSense team apply the patch (if there is patch that is confirmed functional and not causing any additional bugs)

How is your traffic forwarded to Barracuda Cloud Content Filtering ?
Please post your squid.conf here

@aGeekHere:

https://forum.pfsense.org/index.php?topic=112335.0

thanks a lot! this consumed me so much time without realizing it is nothing from end.

Thanks again!

It will only block what you have told it to block.

What you might find surprising is that when you go to a site like stackoverflow.com it most likely includes third-party libraries or content from Google, like analytics, and some of that might come from app.google.com. So you get redirected because the browser tried to load content from a site you told it to block.

Enable logging in squidGuard and on the ACLs/Categories then check the squidGuard logs. You'll see exactly what triggered it.

It's also possible that things not blocked are using HTTPS and you didn't configure it to catch HTTPS (e.g. didn't enable HTTPS interception / splice all properly)

Read the post above!

@doktornotor:

@marcelloc:

Didi you tried to do not select the loopback interface on squid transparent mode GUI config?

That's not even available for obvious reasons. https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.xml#L263

Plus, the firewall rules have been redone with https://github.com/pfsense/FreeBSD-ports/pull/305

People just should not necropost.

i tried and still didn't work , many thanks for your help

TQ DUDE…SOVLE MY PROB...HEHHEHE

No. There is no way to do that. It can only exit via the WAN with the firewall's default gateway.

Ok thanks for your reply! But for me it is not clear which part of configuration i have to add in the custom field. Is it enough to insert the following lines:

acl networkx src 172.16.0.0/16

ssl_bump splice network 1
ssl_bump bump all

Or is it necessary to insert something like "ssl_bump splice whitelist" somewhere between? (to get default behaviour)

Thanks!

You'd be a whole lot better off testing the unofficial E2G package: https://forum.pfsense.org/index.php?topic=128116.0

Hello,
many thanks for your reply.
With snort service up and Squid down everything was fine. So I was sure the problem was with Squid and some setting.

During the week end i found the problem and I report the solution for any newbie like me.

The problem was in SquidGuard and the standard categories: you have four option per each category, -, allow, deny, whitelist.
I configured all categories with deny or allow. For categories for which you are not interested if you put the - option and populate with deny only the ones you want to block, then everything works fine.

I'm still missing the reason and as a newbie it is still not very clear to me the difference between the - option and the allow.
In other professional appliances, you must put the option allow or by default it is intended as blocked.

As general experience after installing pfsense, what I miss is a comprehensive manual where all options are described and related effects are listed. For the rest, this firewall is great and has nothing less than several professional appliances.