chidgear Thanks Your Logic worked for me using SSL with transparent mode and skype working Fine. including group conversation + File send / receive All what we need to do, as Microsoft added some IP's in its AS Number Network IP series. use this to find it. whois -h whois.radb.net '!gAS198015' Link is here , you get the Info. http://bgp.he.net/AS198015#_asinfo Cheers !!!! ;) :) :) :) :) 8) @chidgear: Okay, I respond partially to myself (this isn't over yet), but if someone gets it useful, here are some progress I did. Looking on other forums and internet articles, I found a buddy having a similar trouble, caused by his skype version. Once discarded that their windows and IE version where the problem, one user said: What do you see now when you open this link in your Internet Explorer? https://apps.skypeassets.com/static/skype.client.l​​​​​​​​​ogin/3.0/3.30/release/login.html This gave me an idea… I tried it on a restricted machine and Voila! it showed the IP's I needed in the squid error screen saying that there was a handshake error. I putted the IP's on the bypass and skype worked again. I can log in and out anytime, and send messages without the message saying that cannot be delivered. (It could change on time, but until today, these where the IP addresses: 23.73.247.53 23.2.99.20 23.11.250.157 all of them provided (in some or another way) from apps.skypeassets.com I added these ips, and the FQDN apps.skypeassets.com to the bypass and the login issue was over. Now, there is another issue. The files cannot be sent, and I cant see all my contacts in realtime. I guess this is a matter of the skype cloud, so I'll keep digging. If someone wants to help, or has some information about the skype cloud IPs, I'll be gratefull. 0_0)b Good luck! references: Sorry, we couldn't connect to skype. please check …

I dont know that how I attach squid log

Check with firebug or embeded site debug available on current browsers. Check network status to see it the authentication are poping up for each image. Or if show site erros on JavaScript

Does it look like what you need? [Internet] [real IP address] [Proxy 1] – 192.168.4.70  [192.168.4.0/24]  192.168.4.80  –--- [Proxy 2] –--- 10.30.30.1    -----  LAN users                                                   --  192.168.5.70  [192.168.5.0/24]  192.168.5.80  –--                ----- 10.30.30.2    --------- When you give IP to users, will it be proxy IP or gateway IP? Or it does not matter? Why do you need to mask proxy, exactly? Could you explain in detail, preferably live example? Are you good at networking or newbie ?

if it helps for web filtering https://forum.pfsense.org/index.php?topic=112335.0

You'd have to set that in your squid settings somehow. All the firewall sees is the client talking to the proxy on the proxy port. Beyond that it's the proxy handling whatever the client wants.

Its a project for work so I do need the https filtering but as its BYOD I can't push certs. Splice all works, its just that there is no url database that comes close to what Fortigate offers. I didn't expect it would work as well, the databases being provided for free after all. So I do want https filtering I just don't want to push certs but all sichent posts assume I'm ok with certs ;) In short: Splicing blocks https but the lack of a solid (paid) database means pfsense won't be an alternative to our Fortigates.

https://forum.pfsense.org/index.php?topic=124402.msg688335#msg688335

Hi a big thanks The problem was i don't define a name for the acl action  :-[ :-[ :-[ thank you for your help. Lolo

Sorry, I was absent and haven't access to forum I find source of problem. It's appear when in field "Remote syslog host" I fill "/var/run/log", recommended for local logging. And after I clear this field - no problem with log files. But I not see any messages from Haproxy in local log.//

i have apply the modification, i will see today  if there are any changes (i have meet the problem not with the portail 365 but the outlook 201x) an other question when we use splice whitelist bump otherwise, (squidguard will not work ??), so we should enter the domains that we will allow in acls whitelist ?? just that ?? the target categories of squidguard also no ?? Thanks

Create Aliases Called add WindowsUpdate and the following list for the networking group 157.54.0.0/15 157.56.0.0/14 157.60.0.0/16 65.52.0.0/14 70.37.0.0/17 70.37.128.0/18 207.46.0.0/16 131.107.0.0/16 66.119.144.0/20 23.96.0.0/13 204.79.195.0/24 204.79.196.0/23 208.76.44.0/22 208.68.136.0/21 216.220.208.0/20 209.240.192.0/19 204.14.180.0/22 206.191.224.0/19 192.92.90.0/24 208.84.0.0/21 104.40.0.0/13 192.197.157.0/24 204.231.192.0/24 104.208.0.0/13 129.75.0.0/16 204.79.179.0/24 64.4.0.0/18 167.220.0.0/17 167.220.128.0/18 167.220.192.0/19 192.92.214.0/24 207.68.128.0/18 13.64.0.0/11 13.96.0.0/13 13.104.0.0/14 146.147.0.0/16 52.145.0.0/16 52.146.0.0/15 52.148.0.0/14 52.152.0.0/13 52.160.0.0/11 52.224.0.0/11 52.96.0.0/12 52.112.0.0/14 52.120.0.0/14 52.125.0.0/16 52.126.0.0/15 52.130.0.0/15 52.132.0.0/14 52.136.0.0/13 138.196.0.0/16 150.171.0.0/16 40.74.0.0/15 40.76.0.0/14 40.80.0.0/12 40.96.0.0/12 40.112.0.0/13 40.120.0.0/14 40.124.0.0/16 40.125.0.0/17 40.64.0.0/13 40.126.128.0/17 40.127.0.0/16 40.126.0.0/18 204.13.120.0/21 204.152.18.0/23 Then you go to Services –-> Squid Proxy Server ----> Bypass Proxy for These Destination IPs Enter the created aliase called WindowsUpdate And this way it fixes all the updates for Windows with Transparent Proxy

@ozbob: After updating to pfsense 2.3.3 lost squid ntlm integration I installed with a samba script Shit like installing Samba on the firewall is NOT supported. ::) ::) ::)

What kind of states are there? On wan or lan side? Having a acl or not should have no effect to the number of states.. Are you using transparent-Client-Ip on the backend? To get rid of states you could possibly make some stateless floating rules, then pfsense wont track states anymore. Make sure to allow both ways and all types of flags..

False positives need to be reported to signatures maintainer, not here

When I try to request a certificate, I get an error. The manual call of the URL supplies a service unavailable. http://aaa.bbb.com/.well-known/acme-challenge/key [123.123.123.123]: 503 I think the ACME-Backend works not as expected. How can I configure the firewall/HAProxy to listen on port 8080 for serving the files ACME wants to see?

You may look at the package Service Watchdog also for restarting stopped services.