@Nachtfalke: Status –> System Logs --> Settings Dsiable "Log packets matched from the default pass rules put in the ruleset" OR Create a specific Firewall rule with destination "127.0.0.1" , action=allow and port=any and source=any and siable logging. So traffic will match this specific rule and will be allowed but not logged. Well, your first suggestion stops all pass logging it seems. The second suggestion didn't work. I'm guessing since the traffic is on the lo0 interface?

Thats true the WPAD ignores that IP goes though for a moment I thought it was WPAD now that I have been doing a deep analyze its not it. Not even sure what to do now…

I found how to fix Captive Portal, so now I may try to use CP for squid authentication. For anyone that read this thread, DHCP can be run on the Domain and CP will still work, it is not required to have DHCP in pfsense.

@jetberrocal: @jetberrocal: @chris4916: 2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help This is an idea that I could try.  I will write down the outcome after trying. OK.  It worked nicely.  I did not use the default CP page as it includes authentication fields, I loaded a ngnix sample test page and it work as expected Thank you for the idea.  I was trying CP with authentication before and it did not work. (But that is another thread) Just one more question.  With this I do not need the block rules anymore? I answer my self the block rule question.  I removed them to test and it work without them.

Thank you for your reply I tried two methods which are manually configuration and WPAD but neither chrome nor firefox don't works as expected although i was sure that chrome or firefox used proxy configuration. I captured traffic and could see the CONNECT www.facebook.com but squid didn't logged domain in log file. Strange thing which i don't understand is if i close chrome or firefox, it works as expected. Best regards

Dear All, Please help on above. Regards,

Yes, that gets the socket file created with the correct ownership and everything seems to be working perfectly for me now. Thank you for the help PiBa.  You're awesome!

Apologies all… Google Foo was not playing well this morning... Thread with info I need is here:  https://forum.pfsense.org/index.php?topic=83236.0

The main problem with OpenDNS is that you can't segregate between blocked and non blocked clients You can in a way via firewall rules.  Non-blocked clients can get direct access out via port 53 to whatever DNS they choose.  Blocked clients will have their DNS requests captured and handled by pfSense.

on the backend i have added the following line to "Backend pass thru" reqrep ^([^\ :])\ /Automation/(.)    \1\ /\2 This seems to work is it possable to drop off the last forward slash / ? Cheers Rich

By default, I think squidGuard is configured to deny all so you would have to go to Target Categories, expand the list and then make sure that Default access [all] is set to Allow.

The script for cp authentication integration is updated on latest package version for pfSense 2.3.x.

I tested this using the freebsd http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/squid-devel-4.0.13.txz on pfsense 2.3.2 http and SSL filtering transparent and non transparent mode, works fine have to edit the squid.conf also. With squidguard i got short of file descriptor currently have this kern.maxfiles: 15260 with only 1 user got short of file descriptor so i move back to 3.5.19 official pfsense repo.  Same config with storeid_rewriter helper.

you cant load balance internal traffic from 127.0.0.0/8, best solution therefore is to use a parent proxy inside any of your lan and load balance that trafiic. REmember not to intercept that traffic from your parent proxy else you will be going to an infinite loop.

You also need to grant them access to "WebCfg - Package: Edit" or they can't submit info.