Yes, it is possible.

BUT you cannot use transparent proxy and authenticated (password protected) proxy at the same time.

Squid's basic auth is crap. It's based on crypt and cannot use any password over 8 characters long.

In prior versions the password was silently truncated and accepted, now it's rejected, which is more correct.

Nevermind, I solved the problem.

Since my company uses Google Apps for work, there was a "cloud" policy under Google Admin Center which sent the proxy to all linked accounts on Chrome.
The policy was explicit set to connect directly to the internet.

That´s why the "change proxy" button was even grayed out.

post your LDAP settings and filter criteria please

@monkeyx:

Hi,

The settings below were copied from a forum post, that I used to help improve performance of squid on pfSense 2.2. Could anyone advise if these settings are still needed on 2.3?

add this to the /boot/loader.conf kern.ipc.nmbclusters=32768 kern.maxfiles=65536 kern.maxfilesperproc=32768 net.inet.ip.portrange.last=65535 or just delete it and replace with autoboot_delay="1" #kern.ipc.nmbclusters="0" hint.apic.0.disabled=1 kern.hz=100 #for squid kern.ipc.nmbclusters="32768" kern.maxfiles="65536" kern.maxfilesperproc="32768" net.inet.ip.portrange.last="65535" you might ask why squid is so slow? its because default configuration of pfsense is router not as a server thats why kern.ipc.nmbclusters="0" <- is set to zero. if you just simply remove this squid will be just fine. but to tune the squid i add this kern.ipc.nmbclusters: 32768 kern.maxfiles=65536 kern.maxfilesperproc=32768 net.inet.ip.portrange.last: 65535

I believe kern.ipc.nmbclusters is the only /boot/loader.conf.local variable you need to set. All of the other settings are managed by pfSense/FreeBSD and are bigger than the values recommended for pfSense 2.2 and earlier:

[2.3.2-DEVELOPMENT][root@pfSense.lan]/root/scripts: sysctl net.inet.ip.portrange.last net.inet.ip.portrange.last: 65535 [2.3.2-DEVELOPMENT][root@pfSense.lan]/root/scripts: sysctl kern.maxfilesperproc kern.maxfilesperproc: 232389 [2.3.2-DEVELOPMENT][root@pfSense.lan]/root/scripts: sysctl kern.maxfiles kern.maxfiles: 258216 [2.3.2-DEVELOPMENT][root@pfSense.lan]/root/scripts: sysctl kern.ipc.nmbclusters kern.ipc.nmbclusters: 1000000 [2.3.2-DEVELOPMENT][root@pfSense.lan]/root/scripts:

No, you cannot have authentication active in squid while also having transparent mode active.

There may be some other way to reach the same goal, however, it wouldn't involve strictly using pfSense (e.g. second proxy box you could manually configure with auth, or maybe 802.1x auth to drop into another VLAN, etc)

yes i did.. anyways thanks for the help i already fixed the problem

CHEERS!

It is hard to keep in mind all nuances in all threads :D
I never had to use that guide, but as I can see - this exactly what you need, working OVPN as one of backends and X-Forwarded for web requests.

You are using a domain name instead on an IP.

as I remeber filtering was working. I had lan interface aitting in default vlan while other interfaces in different vlans an different subnet, requests from that subnets was filtered but not badwidth. bandwidth was my problem. squid was listening to lan interface in default vlan. forget to mention that on lan interface was tagged other vlans not to other physical interfaces.

I have the same problem, the server have internet conection and the time its ok, but i can't install anything
help pls.

Yes, Facebook has multiple IPs and FQDN. If I use the Firewall Alias option I can just load up the Alias (facebook.com fb.com www.facebook.com www.fb.com). The alias blocks fine.

I have not tried to keep cycling the service. I was taking for granted the 'Apply' under Squid Filter was refreshing the config and clearing the cache. Does any one know for sure?

@KOM:

You should probably post your question in the forum for your native language, if it exists, because your questions don't make much sense.  You would access those web resources using their URLs just as you have put them.  Squid isn't going to intercept anything on port 7001 without you adding an ACL to Squid's Custom ACLS section.  To intercept HTTPS on transparent proxy, you need to enable Man in the Middle SSL filtering and install pfSense certificate son every client.

KOM, Thank you very much, you solved my problem!

Can someone confirm the problem or is it just me?

Hi jimp,

thanks for your reply. :)

I tried to give Squid the Custom config
tcp_outgoing_address 87.199.9.9
in the field "Custom ACLS (After Auth)".
But the IP did not change.. The "WAN Address" is still shown to the public.

If i put that line in "Custom ACLS (Before Auth)" i am getting the squid error page while loading a website "The System answered [No Error]".
I also get the error page when i put the line in the "Integrations" field.

The IPs are configured as IP Alias.
Any more hints? :)

Greets