Maybe Squid and Snort can stay as holiday packages 📦 😉😉

My ticket was finally rejected because Squid will be removed in the next major version: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

Thank you very much. Works fine.

I use PfSense Plus so I can't test it

Ensure that the upstream Squid proxies (xxx.xxx.243.53 and xxx.xxx.243.54) are reachable and responsive. You can test this using tools like telnet or nc from the Netgate firewall. Double-check your Squid configuration settings to make sure there are no typos or misconfigurations. Pay close attention to the upstream proxy settings. Ensure that the version of Squid you are using (5.4.1) is compatible with your current environment and the other proxies. And remember, you can buy proxies quickly, but it's important to find a company you trust. Check the release notes for any known issues or updates related to your configuration. If the issue started after upgrading Squid, you might consider downgrading to a previous version that was stable in your environment. You can check the Squid release history and choose a version that was working well for you. Verify that there are no firewall rules blocking the Squid proxy from establishing connections to the upstream proxies. This includes both the Netgate firewall rules and any external firewalls.

@CZvacko @michmoor : Thank you for your answers.

I have just seen the deprecation notice: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software.

(And this is sad because out-of-the-box Squid support was 50% of the reason why I bought the Netgate 6100).

@viragomann Thank you!

I've got it working. I had 2 problems:

From what I have read, duckdns shares the txt file for let's encrypt on all your subdomains, that is the reason why the second SSL certificate Issue never completed. I have created another subdomain (in one custom domain), created the certificate and selecting it in Additional Certificates everything worked.

Thanks again

@vlurk
I tried to do this but the result was the same and I started to have more problems on my network with other devices, so I decided to leave squid in transparent mode for http and uninstall squidguard, and in squid I did not activate ssl; For https filtering I do it with pfblockerNG which updates with thousands of blacklists and the update is done with the period of time I want. Therefore, if you are not going to perform an exhaustive analysis of the certificate, I recommend this scenario.

@hyanviana SSL/MITM Mode use Splice All

@Gertjan yes i just saw that.. Well i'll look for an alternative then

@johnpoz side note I finally found my invasive container it's on my 2019 Motorola g-power the thing is registering all sorts of Snort open AppID items I am not using, everything else on my network is matched to app use. It even saw Opera browser I don't even use that, alongside Snapchat, LinkedIn on and on even a bunch of Stripe payment service, and endless Skype. It was the smartphone.

Looks like Squid's website just released version 6.5 on Nov 4th 2023

That was 10 days ago. . .

Screenshot 2023-11-14 at 4.29.12 PM.png

I am confused as it was said it was not updated in 2 years. . .
Screenshot 2023-11-14 at 4.34.47 PM.png
Was updated again Nov 6 2023

Also many security issues have been resolved per the GitHub.

Screenshot 2023-11-14 at 4.31.04 PM.png

I am thinking install it on a raspberry pi 5 8gb and NAT to it from the firewall

This seems to be working now/resolved.

I bounced the whole firewall and my (pihole) dns servers and came back to it 30 minutes later and now it is working.

I don't understand what bouncing the pihole servers, or the full firewall ( given I previously bounced the dns resolver / haproxy services) might have done but with the haproxy backend happy, everything is now working.

hopefully this helps the next guy :)

Still noone?

Nice!

I forgot to link to the issue ticket: https://redmine.pfsense.org/issues/14764

What is the next official Netgate product that will continue to support a proxy with SSL intercept that can be purchased? Now that this is being twightlighted?

What version should I upgrade too for proxy cacheing abilities? I have a SG-2100 currently. Should users move to Palo Alto?