I've fixed it. The solution was to abandon pfSense and install Ubuntu Server 16.04 with the squid3 package. Then configure squid3.conf with some simple values.
Of course it is. The chance is higher to find a virus, trojan and so on earlier the more security features and tools you are using.
Just want to give you an additional argument to decide if it is worth buying new hardware only for ClamAV or if there are other possibilities to secure your network.
So far the only way I have been able to update is to back up the system. Edit the XML backup and restore… Guess will have to wait for the package to be upgraded.
An out of state packet is one that was part of an established session but that session has since been torn down. All of those blocks are for a FIN ACK (or FIN PUSH ACK), you will note. The pfSense side says "I'm going to tear this connection down and close it!" The other side says "OK", but pfSense has already torn the connection down so it sees the OK reply as an unsolicited new connection attempt and blocks it.
Awesome.. thanks Nachtfalke! I wasn't aware of that "System Patches" package.
I tried this with my SquidGuard changes today and Squid + SquidGuard were working perfectly.
Everything seemed great until I did a final reboot test. Something went wrong after that to a point where Unbound and DHCP wouldn't load. I was getting some weird certificate type errors on Unbound.
I had to revert back to the other slice to recover.
I'll have a bit more of a play though and see if I can get it going.
enable 'ssl' on the backend server
HTTP check method: HEAD
Though I would probably set a very low check frequency (once a minute or so?) or maybe not check at all.
As for the certificate, as you're passing the traffic with mode tcp, haproxy doesn't need any additional settings there. A valid certificate needs to be configured for the webgui, though, for the name you're typing in the browser.
(…)
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that? :D
If you know the FQDN of all other clients, then just put these clients into the alias. But to be honest, because you can do it, it is not always the best way to do this. In the thread, other possibilities are mentioned, like WPAD and so on.
Other ways are to configure DHCP with static entries so that the three clients will always get the same IP address. This will make things easier.
Good luck!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.