But you know whats odd…If i put pfSense as HTTPS internet explorer keeps blocking the sites but not chrome or firefox soo odd..but anyway Also which computers exactly are not auto detecting? WPAD is pretty powerful and forces all client to the proxy ONLY IF the auto detect proxy settings is checked

Hello cmb, thank you very much for your very quick reply (and sorry by the way as I created that topic in the firewall forum's instead of the proxy's one).

So, I've tried to do what you told me, unfortunately, I can't make it to work as my pfsense box is setup to be used with HTTPS (and transparent proxy can only handle HTTP).
So, if i'm logged in on the wireless interface and type 192.168.0.1 in my address bar, it will redirect me to https://192.168.0.1 even if I ask squid to not allow that.

Also, sorry for that, my previous post isn't clear about my rules, so here is a screenshot (easier to see the rules i set up).

As you can see on that picture, I first block eveything to the LAN network. Then, it's OK, i cannot access https://192.168.0.1, but as a downside effect, websites don't show properly or take ages to load (I think it's because elements blocked by the proxy show a white pixel located on the pfsense box accessible through 192.168.0.1.

To make websites load properly I have to set it up that way.

But, the downside effect is that I can access the pfsense login page (and I don't want people I don't know connecting through WIFI to be able to access or see that page).

And, I think I finally find a workaround. It seems to work fine, but you guys might find a better way of doing it.

I just changed the block rule to LAN to reject like this:

Now, websites show normally (quickly as it should), and I cannot access my pfsense through the LAN IP 192.168.0.1 or pfsense.domain.com.
It seems that computers connected to the WIRELESS network are still able to access the login page though the WIRELESS gateway 10.0.0.1.
I'll look for a firewall rule.

Or, is there a way to tell pfsense to allow login only through the LAN interface and not any other one?

Also, what do you think of that firewall setup, does it look restrictive enough for you?
Is there an easier method of achieving the same goal?

Thanks a lot again for your help.
I'll let you know :)

sure So let me get this:

A group of users to ignore the squid proxy?

A group of users to use squid proxy and block pages?

LDAP? yikes :( I would rather just create a grey list

Well I found, so here's the ugly hack.

In local cache, activate Cache Dynamic Content and add the following in Custom Refresh Patterns

logformat special %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %ss:%sh<br="">access_log /var/squid/logs/access.log special</st>

There are already predefined logformats like the special here so you could actually just add access_log /var/squid/logs/access.log common but in my case, I can play with the format.

Also, log into ssh and launch

to see whether there are error messages or not.

There's a French University list which is quite complete out here:
http://dsi.ut-capitole.fr/blacklists/

They have a special pfSense version (english language categories so it won't break pfSense's squid) here:
http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz

Regards,
Ozy.

Try cleaning it up.

Go to /var/db/squidGuard/ and do a 'rm -rf'

Then download your blacklist again. Once it is done, it should populate back all the folders in this location.

Next, clean up your old ACL.

/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf - Scroll to the bottom and find a section called acl. Change the 'pass xxxx' line to 'pass all'

Go to squidGuard's first page and click apply, then go back to your 'common' to select the categories you want to block.

So i think i might have figured out a workaround not the best but its something. I created a !ignore list for ONLY users that need to connect to another site that is running OpenVPN in my case its only 1 person because hes a programer and connects to other sites that also have pfSense. Theres no need for him blocking sites either because hes a freelancer and He still gets the transparent proxy working also.

EDIT: NVM…It was working because i uncheck the automatic proxy settings  :'(

Clipboarder.2016.03.19-007.png
Clipboarder.2016.03.19-007.png_thumb

What mode of OpenVPN connection are you using?

That's not gateway monitoring, it's part of Squid. Moved to that board.

@japr:

I've solved the problem, I found the solution in a similar post only have to apply this code

killall -9 php; killall -9 lighttpd; /etc/rc.restart_webgui

You have 2 ways:
The first is through the SSH console (if you have it enabled) you put your username and password, then selects the option 8 "SHELL" and executes the code

the second is using a monitor and keyboard connected to pfsense server and do the same procedure as above (select option 8 "SHELL" and run the code).

The server works perfect again, I hope it is helpful to many here in the forum

You can select Option 11 i.e Restart webConfigurator .
It will work.

Hi Jsheed,

I followed your steps, however I'm able to use "" to enter "domain-name\username", are you using the latest pfsense version, have you tried copying and pasting "domain-name\username" from notepad

misc-proxy.JPG
misc-proxy.JPG_thumb

@KOM:

No idea where that config might hlive, but it will be overwritten at every pfSense upgrade so that's not really the best solution.

Hey Kom,

Thanks .

For now i have done changes in /usr/local/pkg/squidguard_configurator.inc

now the value is permanent after, Save + Apply.

Not just quickly, it's working like there's nothing in between. Just as it should be.

To summarize for everyone who might have this or a similar issue, I got this problem fixed by going the route of non-transparent proxy(or explicit if you will). Some bumps along the road, but comrade KOM helped me see the error of my ways and set me on the right path.

Phase 1 complete, Phase 2 of my "Ban-Facebook-and-Youtube-for-EVERYONE" is just starting…

@Naughty:

i did create a text file with the below content :
function FindProxyForURL(url,host)
{
return "PROXY 192.168.1.1:3128";
}
but as per the article i can't loaded in the specified path "/usr/local/www/" as it's not supported in pfsense 2.2.6 so it went to /tmp/wpad.dat.

so would u please explain to me if that will work <<

Hi, if it helps follow how i set up my wpad
https://forum.pfsense.org/index.php?topic=93060.0

I tried to make it work with perl in pfsense 2.6 with little success.

anyways I did make a helper in PHP with and loaded with some configs and rewrite parterns

works pretty fine altough I had some hangs in steam do not know why.

https://github.com/rudiservo/pfsense_storeid

Great @KOM, thanks!  Deleted the archived (the .0) access and cache files and it greatly freed up HD spaces and keeps pfsense working.  I've not checked upon reboot but I think it will be okay.

Again, many thanks KOM!

Hello Everyone,
This is my first post on pfsense.org
As a System / Network admin it is really difficult to adapt new changes happening in technology or in Internet World. As well as end users on a Restricted network always look for bypass & which leads to serious flaws to the security policies deployed by System Admin or to the entire company.
I am not a System / Network admin but I am a geek & want my Home Network to be secured from External attacks as well as I make sure that no one will breach the policies that I deploy for my network.
(My home network used by 6 homes of my Family & friend with extended routers or repeaters) To secure the whole network & ensures that everything on my network stay under control, I strictly monitor whole traffic every time using OpenDNS. I have been using OpenDNS for a long time & I am a kind of expert in that. Now if you want to block an access to the UC Browser that I found sometime back was able to bypass my OpenDNS rules, so I did an extensive research & continuously monitoring my network traffic, reading hundreds of forums. Simultaneously I was using UC Browser as well as mini to understand its working.
      i found following hosts of UC Browser & blocked access to them using OpenDNS. Now not a single query or single request disobey my OpenDNS law. i ruled UC & I am having complete control over my network.

BLOCK THE FOLLOWING DOMAINS & THEIR SUB-DOMAINS:

1. baidu.com
2. mandriva-art.org
3. meego-central.org
4. ucweb.com
5. ijinshan.com (This is I think DNS Resolver for UC Browser which leads to proxy server connections & allows users to access blocked sites.)
6. umengcloud.com
7. uc.cn
8. 9game.com (UC Game Market Place)
9. 9apps.com (UC App Market Place)
10. umeng.com
11. ucweb.co

Block all above domains to restrict access on UC & remain under control of your firewall.

No difficult firewall rule creation, no hassle. Just add above domains in block list.

NOTE: Block all the sub-domains of above mentioned domains. Then only you will receive 100% result. BLOCK ALL SUB-DOMAINS OF ABOVE DOMAINS!

Please let me know that whether this works for you or not.

Screenshot_20160311_104737.png
Screenshot_20160311_104737.png_thumb
Screenshot_2016-03-11-10-12-10.png
Screenshot_2016-03-11-10-12-10.png_thumb