BUMP anyone?? So i did a fresh install everything worked then all of sudden…stopped again not even sure what is going on.... [image: Capture.PNG] [image: Capture.PNG_thumb] [image: Capture1.PNG] [image: Capture1.PNG_thumb]

Dont want to overpost here but I know this is an old post but not sure if this applies or if anyone had solved it So i keep getting UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.3.3/- - GET'. Future Squid will treat this as part of the URL. where 192.168.3.3 is my IP but Not sure what the upgrade warning means? should be concern? or let it be? Im running transparent mode +WPAD so i leave the option rewrite to int blank page and that annoying pinger: initializing ICMP PINGER....

For the win2k12r2 web application proxy to work it needs to communicate with an adfs server, during installation and configuration of the wap you'll be asked to set this up. So yes, I'm afraid you'll need 2 servers: DMZ win2k12r2 wap Internal network win2k12r2 adfs

Hello. Thanks for the info. OK, If there is a web server in the LAN/DMZ this is the good solution. Regards

That gets rid of the errors, but also defeats its purpose. Why should I do that? Thank you

Are you saying refresh patterns periodically redownload the content? If so I guess I misunderstood the usage. Is there a good guide that explains use and parameters of the refresh patterns?

But you know whats odd…If i put pfSense as HTTPS internet explorer keeps blocking the sites but not chrome or firefox soo odd..but anyway Also which computers exactly are not auto detecting? WPAD is pretty powerful and forces all client to the proxy ONLY IF the auto detect proxy settings is checked

Hello cmb, thank you very much for your very quick reply (and sorry by the way as I created that topic in the firewall forum's instead of the proxy's one). So, I've tried to do what you told me, unfortunately, I can't make it to work as my pfsense box is setup to be used with HTTPS (and transparent proxy can only handle HTTP). So, if i'm logged in on the wireless interface and type 192.168.0.1 in my address bar, it will redirect me to https://192.168.0.1 even if I ask squid to not allow that. Also, sorry for that, my previous post isn't clear about my rules, so here is a screenshot (easier to see the rules i set up). [image: UIIzdECp9rJv.png] As you can see on that picture, I first block eveything to the LAN network. Then, it's OK, i cannot access https://192.168.0.1, but as a downside effect, websites don't show properly or take ages to load (I think it's because elements blocked by the proxy show a white pixel located on the pfsense box accessible through 192.168.0.1. To make websites load properly I have to set it up that way. [image: 9zXP9kKhiSnn.png] But, the downside effect is that I can access the pfsense login page (and I don't want people I don't know connecting through WIFI to be able to access or see that page). And, I think I finally find a workaround. It seems to work fine, but you guys might find a better way of doing it. I just changed the block rule to LAN to reject like this: [image: qAc4pPiJiXPW.png] Now, websites show normally (quickly as it should), and I cannot access my pfsense through the LAN IP 192.168.0.1 or pfsense.domain.com. It seems that computers connected to the WIRELESS network are still able to access the login page though the WIRELESS gateway 10.0.0.1. I'll look for a firewall rule. Or, is there a way to tell pfsense to allow login only through the LAN interface and not any other one? Also, what do you think of that firewall setup, does it look restrictive enough for you? Is there an easier method of achieving the same goal? Thanks a lot again for your help. I'll let you know :)

sure So let me get this: A group of users to ignore the squid proxy? A group of users to use squid proxy and block pages? LDAP? yikes :( I would rather just create a grey list

Well I found, so here's the ugly hack. In local cache, activate Cache Dynamic Content and add the following in Custom Refresh Patterns logformat special %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %ss:%sh<br="">access_log /var/squid/logs/access.log special</st> There are already predefined logformats like the special here so you could actually just add access_log /var/squid/logs/access.log common but in my case, I can play with the format. Also, log into ssh and launch service squid.sh restart to see whether there are error messages or not.

There's a French University list which is quite complete out here: http://dsi.ut-capitole.fr/blacklists/ They have a special pfSense version (english language categories so it won't break pfSense's squid) here: http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz Regards, Ozy.

Try cleaning it up. Go to /var/db/squidGuard/ and do a 'rm -rf' Then download your blacklist again. Once it is done, it should populate back all the folders in this location. Next, clean up your old ACL. /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf - Scroll to the bottom and find a section called acl. Change the 'pass xxxx' line to 'pass all' Go to squidGuard's first page and click apply, then go back to your 'common' to select the categories you want to block.

So i think i might have figured out a workaround not the best but its something. I created a !ignore list for ONLY users that need to connect to another site that is running OpenVPN in my case its only 1 person because hes a programer and connects to other sites that also have pfSense. Theres no need for him blocking sites either because hes a freelancer and He still gets the transparent proxy working also. EDIT: NVM…It was working because i uncheck the automatic proxy settings  :'( [image: Clipboarder.2016.03.19-007.png] [image: Clipboarder.2016.03.19-007.png_thumb]

What mode of OpenVPN connection are you using?

That's not gateway monitoring, it's part of Squid. Moved to that board.