You guys helped me out.  DHCP went out on me and my disk was full.  I got a 5:45AM call from my coffee shop client that some devices weren't working on the network.
I had installed, but hadn't yet configured Sarg and Squid, and apparently Sarg was filling my 2GB internal memory (hadn't set up NAS for logging yet).  The unit had been installed for less than a month.  I uninstalled the packages for now until I am ready to set up a logging drive.

hello
what is the problem really? how did you configure squid and squidguard please?

OMFG!!!! blowmind!!!!
I never thought that where possible!
I have to try that… when i get some PC to do the tests. I cannot risk to do it on the working enviroment.
Thanks for the advise.

yeah cool but if you want limiter it will break it :( but now not sure if limiter is worth it when traffic shaping using codel seems to work wonders for now on the VOIP

Hey thanks for the reply

So this is what i have see picture

But when i go to sarg reports and go to the denied pages I dont see the pages that have been blocked I tried going to sites blocked but nothing :(

Thank you

Clipboarder.2016.02.02.png
Clipboarder.2016.02.02.png_thumb

jimp is right, In "Diagnostics" -> "Ping" do a ping to www.shallalist.de and verify if it responds. if not, your interface or routing settings (including gateway config) may be wrong.

anyone?

There is no easy solution for this. Everytime you install a package the new version is fetched from repository, so if the new package has compatibility issues with the installed pfSense version you will end up with a broken installation. A possible workaround would be to clone the installation from a working system with the old version of pfSense and packages, but I haven't tried that so far.

Good luck.

Yeah now that you have squidguard you need to edit the common acl catergories or create groups if you want certain people to have access and other dont if not just have common ACL enabled to block tracker, ads etc. click save then click enable then appy

ummm for the cache downloads i have not had any luck so far only caching a few sites :(

Turns out adding a rule to allow all hosts in VLAN100 -> 127.0.0.1:3128 made it all work. Still a bit confused on why it was needed.

No, unfortunately not,
i searched everywhere and tested everything what comes to my mind, but i didn't get a solution until now.

regards
gruner

I thought that having the Transparent Proxy option unchecked put me in explicit mode?

That is correct.

How do I block off ports 80/443 from the LAN?

By adding a block rule above the Allow All rule.

old topic but curious how about Cache Dynamic Content?

I noticed that too.

I installed Cron and edited the daily schedule for Squid, removing the rotate command.

Before:

/usr/pbi/squid-amd64/sbin/squid -k rotate -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

Now:

/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf

–--

I'm sure someone will jump here and say no change was made to Squid or Sarg that affects this... right...

I got the same Problem here :-/

This errormessage is spamming my log with far over 30 lines per second :-(

i have no IPv6 configured in my Network…

Edit:
I think i found the Bug

I have had the WAN Device set up to IPv6 DHCP, but i didn't got some IPv6 address.
After setting it to IPv6 none and restarting squid, the spamming stoppped.

Try This !!!

ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.2 /usr/lib/libldap-2.4.so.2
ln -s /usr/pbi/squidguard-amd64/local/lib/libldap-2.4.so.8 /usr/lib/libldap-2.4.so.8
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-5.3.so.0 /usr/lib/libdb-5.3.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb-4.6.so.0 /usr/lib/libdb-4.6.so.0
ln -s /usr/pbi/squidguard-amd64/local/lib/libdb41.so.1 /usr/lib/libdb41.so.1

have nice day :3

Hi Trumee,

Ah i overlooked that indeed, if your using TCP mode it is not possible to modify the http content inside the encrypted ssl connection.
1- So to use the options i wrote you need to perform offloading on haproxy and load the certificates on pfSense.

Other options are:
2- proxy-protocol (on the server line you could add a advanced setting "send-proxy" or -v2 -v2-ssl -v2-ssl-cn , but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings.!.)

If you dont want to decrypt ssl traffic on haproxy then option 2 would probably be best if your nginx supports it..

Regards,
PiBa-NL

good to know, I'll make some changes.

thanks a lot.. thats wht i want to know : )