First idea would be to post this in the Cache/Proxy forum where it belongs.  Your issue has nothing to do with the firewall, per se.

Connection refused means exactly that.  The service you're trying to connect to refused the connection.  Check your squid access.log as well as your web server's logs for further clues.

I just did the same exact update.  Fixed OP's problem by

Service -> Proxy server -> Access control

Reverse the order of the IP's listed under "External Cache-Managers" (maybe not needed)

Click save (I think Squid config file will update to the new version)

Restart squid service.

Squid started working.

Squid seems to be blocking something. Is it true that Squid blocks by default

Squid is a web cache.  It doesn't block anything by default.  Transparent mode doesn't work with HTTPS unless you have installed a trusted certificate on every client computer that will use the proxy.

Considering that Dans has been abandoned upstream for years, I doubt there will ever be a fix.  That's why I would avoid using Dans if it's giving you problems.

Doktornotor may have fixed that package to remove the need for the manual symlink.  I would completely uninstall the package, remove the symlink and then install it again.  You may have to manually clean up old traces of Sarg.

With the config as posted i would expect the servers to be 'up'..

There seem to be missing a few things that i suspect are configured:

If these assumptions are right then a few things are missing from the server lines:
-  check-ssl ssl verify none

OK, good that it works now. :)

@gaf2014:

@lockye:

The reason I use the transparent proxy is because I have content filtering setup, it blocks all the annoying commercials even on the roku.

Hi lockye,

have you ever tried to use a NAT rule in your inbound Interface?
For me it's working. All devices that don't like SSL interception are in the Group "grp_no_https_interception". That's all.
You also need to have a firewall rule in place to allow the traffic.

hello, can you give rule firewall rule to allow the traffic  ;D (im try make firewall rule same as nat forward but cant bypass https connection)

@reinaldo.gomes:

Have you ever tried the floating rules? There you can target the firewall itself as the source. I haven't tried this yet, but soon I'll have to.

Yes I did. If you've read post # 2 of this thread, the details of the rule I've made are there.

Must be a feature to prevent people from junkware-plagued shit. Wouldn't touch the thing with 10ft pole.

@cmb991:

DNS filtering using that would be awesome, we already have it installed.  but there isn't anyway to do categories…

Some others have asked to get that incorporated into the package which I should be able to do at some point…. In the meantime, just download the Feed that you use into  /var/db/pfblockerng and extract the archive. The extraction should create the subfolders for the Feed in that base folder.

Then add a new DNSBL Alias, and in the 'Source Fields', map to the category folders that you would like to use… Add a new Source line for each category.

You could also rig a cron task to download once/day and extract to the same folder.

It says right on the main page that the list is repackaged each night.  When you open up the archive, all files and folders have a timestamp.

Nope, that's the place.  Glad to hear you got it working.

@Xeboc:

@doktornotor - I've been using pfSense for a month now, trying out the packages, reading the forums, and testing everything out.  Your information above about those packages is valuable and useful.  But how would a new person coming to this software know any of that?  Most of the useful tidbits of info I've read come from you or a few other dedicated programmers buried in a forum post somewhere.  A few packages are useful and well maintained, but, as you indicated, some are really broken and unmaintained.  Can we get a 'date last updated' added to the package manager?  Or some other indicator of what you have shared?  I like pfSense, but I've been hacking away at it for hours and combing forums for months to learn anything useful….

When I tried to mark Squid 2.7 unsupported in the package list, the PR was closed by pfSense devs telling me that Squid 2.7 is one of the few "officially supported" packages. Never mind noone's maintaining and fixing anything there and that package is buggy like hell and abandoned everywhere. There. Don't get me started with that again. The 2.7 zombie thing is gone from pfSense 2.3, thanks god. Dansguardian is gone as well, the E2G did not get anywhere last time I checked and will need bunch of fixes for 2.3 anyway. Squidguard is still there and is still broken and I still get severe headaches when I look at the code, cannot see myself fixing it anytime soon. Rewriting from scratch would probably be easier.

As for "last updated", you can see that on Github.

on webgui proxy server tab setting and you found name "SSL man in the middle Filtering"  ;)