You can create a set of custom ACLs to control which clients can access the internet through squid. You need to create the following in the Custom ACLS (Before Auth) box under Advanced features in the squid proxy configuration: ## Allow internet access for specific LAN clients acl internet_access_allowed src <ips and="" ip="" ranges="" to="" allow="" internet="" access="" for=""> http_access allow internet_access_allowed ## Allow access for pfSense firewall http_access allow localhost ##Block internet access for all other LAN traffic http_access deny all</ips> You may still need to use firewall rules for SSL traffic.

worked it out i needed to add to allowed network my home network

Sorry been busy lately i will come back with more details on my problem and how i have setup things to have everything working Thanks

well for blocking social sites i recommend squid3 with squidguard to block only http and https you have 2 choices use WPAD or use PfblockerNG

@aGeekHere: Then it was said NOT use LAN_IP, use 127.0.0.1 No. No such thing has ever been said. You were told to make Squid listen on loopback in addition to whatever other interface in case you insist on messing with similar cache managers shit (because that's the only interface allowed by ACLs by default). That's all there's to it. @aGeekHere: I think I am completely confused here. Yeah. Definitely. Way over your head. Just leave the proxy stuff alone and move on.

Transparent mode won't filter HTTPS unless you install a pfSense CA cert on every client on your LAN.  Is this the case with your config?

To locate source on LAN, you need to look at Squid logs…

https://forum.pfsense.org/index.php?topic=100167.msg559137#msg559137

To filter HTTPS, you will have to install a pfSense CA trusted certificate on every client that will use the proxy.  Since this is inconvenient, so it is better to set squid from transparent mode to explicit mode and then implement WPAD so that your clients an find the proxy automatically.  Some clients will have to be configured manually.

Also just to add something. I have 2 pfsense setups on my vm. pf1 192.168.1.1 has 2 isp being load balance pf2 192.168.1.2 is getting internet from 192.168.1.1 and has squid installed

First idea would be to post this in the Cache/Proxy forum where it belongs.  Your issue has nothing to do with the firewall, per se. Connection refused means exactly that.  The service you're trying to connect to refused the connection.  Check your squid access.log as well as your web server's logs for further clues.

I just did the same exact update.  Fixed OP's problem by Service -> Proxy server -> Access control Reverse the order of the IP's listed under "External Cache-Managers" (maybe not needed) Click save (I think Squid config file will update to the new version) Restart squid service. Squid started working.

Squid seems to be blocking something. Is it true that Squid blocks by default Squid is a web cache.  It doesn't block anything by default.  Transparent mode doesn't work with HTTPS unless you have installed a trusted certificate on every client computer that will use the proxy.

Considering that Dans has been abandoned upstream for years, I doubt there will ever be a fix.  That's why I would avoid using Dans if it's giving you problems.

Doktornotor may have fixed that package to remove the need for the manual symlink.  I would completely uninstall the package, remove the symlink and then install it again.  You may have to manually clean up old traces of Sarg.

With the config as posted i would expect the servers to be 'up'.. There seem to be missing a few things that i suspect are configured: mode http option httpchk If these assumptions are right then a few things are missing from the server lines: -  check-ssl ssl verify none