2.42 is now merged. ;)

@exograpix:

You have to select lan.

Thanks, fixed above…

@OP: The interfaces MUST match. You have some wild mixture of Proxy Interface(s) vs. Transparent Proxy Interface(s) vs. SSL Intercept Interface(s). Make sure the thing match each other.

@maverik1:

How are you trying to enforce safesearch? Via url re-write or dnsmasq?

This is most likely the right and ultimate question  8)

There is something sometimes not well understood:

one of the differences between transparent and explicit proxy is that transparent proxy doesn't resolve any name. Packets are intercepted at default gateway level once target is found, meaning after DNS resolution. Therefore workstation DNS settings are used here. On the other hand, when using explicit proxy, browser sends URL to proxy and name resolution is handled at proxy level. Depending on your configuration, this may show different result  ;)

@Netizen1:

If you're using XP still, then at least try to ditch IE for Chrome or Firefox…. Highest version of IE for XPSP3 is IE8 :-\

IMO, XP machines should no longer have internet access. Whitelist specific applications only and block everything else. Definitely don't use IE6!

Did you read my answer?
My XP machines normally don't have web access - in this case it's just drunk science.

In VMware i have XP Pro SP3 IE6, XP Pro SP3 IE7, XP Pro SP3 IE8, Vista IE9, Win 7 IE10, OS X El Capitan < all for playing around.

And yes I also use XP on dedicated PCs. One example is MAME connected to a RGB CRT TV.
I also have 2 DOS PCs, 1 Win95 and 1 Win98 running because 3dfx Voodoo and ols Games needs the right OS ;D

Dear Netizen1

Thank you for your reply, I found the solution in the below topic.

https://forum.pfsense.org/index.php?topic=90961.15

BR,
Ahmed

I solved the problem, somting to do with the config file. I downloaded the config file on Diagnostics > Backup/restore. I opened the config and releted all items os squid, squidguard and lightsquid. Loaded the new config and installed the packages.

Thank you
Best Regards

@dims:

Suppose, I didn't configure domain manually but configured IP manually, i.e. not using DHCP. This means WPAD won't work then?

As described in draft RFC about WPAD and also in RFC3040, DHCP is only one mechanism tat can be used, client side, to find proxy.pac file.
Other mechanism exist and some should be implemented if you want to ensure that most clients benefit from WPAD.

The resource discovery mechanisms utilized by WPAD are as follows:
      *  Dynamic Host Configuration Protocol DHCP
      *  Service Location Protocol SLP
      *  "Well Known Aliases" using DNS A records
      *  DNS SRV records
      *  "service: URLs" in DNS TXT records

implementing DHCP, "well known alias", "DNS SRV records" and "service: URL" is pretty simple.
You will find examples here and there easily.

pfSense documentation covers some aspects. I tried to produce something with wider coverage (goal was more to focus on proxy design that WPAD) here. internet contains a lot of useful example

What you need to understand (and that is not yet clear if I read correctly your posts) is that "well known alias" mechanism relies on your local domain configuration and therefore local DNS too.

This mechanism, launched client side, relies on host FQDN.
Say your workstation name is:
workstation.sub_level2.sub_level1.domain.com
well known alias mechanism will search first for:
wpad.sub_level2.sub_level1.domain.com
then for:
wpad.sub_level1.domain.com
then
wpad.domain.com

By configuring one of these entries in your local DNS, it will allow you browser to find web server hosting proxy.pac file.

Hi chris,

Sorry for late reply. By Block I meant I cann't browse. It says Connecting…. on title bar of browser and just wait... nothing on screen. I cann't even access pfsense box. I just get locked. I wish  someone can provide me step by step way to configure squid with captive portal authentication.

regards,
Ashima

Ok doktornotor, if ClamAV is a toy the only thing left is blocking.

And here i see sometimes sites don't work if something (Ads) are blocked.
So Adblock Plus is the better solution?
But what about Ads on TVs, consoles or in-game Ads (Android, Windows Phones)?

It's not that i don't have a Adblocker on Android but i want to check the possibilities.
I saw somewhere it's possible to use the EasyLists in SquidGuard?

If blocking Ads is better on the clients then there is from the Shalla's Blacklists left:
Spyware (Trojans, phishing sites) and Tracker

At the moment i pay for squidblacklist.org and want to get rid of it.
I use from them:
Malicious (Virus, botnet, malware, adware, apt, drive by, infectious) and Proxies (Http proxies users may attempt to use to bypass your filters)

I guess it would make sense to block:
Virus, Botnet, Malware, Adware, APT, Drive-By Download, Infectious, Espionage, hosts that perform IP tracking for media companies and associations like RIAA/MPAA, Http proxies users may attempt to use to bypass your filters

If all this is not really usefull the only thing left is caching with Squid and i ask myself if all the hassle with getting wpad to work is worthwhile for a normal household?

You're very welcome

Thanks KOM for the info, we had to put the Project on ice for a time, other things :( but Will be starting up again soon. We will be looking for sending Proxy settings automatically or maybe have to set up Website on the Proxy to Redirect.
We just have a WiFi and LAN that we want to provide Internet using a Login with mulitple (2) Internet connections. that was our purpose in choosing pfsense.
Thanks again and any suggestions are appreciated.

The biggest room in the world is the room for improvement.

And IE?  What URL specifically?

Cache size has already been experimented with, as has the RAM allocation.
No difference either way with memory usage.

There's no MD5, there's DES. See crypt() docs It silently truncates passwords to 8 chars - read e.g. here: http://www.certpal.com/blogs/2010/05/crypt-des-and-8-character-truncated-passwords/

I cannot see how the patch here adding some MD5 salt nonsense to DES would work for anyone, just doesn't make sense. Perhaps if your replaced crypt() with md5(), it'd actually do something meaningful?!

Thank you very much doktornotor!

It worked perfectly.

His work is very important for the adoption of the platform.
A big hug.

You'll really need to dig into the C-ICAP docs. If you figure out some working configuration, it can be put to the package, but I certainly don't have time to play with radios streaming ATM.