I've got it working. I have numerous subnet interfaces and because of that didn't see that the loopback interface wasn't enabled in dns forwarder. Don't know how it had been disabled as I doubt I unchecked it. Once it was added things started working fine. Umm, and yes if you want to utilize dnsmasq settings with explicit proxy then you need loopback enabled in either dns forwarder or resolver..

@Abhishek: i find after disabled Snort on lan interface… I'll be very glad if you could explain purpose of Snort listening on internal interface. There is something I don't understand here  ???

look at this… but remember to move away from transparent proxy first  ;)  otherwise this will obviously not work  :P

[image: 8810060f2e25f918f481eb46e7a71792.jpg]

Beyond the conclusion reached on the other thread (your settings are messed up), nothing else I could advise here. Read the FAQ, flush broken settings, flush the Squid dirs if the "Keep Settings/Data" feature doesn't work for you, reconfigure from scratch.

You also need Maximum Object Size set accordingly. No further assistance from me, this is dead end as noted above.

Sure it does  ;) As you have now explicit proxy with (soon) authentication and profiling, wouldn't captive portal do the trick ? Users will have to authenticate first at captive portal level and this will grant them for access through local FW.

@n3by: @PikkonMG Did you test it to see if it is real working or just pretend ? Because on my config all services are working ( and av updated ) but download test fail - no alert triggered. https://secure.eicar.org/eicar.com.txt https://rtcamp.com/tutorials/mail/server/testing/antivirus/ @dok A test button on interface will be more than welcome. Yes it all works. If I go to eicar and try to grab any of the test files it stops it.

As you operating system supporting proxy.pac file is Windows, you will have to create such symbolic links using mklink command and create as many logical links as needed. e.g. mklink wpad.dat proxy.pac will create a new (logical) file wpad.dat linked to proxy.pac If you modify proxy.pac content, it will modify wpad.dat too.

PiBA, yes, I totally boneheaded it and put bce instead of bge..I have several servers, some with bce and some with bge and I just confused it. After making the change and rebooting it seems to be working better. I am slowly ramping up the users but so far so good at 2500+. The stats I posted below were from Apache Bench so I need real world clients to really test it out. Thanks for reminding me to post back to the group.

Have you tried with haproxy ? You will find it on package manager.

ok. I finally got it working. Here's what I had to do: DansGuardian: General -> Highlight (turn on) both forwardedfor & usexforwardedfor Squid (Proxy): Custom Options acl other_proxy srcdomain My.Proxy; log_uses_indirect_client on; follow_x_forwarded_for allow localhost; follow_x_forwarded_for allow other_proxy; acl_uses_indirect_client on; delay_pool_uses_indirect_client on Use the name of your pfsense box in place of My.Proxy I also used "tail /var/squid/logs/access.log" & "tail /var/log/dansguardian/access.log" throughout troubleshooting this to find out what exactly was being captured in the logs. Sources for this: http://www.linuxquestions.org/questions/linux-security-4/dansguardian-and-squid-480571/ http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ (to understand follow_x_forwarded_for)

Yeah. Now, don't forget to check the Keep Settings/Data box again. :)

@trinidadrancheria: Anyone? I'm not yet even sure if i have it working. I can just see udp data going forth and back. After what feels like an age my "master" now also shows an "ON" status. Last time I checked the other node did NOT show "ON", it just showed nthing. One thing I have different is the select method (carp) and icp options (multicast-responder) I've NOT set passwords. I think the carp setting is questionable since I am using it with a loadbalancer / virtual server distributing the traffic to both proxies. But considering how underdocumented + bug ridden this is, we're just testing our luck and this seems to be lucky. (yes bug ridden, I'm not even getting logs after I set them to be stored outside /var because /var is a ramdisk. I feel noone tests anything)

Did the trick for me to….. this has been driving me mad!!!! Thanks. @chidgear: Hi! I did this: After downloading a blacklist from shallalist.de , create a target Category (call it as you want) add a least one domain and start Squidguard with the apply button (if it hasn't started yet) According to certain posts regarding to the Squidguar manual, this is a necesary condition to use blacklists and another configurations. In my particular case, I've created a target category called "White_list" on which I've added the sites contained in the default blacklist but that I wish to access anytime (for example, wikipedia.org, wikimedia.org and pfsense.org). after doing this, I can reboot the server, an the SquidGuard service boots automatically after one minute. Try it and, if it works for you, come back and tell us!

AFAIK only Lollipop 5.1.1 AOSP supports specifying an explicit PAC file per WiFi SSID. My CM 12.1 works beautifully like this. There are apps that let you use a PAC file, but they are cumbersome. Search the App Store.

Something that worked for me is Basically you have to set it on and then exclude sending the inner IPs out: Enter something like this under Squid3: Proxy Server/General Settings Tab/Custom ACLS (Before Auth) #header_replace X-Forwarded-For forwarded_for on acl mxln src 10.0.0.0/24 # RFC1918 possible internal network acl mxlno src 10.0.1.0/24 # RFC1918 possible internal network acl mxlnr src 10.0.2.0/24 # RFC1918 possible internal network reply_header_access X-Cache-Lookup deny !mxln reply_header_access X-Cache-Lookup deny !mxlno reply_header_access X-Cache-Lookup deny !mxlnr reply_header_access X-Squid-Error deny !mxln reply_header_access X-Squid-Error deny !mxlno reply_header_access X-Squid-Error deny !mxlnr reply_header_access X-Cache deny !mxln reply_header_access X-Cache deny !mxlno reply_header_access X-Cache deny !mxlnr reply_header_access Via deny !mxln reply_header_access Via deny !mxlno reply_header_access Via deny !mxlnr