Both pfBlockerNG and Snort inject rules into the ruleset.  You might try disabling them, if possible, and see if that has any effect.

Looks like I figured it out.  For us to be able to block ports 80 and 443 we had to create a custom error page in another server and configure squidguard to redirect the errors to it in Group ACL  > Redirect mode  set to ext url err page (enter URL) and on the redirect box http://other_server_ip/path_to_custom_error_page/index.php?clientAddress=%a&clientName=%n&clientUser=%i&clientGroup=%s&targetGroup=%t&clientUrl=%u

I'm not the greatest at web pages but this is the code for the basic custom error page, once it is displayed you will realize that it is obviously based on the pfsense built in error page

$clientAddress = $_GET['clientAddress']; $clientName = $_GET['clientName']; $clientUser = $_GET['clientUser']; $clientGroup = $_GET['clientGroup']; $targetGroup = $_GET['targetGroup']; $clientUrl = $_GET['clientUrl']; echo "\n"; echo "\n"; echo " ### Request denied by pfSense proxy: 403 Forbiden"; echo " \n"; echo " **Reason:** \n"; echo " * * * "; echo " **Client address:** "; echo "$clientAddress"; echo " \n"; echo " **Client group:** "; echo "$clientGroup"; echo " \n"; echo " **Target group:** "; echo "$targetGroup"; echo " \n"; echo " **URL:** "; echo "$clientUrl"; echo " \n"; echo " * * * "; echo "\n"; echo "\n"; #RESPONSE CODE http_response_code(403); ?>

Great steps so far but im stuck at the point of joining the domain, i keep getting
cannot join as standalone machine

can anyone help with this?

Yes its the version 3.4.10 available in the public Package Repository.

If you would like to install the squid-3.5.3-… from the pfsense files then you have to "build" your own Custom Package Repository and manipulate the "pkg_config.10.xml".

But be carefull, dont try it in a live environment. Also please read about "peak and splice" on the squid homepage.

Here is the link to Creating a Custom Package Repository https://doc.pfsense.org/index.php/Creating_a_Custom_Package_Repository

edit:

BTW you could see the version of installed squid version by enabling ssh , and connect via ssh to your pfsense server and type squid -v. Then you see the build options and version number.

For real though, Squid3 will both eliminate problems now and prevent future ones from happening. Just use it.

Isnt there a option to enable auto update or do i have to make a cronjob for that?

Or a script perhaps.

@ganewbie:

Well,
Thanks to all for the great support, now I got squid3 working no issue however the squid-guard does not want to run.
After searching on forums, I found out that you need to re-download the blacklist sites after each reboot. Not sure why? but in any case when I do that it works meaning, both services could show green and running under status–> Services.

The interesting thing is when I deny for example Porn it does not do anything and you can still have access to Porn. Is there a special package or even some different approach to block or deny certain site categories?

Thanks,

I had the same issue on pfsense 2.2.1.  I solved the problem by putting one item into "target categories" at squidguard. Choose a name for the entrance and put one URL into the URL-List.
Save the item and apply the changes. Download the blacklist again. After a reboot the blacklist is still active.

Yes, if you've assigned the bridge and given that the interface address for the subnet then use that.
However you would normally have that assigned as the LAN in that case so maybe you haven't.

Steve

Same issue in thread https://forum.pfsense.org/index.php?topic=96984.0 .

Please have a look at it.

WOW…  :o

I don`t need to filter Access by Clients (Groups ACL or Common ACL), but by Target Categories (hosts, URLs). The blacklist redirection should be integrated in Target Categories or Blacklist tab some how, but it is not. So how to tell to blacklisted sites go to ext URL?

the wrong line inserted, problem solved, used this string to get Qualys grade A with https://forum.pfsense.org/index.php?topic=82914.15:

some.domain.tld options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4 dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE

it's for squid 3 reverse proxy

You could try.. going to a website that should be blocked (IE: Pornhub) and see if it is blocked….

Hi, there seems to be an issue with this PFSense version and Squid3 making Squid3 unavailable in the package list.
There also is an issue with Squid3 when you upgrade from < 2.2.4 making that it doesn't start.
The resolution for that issue is discribed in another post.

You could install 2.2.3, install squid3 and then upgrade to 2.2.4 and follow a short fix that I described in this post https://208.123.73.68/index.php?topic=97211.0.