Go to Services - Proxy server - Local Cache - External Cache-Managers.  Put the LAN IP address of your pfSense box in here after the default entry.  Click Save at the bottom.  Mine looks like this:

10.10.4.1; 127.0.0.1

No idea.

What I do is create an alias for the proxy and an alias for the web ports (80, 443).  Then I create an Allow All pass rule at the top for the Proxy alias.  Under that, I put a block rule for All with dest ports being the Web Ports alias.  Save & done.

This bugs me for some quite some time, too.
Enabling transparent works for a couple of calls to websites - then it dies…
Scarry is the right description...

3.1.20 pkg 2.1.2 on pfsense 2.1.5
I have to say that the previous package (whichever that was!?) was running just fine!

Was the first thing I tried, However it did not work.

OK fix it, it was a few different ip's that i need to add

thanks marcelloc

ohhh never mind i got it sorry for the ignorance  :-[

https://doc.pfsense.org/index.php/Lightsquid_Troubleshooting

1 - Deny access to internet through your firewall except from proxy
2 - configure your proxy
3 - set up WPAD so that clients easily point to your proxy

With such design, you can configure policy routing that will apply and also benefit from proxy (squidguard) filtering.

BTW, from architecture standpoint, this design is better than services running on pfSense.

Hi Guys
I think I found a bug:
When the option "Enable logging" is ON and you specify exclusions of IP's through ACL's, these ACL's do not get honoured, BUT If you switch "Enable logging" OFF and you specify your logfile in your ACL, it gets excluded.

Actually, If you leave "Enable logging" is ON and specify your logfile in your ACL, the entry gets duplicated except for the excluded IP…

Example ACL:

acl IP-LIST src "/root/ip-list.txt" access_log /var/squid/log/access.log !IP-LIST

If the "Enable logging" OFF - You get one logfile entry in your logfile and the excluded IP's are excluded.

If the "Enable logging" ON - You get two logfile entries and the excluded IP's gets logged once.

So, it seems there needs to be some kind of "PRE PROCESSING" needed to exclude IP's from your logfile…

Please could someone confirm?
kind regards
cyber7 - AKA Aubrey Kloppers; Cape Town; South Africa

on pfsense 2.1.5-amd64  I am using squid3-dev with captiveportal authentication  flawlessly

Apparently you are the one in a million  8)

Thank For your answer and i will following your instruction if can't fix it.
:D :D

From a pure technical standpoint, you could do this:
(&((|(memberOf=cn=group_A,ou=staff,dc=domain,dc=co,dc=uk)(memberOf=cn=group_B,ou=staff,dc=domain,dc=co,dc=uk))(sAMAccountName=%s))

or use one single group in Squid that is matching one group in AD containing multiple AD groups. Does this work?

I'm also not using pfSense Squid package  ;) therefore I don't know the interface neither features that are exposed but Squid allows to create multiple rules. The first one matching will apply. Therefore you're not obliged to merge everything into one single LDAP search isn't? (unless pfSense implement brings some restrictions here  :-[)

Because "Disable Ping" wasn't available in 2.1?

Hi
Thank you PiBa, you were right, the problem was windows servers, that did not return the traffic, I talked to our windows and network administrator, and they corrected the routing.
now everything is working.
thanks

What we are talking about is getting reports on the captive portal users with their user ID instead of their IP address using the Squid captive portal authentication method.

Ahh ok now I understand it better!

dgall, if you continue to block using IPs, it's much more practical to use pfBlockerNG to download the list of IPs from "Hurricane Electric" and the package will download updates on a frequent basis.

See the following thread (#6) -

https://forum.pfsense.org/index.php?topic=86212.msg485046#msg485046

Yeah, you can't go around blocking CDNs or you will have problems with lots of popular sites.

So I am still not sure exactly what the heck is going on. In some cases, it does appear that SYNs are not being responded to. I am not sure why. Then shortly after, it works…???

I added the following to my Squid config, on the General tab in the "Custom ACLS (Before_Auth)" section, and this is helping a lot...though still not good enough for "production":

connect_timeout 2 forward_max_tries 2 connect_retries 2