@jonathanlee dns_v4_first the maintainer has to update the GUI and remove that option, nothing to worry. The 2nd line is telling u that squid is already running. If u don't handle the console, reboot pfsense, if yes, them kill all the squid process and restart the services. Regards!!!

thanks for your infos heper, swithcing on/off proxy to use the vpn is so easy ;) switching ip is more "hardcore" ... i don't want to end up in my limited guest vlan2 ;) Anyways, i just give up for the moment and set the defaut routing to the vpn and exclude to it all outbound traffic of LAN, squid use the "auto" interface in this case ... i just put a failover to wan if the vpn fail ... i have spend days to try to understand what's going on !!!! The only difference between theses 2 setup is the default gateway of the pfsense .... i just don't get it ! i have check everything ... nat outbound to vpn / routing table , switching on/off netgates auto rules etc ... for me it's clearly a problem of routing ... but why squid start to retrieve the begining of the webpage and just hang ? it's not cache related i have disable it for testing .... if the webpage is small it success to download it ! but if it's longer it hang at the middle !!! i want to know why ! WHY !!! WHYYYYYYYYYYY !!!!!!!!!! it's more a problem of understanding ;) have nice days ;)

@michmoor yeah i am just playing around with trying to cache https content and filter https site content using e2guardian. This is not a production environment and more of a learning exercise. I am finding that MITM bump breaks a lot of things.

@slu Thank you for responding, You were right I had a capital letter that was messing me up. So I fixed it. Everything is good thank you very much for pointing it out.

@deeztek Sorry for the delay, it took a little longer to get time to sit and screen shot these. I didn't snap an image, but the SSL_Offload_FrontEnd and piWeb-80 backends have the "Use Client-IP to connect to backend servers." option selected in the advanced section. Let me know if you need any other sections or anything else. Hope this helps! I also set up the OpenVPN to port share with my SSH server, so I have my WAN router doing the SSL offloading, passing decrypted traffic to my web server, the OpenVPN sharing the same 443 port, and SSH getting passed from the router to the OpenVPN server and then off to the SSH server also on port 443. Works great and haven't had any issues serving the multiple domains from my web server. Front Ends: [image: 1671679571815-frontends.jpg] Back Ends: [image: 1671679583394-backends.jpg] OpenVPN-TCP Back End: [image: 1671679617587-backend1.jpg] SSL_Offload_FrontEnd Back End: [image: 1671679635001-backend2.jpg] piWeb-80 Back End: [image: 1671679672388-backend3.jpg]

@jonathanlee Hey Jon. Wanted to follow up here. I got WPAD working with the help of an Apache server. Took about 1hr of googling as im not a sysadmin but its working flawlessly. During this process i discovered that SquidGuard does not work well with Transparent mode. This is the need for WPAD comes into play. Really grateful for your help here.

@jeffrey_223 One last note, for Wpad to work with the blocked sites like this. . . [image: 1671035919391-3277a6f1-2f50-4c8b-845c-105902b74bcb-image.png] (Image: Hotjar blocked and splash screen showing) You have to adapt the admin access certificate to be a intermediate, it must use the ca that you created with Squid, or it will give common name errors. Or use a PfSense CA and make a intermediate just for admin access [image: 1671035900568-32c12094-7306-4a3e-9c7b-56f33456a6aa-image.png]

@iorx Me too did you ever find a solution to this?

@impatient https://forum.netgate.com/topic/176445/squid-cache-table-showing-year-1969-over-and-over/3?_=1670984881914 I have the same issue is there any solution to fixing this in a Netgate 2100 max? Everthing else works caching url blocking Clam AV SSL intercept and Clam AV. This log just shows 1969 After the helper starts or clear cache is ran it shows the right date and after it goes right back to 1969

@lakitu78 I have hits, and refresh unmodified showing in the logs above. But is this for registration of users?

@persia1364 Yes I believe that you can install Squidguard, configure the LDAP integration and then filter based on usernames but this is not simple and I have not tried it myself.

@cobca I do not know if you are running Squidguard, if so also make sure you have a loopback dummy ACL that lets the firewall and the proxy work. If you do not have this it will fail to reach wpad and will not work correctly as Squidguard will block the redirects. [image: 1670693775198-screenshot-2022-12-10-at-9.35.14-am-resized.png] (Image: My dummy acl) I have mine set up to allow the loopback and the firewalls ip address to talk to one another and also let the wpad work. [image: 1670693895852-screenshot-2022-12-10-at-9.37.56-am-resized.png] (Image: Group acl with loopback and firewall Ip) [image: 1670693938072-screenshot-2022-12-10-at-9.38.33-am-resized.png] (Image: location of group acl that attaches to the dummy acl rules)