we decided to go with: xyz-web -- for all internal web interfaces

e outra coisa eu tenho duas interface lan 192.168.1.1 e wifi 172.168.0.1 na lá esta ok mais como devo fazer pra usar na wifi tbem pq são faixas de ip diferente

hello today I ran into this problem, and in the last version available today (I think it was 1.16.18_20) when checking the system log I could see that the error is due to the file being treated as a ".tar" file without compression. When I downloaded the file on another host, unzipped it, and used the url with the .tar file, it managed to extract and process the list of categories correctly. Here is the log that showed what the package was trying to do: Sep 10 14:01:33 firewall php[10138]: squidGuard_blacklist_update.sh: The command '/usr/bin/tar zxvf /tmp/squidguard_blacklist.tar -C /tmp/squidGuard/unpack' returned exit code '1', the output was 'tar: Failed to set default locale tar: Error opening archive: Unrecognized archive format' Sep 10 14:01:43 firewall php[10138]: squidGuard_blacklist_update.sh: The command '/bin/cp -f -p /tmp/squidGuard/arcdb/blacklist.files /usr/local/etc/squidGuard' returned exit code '1', the output was 'cp: /tmp/squidGuard/arcdb/blacklist.files: No such file or directory' greetings

[image: 1631110364845-5491a6f4-4c82-4788-b155-a39e2d260f55-bild.png] So this is what I need to get a away from since there is obviosly a max number of rows pfSense accepts. I have reached that maximum.....

Right so if Squidguard is blocking that traffic it will try to display an error page but that is hosted in the firewall behind that self signed cert over https. As a test only try setting the firewall webgui to http. If that works you need to change the Squidguard settings to either not display an error page or redirect to an externally host page over http. Steve

@rupesh issue resolved.Found this great post @ (https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Note **My Squid is not on Transparent mode because I need to authenticate users.

@derelict thanks a lot for providing insights on your setup! I'd be interested in setting up something similar and have a couple of question I was hoping you could help answer. I made an RFC1918 VIP on localhost. Unfortunately it's this very first point I already don't understand If my understanding of the documentation is correct then an IP Alias (VIP) is simply an additional IP address one can assign to an interface, right? If so, what is the purpose of assigning it to localhost? So that it is reachable from each of the local interfaces/networks? HAproxy binds to that. Why not binding it to the WAN interface/address? I port forward WAN to that. I guess that's necessary because the HAProxy is bound to the VIP and not the WAN address? I have split DNS inside pointing to the inside VIP address. What does this mean exactly? Do you have a domain override for your domain(s)? If so, what's the purpose of that? To avoid NAT reflection that you mentioned in your post above? Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane). I use a wildcard certificate and have only a * CNAME and an A DNS record pointing to my WAN address (dynv6.com as dynamic DNS provider). I have the DNS-01 challenge running and the certificate is currently retrieved via a dedicted certbot instance and used on a dedicated nginx instance. However, I'd like to switch to the pfsense HAProxy/ACME setup. It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works. The ACME package handles all the certs. inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months. If I'm not mistaken, I could keep the traffic encrypted even in the backend with my dedicated nginx reverse proxy, right? So HAProxy would do the SSL/TLS offloading and communicate via https with my dedicated nginx reverse proxy (which in turn is proxying to the various docker containers/services I have). The HAProxy would be used also for other various hosts on the network (via host overrides), including the pfsense host itself, in order to get rid of the self-signed certificate warnings. As all the other hosts have https enabled by default, the complete traffic should be encrypted and a valid certificate should be proviced by the HAProxy. Or am I missing something here? The only thing that might need further consideration is limiting access to the internal hosts, i.e. they should not be reachable from outside. I guess that's what the HAProxy access lists are for?

@kasalencar below this line $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");

@kom I'm totally open to rethinking it . I was reading about what Squid does with caching and figured it would be really useful. But hey if it's not then it's not. One less thing for me to worry about. I'll look into webcrawlers and site downloaders. My connection speed is rarely an issue, but you know our connection to a site is only as fast as the site is. Even then, maybe I will just dump the entire idea. Thx for the reply!

@Michele-trotta I'm not using transparent mode, but to make WhatsApp work, I had to whitelist whatsapp.net and whatsapp.com.