Fixed in -devel:
https://redmine.pfsense.org/issues/11680

Ok, this was a side effect of this problem: https://forum.netgate.com/topic/162978/unbound-stop-working-on-127-0-0-1-after-2-5-1-upgrade

@hannesk
Put both of the 2 acl names behind the use_backend action.?

@task Update: i discovered that adding a manual route to my WAN ip in my device works. I'm tring to make is automatic by using the push command in open vpn Custom Options:

push "route X.X.X.X 255.255.255.255"

But adding the push route breaks the vpn connection. Any suggestion?
Thanks

@marcelloc
I have installed the WPAD package, added the DNS host overrides in the DNS Resolver

wpad pfsensedomain.local 192.168.1.1 wpad

added the DHCP additional BOOTP.

number: 252 type: string value: "http://192.168.1.1/wpad.dat" number: 252 type: string value: "http://192.168.1.1/wpad.da" number: 252 type: string value: "http://192.168.1.1/proxy.pac"

pfsense webConfigurator is set to https with webGUI redirect selected

However I am having issues downloading the wpad file

http://192.168.1.1/proxy.pac This site can’t be reached https://192.168.1.1/proxy.pac 404 Not Found nginx http://192.168.1.1/wpad0/proxy.pac This site can’t be reached https://192.168.1.1/wpad0/proxy.pac the pac file downloads

I seem to only be able to download the proxy.pac with

https://192.168.1.1/wpad0/proxy.pac

Am i missing something?

UPDATE: I had the wpad listen port set to the proxy port 3128, changing it to port 80 now downloads the file

The two 00's - is your domain stanmore or stanmoore?

You leave your description open, and then you try and hide it in the domain name? So not sure.

if your server is 192.168.8.36

Then create a host override in pfsense to point whatever.domain.tld to this IP..

Create a CA, then create a cert with this CA. Trust the CA in your browser - and then use that cert on your server. Done.. NO proxy needs to be involved. Makes no sense to use the proxy unless you want outside people to get in, and to be honest you wan to offload the ssl to the proxy and not do it on the server.

I have a few guides around here about doing just that - let me see if can dig one up and link to it.

Here - walk through I did back in 2019
https://forum.netgate.com/post/831783

edit: To finish that off.. Here is CA trusted by my browser.. And here are 2 devices using certs I signed with my trusted CA. Switch and Nas.

installed.jpg

Keep in mind that browsers have backed off on how long a cert could be good for - not that long ago you could make then for like 10 years and be done with it. But now browsers can have issue certs valid longer than say 1 year

https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/

So for your certs you can only do them for that long - or your browser will complain - some of mine where done before those changes went into effect..

Other advantage of just doing it this way - is you can add in IPs into the certs via SAN, and then either name or IP works and your cert is trusted.

switch via name or ip

switch.jpg

Notice in the cert for my nas above - its lists subject alternative names for nas.local.lan and 192.168.9.10

@lgwapnitsky No, I moved to a dedicated host for HAProxy and just about to deploy I realized it doesn't have that robust of support for directory accounts. I use Active Directory.

Also, since I asked pfSense 2.5 is came out and it's got a ton of new stuff: it now has the current (or very close to current) HAProxy, supports TLS1.3. I'll try again and come back if I'm successful, good luck to you too! :)

________

PS: If you're open to alternatives for authentication, take a look at Keycloak from (backed by) Red Hat. It does federation, clustering, it provides many clients (to integrate with). OpenID Connect, OpenID, LDAPS, SAML, hardwarekeys/tokens, socials, SMS, you name it, it does it all and it doesn't even need installation, you just run the WildFly (or Tomcat/JBoss/etc..) servlet. Just charge an iPad or 'cause you'll be doing plenty or reading. It's not hard though. :)

@sweety which version u have (squid and SG)?
Can u show Bypass Proxy for These Destination IPs?
Can u show the advanced options from squid(Integrations)?
Regards!!!

@viktor_g excellent, thanks.

@viktor_g Updated, category filtering now works well.
But still there is something broken:
In the past, when I add/remove user from group ACL, it was enough just press Save&Apply.
But now I have to restart SquidGuard service to apply new membership.

@viktor_g Updated this morning and tested now, so far is working fine as it was in 2.4.5, thanks @viktor_g .

@piba
Okay, thank you for confirming. I will go with decoding and encoding the traffic. Blocking the traffic at the first possible stop and having one central place for the configuration seems the better option (for me).