Can I ask for a little more info, are you setting up a pfsense box for filtering (something like squid)? I have a pfsense box setup behind a standard router and it works well, like you my router (I have used BT and Sky routers) have little to no filtering.

The main point is to allow google services to work without issue?

Is there a specific question you're asking?

I tried it with one group and it's working well.

So then do the same thing with the other ACLs.

Hard to tell what go's wrong without the haproxy.cfg content that you might have. When using proxy-protocol between backend and next frontend the 'src' should still match the external client ip's afaik.. as for acl's some automatically disaprear depending on the mode chosen.. But when traffic is offloaded the 'ssl_fc_sni' returns the sni value. Not the 'ssl_sni' which is only used with tcp-passthrough.. Such acl's are also automatically hidden in the webgui on a frontend which knows the mode its going to run with better..

I will check out..Thank you so much.

Hi,

I think this an aged old quirk since the early days of Squid running on pfSense.
This is my own findings, your solution to this problem can be different to mine,
if you find a better way to solve this problem, do let me know.

I am not sure whether the option: 4) Reset to Factory defaults at the pfSense Console,
has got the same effect or not. If it does, then probably it will reset everything including
package settings to the defaults, and you have to redo it again one by one will be too
time consuming.

Thank you. 👌

You want to start all configuration/settings again....... You want to uninstall Squid Proxy Server...... You want to uninstall SquidGuard Proxy filter........ What happens when UNSELECTED/UNTICKED: 1) Keep the Settings/Data = unticked in Squid proxy Server -> General (because you don't want to keep the old settings) 2) Uninstall the (1st)SquidGuard Proxy Filter + (2nd)Squid Proxy server Later...... 3) You reinstall (1st)Squid Proxy Server, next..... 4) You reinstall (2nd)SquidGuard Proxy Filter...... ---------------------------------------------------- ---------------------------------------------------- But you discover that old settings still remain!!!!! What a bummer!!! ---------------------------------------------------- ---------------------------------------------------- Here is the workaround solution that I found in other post in the forum. Backup the config.xml by going to: Diagnostic -> Backup & Restore Go to Backup Configuration Accept the default settings. Press the "Download configuration as XML" blue button. Save the "config-XXXX.xml" file in your location of your choice. open the "config-xxxx.xml" with Window's WordPAD program. Press "CTRL" + F, type in the word: "squid", press Find Next. To find all the squid wordings. ------------ For example: ------------ <squid>YYYY</squid> <squidusers>YYYY</squidusers> <squidnac>YYYY</squidnac> <squidguardgeneral>YYYY</squidguardgeneral> <squidguarddefault>YYYY</squidguarddefault> <squidguarddest>YYYY</squidguarddest> --------------------------------------- YYYY -denotes the data in between --------------------------------------- Delete it 1 by 1, slowy. Yes delete the all the data in between e.g: <squid>YYYY</squid> e.g: <squidusers>YYYY</squidusers> etc........ (Be careful, don't delete any unnecessary data) Save this file you just edited. Rename the file: config-squid-start-over-again.xml Restore this xml file in pfSense: Diagnostic -> Backup & Restore. Restore the file. pfSense firewall OS will automatically reboot. After rebooted, log into the system. You will greeted with a Yellow message: "Packages are currently being reinstalled in the background." Let it run and press the F5 key to refresh. Normally you have to wait the CPU usage quietened down...... like, the usage will be running low" 2-4% This means it has finished reinstalling, press the F5 key to refresh. If you see the red bell notification, saying: General: Package reinstall process finished successfully @ yyyy-mm-dd xx:xx:xx This means the whole process of reinstalling has completed. Click on the button: "Mark All as Read" next, click on the button: "X Close" Go to Squip proxy server and check whether all the settings are empty or not. If it does, then you have successfully uninstall Squid and you can start from fresh. DONE.

Thank you for these suggestions. I'll try them.

That’s pretty poor. Do you get an error message when trying to access it? Are you able to try a free proxy to use a different IP? Try this https://whatismyip.network/ instead of Myip.com.

@Actionhenk Nice. One other thing: I haven't looked at it but I assume if you need double quotes in a string like that in the future you can just escape the ones inside the string with \"

I believe that they are stored in definitely. SSH in and go to /var/lightsquid/report and you will see the report structure. It as a folder for every day, and inside each folder are the particulars for that day. The main report has options for showing year to date, so it must keep everything forever.

for other people with the same error. The problem was how mikrotik redirects the traffic. He used a dst nat rule which breaks the chain of trust. "Mangle" should be used

You can set the outgoing source address for requests which will effectively set the gateway used.

That is done using the tcp_outgoing_address directive in the custom options before auth field.

You would need static IP(s) to use that though.

Steve

@douglas-filipe So after a big research I not found any solution... I tried to use HAProxy, without success too...

I believe that reverse proxy packages doesn't work together with pf2ad solution or any other proxy auth solution. I'm right?

I did new pfsense with no proxy auth and reverse proxy publish works great !

Best regards team!

@WD_Doug If none of the stock methods for reporting the user work for that, then you're going to have to hack something up. These might be useful:

http://lightsquid.sourceforge.net/How%20It%20Work.html

https://forum.netgate.com/topic/88886/lightsquid-not-showing-users/7

@mauricio2669 Not really, and even the report itself is built on the fly from several pieces so it's not easy to parse yourself.

@wesleylc1
Then it seems you have answered your question why the host header must be send in checks 👍 . HAProxy's health-checks by default do not send this header and your nginx configuration needs it to find the correct virtual host with the server_name configuration. The 'default virtual host' likely returns the 400 response status. Its nice to know that doing some research and actually understanding how things work you can succeed with fishing without needing other people to give you the fish, that will definitely help with future diagnosing of issues.