Hi, i probe re-intalling all pfsense and install squid and squidguard by default all right but when i active safe search in squidguard re-appear me the same problem but i uninstall all and appearme the same message in youtube, anybody can tell me why this?

official pfsense talk on the topic: https://www.youtube.com/watch?v=xm_wEezrWf4

sorry Linux guy here … corrected above  8).

actually i do.  like for example, normal group type and deny by ip. if im going to read deny by ip, its only deny by ip but does it include normal url filtering? it doesnt say but your option is to try while if it says deny by ip + normal filtering that would be faster and easier to decide and chose. another thing, if i select the icap amd av options, would that enable antivirus and where would i see that.  unlike squid, there is tickbox to enable so that would be more meaningful  but  i guess i can complain since  i am mere user. but i think you dont get it, if your description would be more descriptive and informative there not much to ask. but i ask since this is pfsense forum and i have no knowledge aside from the docs. but still if there is a book, there would still be questions.

Squidguard requires squid to be installed first, I believe, since it modifies squid's configuration.  It's also not really a service.  It's a helper application that gets spawned by squid in realtime for every URL being processed.

@ravegen: @marcelloc: @ravegen: I see the Deny IP- Deny Access to any ip based url.  But if I choose this, I cannot use the Normal Group (default) type where I also need to use that to filter base on ACLS. Just select the option I'm telling you and test. This is for sure the option you are looking for. If I select this option, I can still filter base on ACLS ? You are applying a group based setting… If you want other users to have access via IP then throw them into another group after setting up some way of authenticating the users. Simplest is IP.

@ravegen: susamlicubuk, I do not know what ip are used by dropbox application or yahoo messenger application or our 3rd party application.  So I also asked where will I find those since in the realtime tab, I do not see those client user blocked. It's not blocked, per say. Like I mentioned in the other thread, it's due to the programs not trusting  the certificate from E2 Guardian… Don't enable MITM until you understand networking enough to run packet captures and make exceptions..

@ravegen: pfsensation, so theres no need to specify subdomains ? For this particular case, and in my testing. There wasn't a need, as Dropbox only seemed to care about its main domain. Dropbox.com.

@ravegen: so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right? Pretty much, yes. Although if you completely want to block them, use banned list and don't rely on the SSL pinning to block it as the developers of the platform can change things.

Squid can use captive portal authentication. this will help lightsquid get complete http/https report.

This is exactly the setup I would like to configure as well. Effectively it looks like we would need to be able to set IPSEC as the applicable interface within squid, but that doesn't seem to be an option. Has anyone else been able to get this working effectively?

Hi, I had the same problem on SG-3100. I have checked logs and got info: 2018-05-16 19:59:52: (mod_auth.c.525) password doesn't match for / username: admin, IP: so for test I renamed user from admin to testadmin and works. It seems that webGUI is not changing password for default user admin :-( Best regrads, Andcza

yes squid is enabled and started as seen on pfsense gui

Thanks very much for explaining this to me! Very much appreciated! :)

cool, thanks! will look onto it

but if you put me where I should do those configurations I'd appreciate it. That depends on your OS.  For Windows, in the proxy definition dialog there is a 'Bypass for local addresses' checkbox or something similar.

Hi, in my opinion you need to create a new list in Target categories called Denied sites, writte youtube.com (Domain List) and youtube.com/ (URL List), then you need Denied the list in Groups ACL. APPLY in General Settings.

I don't think so.  Here is what you have to work with when using a squidguard ACL: Enter client's IP address or domain or "username" here. To separate them use space. Example: IP: 192.168.0.1 - Subnet: 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - IP-Range: 192.168.1.1-192.168.1.10 Domain: foo.bar matches foo.bar or *.foo.bar Username: 'user1' Ldap search (Ldap filter must be enabled in General Settings): ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))