Netgate Discussion Forum

    Squid future questions

    • JonathanLee

      Hello fellow Netgate community members,

      If one wants to continue to use Squid with knowledge of the vulnerabilities, is there still a way to do that in the future, or should we stop upgrading our pfSense firewall to continue to have Squid on the system?

      I am sad as I purchased this equipment for use with Squid. It seemed to have a lot of issues all along and now it works great, but it's also being deprecated. Again, the amount of time I spent working on this was a lot. I am too invested in Squid to give up on it.

      Make sure to upvote

      • periko @JonathanLee

        @JonathanLee I'm with u, buddy.

        The only way we can block users accessing domains and have a good ACL under pfSense is Squid.

        A lot of people say, use pfBlockerNG. I use this great package but it still doesn't have all the ACL options Squid+SG has.

        I know that the security of the base system is important, but this is one of the features a lot of users search for: how to protect the network from accessing a web site, can I allow this person to do that and not this, etc. Only Squid does.

        Can I see reports about users surfing the web? Yes, Lightsquid.

        Can I see the same report from pfBlockerNG... No.

        Commercial products have some great tools for this, but this is a feature I like most from pfSense, which I have used for years.

        I know that it is not in your hands, Netgate, but u can see that a lot of your base users search for this tool. If pfBlockerNG can do it, great, but I know that it is not possible to let me apply all the filters that Squid+SG does. I love pfBlockerNG but it is limited.

        Hope u have in your plans, pfSense (Netgate), to add another web proxy for pfSense; it is a Unix type and is the best OS to run this type of security tools to protect companies from outside and inside from abusing this resource, the internet.

        An old pfSense user since 1.2...

        Need pfSense Support in Mexico?
        www.bajaopensolutions.com
        https://www.facebook.com/BajaOpenSolutions
        Want to learn pfSense? Visit my YouTube channel:
        https://www.youtube.com/c/PedroMorenoBOS

        • Bismarck @periko

          @periko

          There was/is an unofficial add-on, E2guardian Web filtering, dunno if it's still compatible with newer versions of pfSense.

          http://e2guardian.org/

          https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-e2guardian5

          Maybe this could be an alternative option for web filtering.

          • periko @Bismarck

            @Bismarck the question is, does that unofficial product have vulnerabilities?

            I had tried e2guardian, but the support group is very slow in my experience.

            Don't know if tomorrow Netgate will say remove the package because we don't support that package.

            It is the only one I see capable of replacing Squid, thanks for the input.

            • slu @JonathanLee

              @JonathanLee said in Squid future questions:

              If one wants to continue to use Squid with knowledge of the vulnerabilities, is there still a way to do that in the future, or should we stop upgrading our pfSense firewall to continue to have Squid on the system?

              https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

              pfSense Gold subscription

              • jimp Rebel Alliance Developer Netgate

                You have lots of choices:

                • Continue using the old insecure version leaving yourself open to vulnerabilities both known and unknown which will only get worse over time.
                • Migrate away from squid entirely to other means of blocking (e.g. pfBlockerNG and/or external utilities like PiHole)
                • Set up another system internally with squid that isn't on your firewall to be the proxy and forward/configure traffic to go there before exiting. This could be another dedicated hardware box, a virtual machine, docker container, etc. But it should be something running a more up-to-date/secure proxy than squid if possible. -- Note that while you could use a separate pfSense VM for this, that doesn't address the security problems in squid itself

                The proxy setup is mostly automated in pfSense and so on but you can get the same effect with some manual NAT rules configured to use some other proxy elsewhere on your network (ideally in a DMZ).

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                • JonathanLee @jimp

                  @jimp Thanks, I am actually in the process of migrating to OPNsense for better proxy support. Thinking about it, I am on the fence right now.

                  "Set up another system internally with squid that isn't on your firewall to be the proxy and forward/configure traffic to go there before exiting. This could be another dedicated hardware box, a virtual machine, docker container, etc. But it should be something running a more up-to-date/secure proxy than squid if possible. -- Note that while you could use a separate pfSense VM for this, that doesn't address the security problems in squid itself"

                  This is a great idea; I thought of this also, but what kind of hardware would one need? Could it be as simple as a Raspberry Pi for a small home network?

                  • michmoor LAYER 8 Rebel Alliance @JonathanLee

                    @JonathanLee

                    lol

                    not laughing at you..just laughing at the flow of the conversation.

                    All jokes aside - the OPNsense team may in the long run drop support for Squid. They are still weighing their options based on what I've read in the forums.

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                    • JonathanLee

                      Look at pfBlockerNG's list of issues also ....

                      • jimp Rebel Alliance Developer Netgate @JonathanLee

                        @JonathanLee said in Squid future questions:

                        This is a great Idea I thought of this also, but what kind of hardware would one need? Could it be as simple as a raspberry pi for a small home network?

                        Depending on your upstream link speed, a Pi may be sufficient, but it's hard to say for certain. No matter what you set up, it should be running with a decent size SSD, not flash media, which would require extra hardware on a Pi (like an SSD hat or similar).

                        You can get a cheap mini PC for <200 with an SSD and a decent amount of RAM (8-16GB+), toss a Linux distro on there (or something like Proxmox) and have more than enough power for a small proxy. That's probably even cheaper than a current gen Pi with an SSD.

                        • michmoor LAYER 8 Rebel Alliance @jimp

                          @jimp
                          Other than Squid, any other proxies you can recommend? I got spoiled by pfSense and using a GUI to set up Squid. No CLI is needed.

                          • JonathanLee @michmoor

                            @michmoor me too, pfSense spoiled me rotten with Squid :)

                            • jimp Rebel Alliance Developer Netgate @michmoor

                              @michmoor said in Squid future questions:

                              @jimp
                              Other than Squid, any other proxies you can recommend? I got spoiled by pfSense and using a GUI to set up Squid. No CLI is needed.

                              I haven't kept up with that space. Forward proxies have been dead/dying for so long I stopped paying attention. I'm not sure anything else open source is near squid in that market. There may be something else out there that's similar or forked and more up-to-date.

                              • periko @jimp

                                @jimp hi, one of the things I love about pfSense is the web filter.
                                I know that security is first.
                                But if a customer requests a way to control internet access, it is a web proxy with pfSense.
                                pfBlockerNG is great at that but cannot compete vs Squid+SG ACL; maybe it is possible but is hard to set up and maintain. I like pfBlockerNG and it is my 2nd filter.
                                Now, if I say to my customer, you know, we need to buy 2 boxes, 1 for pfSense and the 2nd for PiHole... u know the answer.

                                Does pfSense have a plan to have a web filter different than Squid?

                                Thanks.

                                • JonathanLee


                                  Me, I was a student who could never have afforded the ability to purchase the big tech version of Squid to learn proxies and web caches with. After many configuration changes, updates and many posts on the forum to get help from the Netgate community, my Squid works, and it works perfectly. I learned a lot about proxy use from this as a student. I hope and please ask that Netgate provide a legacy support option for users that paid for official Netgate hardware. Users like me that already installed and use Squid. Maybe add a clear warning that we're on our own. Per Squid's website they update every two years, I am sure you know. So it will be fixed in 2025. Most of the bugs are not on the version Netgate uses also. I really like using it, it just works. Again, it's advanced to configure. My family hated me for all the changes from 2019 until today. Every device I installed certificates on in my house has a warning on it that a root authority is installed. The devices even warn about it. Side note: We learned about pfSense in class with firewall labs. I have learned much.

                                  • JonathanLee

                                    Looks like Squid's website just released version 6.5 on Nov 4th 2023

                                    That was 10 days ago. . .


                                    I am confused as it was said it was not updated in 2 years. . .
                                    Was updated again Nov 6 2023

                                    Also many security issues have been resolved per the GitHub.


                                    I am thinking of installing it on a Raspberry Pi 5 8GB and NAT to it from the firewall
