Netgate Discussion Forum

Squid and ACLs

Category: Cache/Proxy
Tags: squid, updates, acl, ip addresses, private address
19 Posts, 3 Posters, 3.1k Views
    JonathanLee @mcury
    posted Dec 14, 2023, 9:34 PM (last edited by JonathanLee Dec 14, 2023, 9:37 PM)

    @mcury I have it manually set to bypass the proxy for 192.168.1.1 on LAN-side devices. I did have that issue until I did that, but I never added that to the bypass on the proxy itself inside the firewall. Thanks, I didn't think about that, I will test tonight. What's weird is why does this work for 23.05.01?

    TAC wants me to move my 8080 rule to the top next tonight.

    I have to swap out my "everything bagel" 🥯 SSD and put the 23.09.01 SSD back in to test it.

    Everything bagel is the software where everything works perfectly for everyone in our house.

    Make sure to upvote

      mcury @JonathanLee
      last edited by Dec 14, 2023, 9:38 PM

      @JonathanLee said in Squid and ACLs:

      Thanks I didn't think about that

      I'm 99% sure that it will solve that issue.

      @JonathanLee said in Squid and ACLs:

      What's weird is why does this work for 23.05.01?

      I really can't tell, but what I can say is that I got into similar problems in the past.
      I'm searching for the topic here, but it is very, very old. It was jimp who gave me the tip to fix that at that time.

      dead on arrival, nowhere to be found.

        mcury @JonathanLee
        posted Dec 14, 2023, 9:42 PM (last edited by mcury Dec 14, 2023, 10:00 PM)

        @JonathanLee said in Squid and ACLs:

        TAC wants me to move my 8080 rule to the top next tonight.

        That is a good idea, but if I'm right, that alone won't help.
        As I see it, you are getting intercepted by the proxy while going to the pfSense GUI.

        Also note that NAT is processed before firewall rules in the pipeline. So, if I'm right, moving that rule won't solve the problem.

        030220da-d16b-446e-9129-24dff671522f-image.png

        Edit:
        Found the link; it wasn't jimp, memory failed me.
        https://forum.netgate.com/topic/110072/squid-dnsbl-problem

        Edit 2:

        Oh, it would be easier to just change the firewall management port: choose any port that is not being used by any service on the firewall and is not being intercepted by the transparent proxy.

        dead on arrival, nowhere to be found.

          JonathanLee @mcury
          last edited by Dec 14, 2023, 11:03 PM

          @mcury thanks for the information

          Make sure to upvote

            JonathanLee @mcury
            last edited by Dec 14, 2023, 11:04 PM

            @mcury is port 8080 used by something else? My GUI is currently set to port 8080.

            Make sure to upvote

              mcury @JonathanLee
              last edited by Dec 14, 2023, 11:15 PM

              @JonathanLee said in Squid and ACLs:

              @mcury is port 8080 used by something else? My GUI is currently set to port 8080.

              No, not by default.
              But some websites use that port, so it is usual to see users include it in the allowed ports in the Squid settings.

              If it's not there, then I don't think this is the problem.

              Just to be clear, my suspicion is that the NAT that the transparent proxy creates is intercepting that port when you are accessing the GUI, and sending it to the proxy on 3128.

              dead on arrival, nowhere to be found.

                JonathanLee @mcury
                last edited by Dec 14, 2023, 11:55 PM

                @mcury I got it. It should also work to add bypass 192.168.1.1:8080 on the Squid bypass settings, right? 👍

                Make sure to upvote

                  mcury @JonathanLee
                  last edited by Dec 15, 2023, 12:03 AM

                  @JonathanLee said in Squid and ACLs:

                  It should also work to add bypass 192.168.1.1:8080 on the Squid bypass settings, right? 👍

                  Yes, just bypass connections to destination 192.168.1.1.

                  Usually, most of the time if not always, you don't want to proxy connections to local networks, so I would bypass everything to:

                  10.0.0.0/8
                  172.16.0.0/12
                  192.168.0.0/16

                  As far as I remember, you said a few weeks ago when we were trying to fix your Nintendo Switch problem, that you use both modes, transparent and explicit.

                  So, you need to make sure that you bypass these networks for both methods.

                  For transparent mode, you need to include those networks in the Squid configuration, or if you created the NAT manually, include those networks there; you can use that reverse destination alias as previously mentioned in that thread.

                  For explicit mode, you would need to set it in the browser settings, or through the PAC file.

                  dead on arrival, nowhere to be found.

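As an added example (not code from this thread or from Netgate), here is a PAC file for the explicit-mode bypass mcury describes: RFC1918 destinations, including the firewall at 192.168.1.1, go DIRECT and everything else goes to the proxy. The proxy listener 192.168.1.1:3128 is an assumption; real PAC engines supply isInNet()/dnsResolve(), so this block carries its own CIDR check to run stand-alone and only matches hosts given as literal IPv4 addresses.

```javascript
// Added example PAC file, not from the thread. ES5 syntax on purpose, since
// many PAC engines do not support newer JavaScript.
var PROXY = "PROXY 192.168.1.1:3128";          // assumed Squid listener on the firewall
var BYPASS_NETS = [                             // the networks mcury lists, plus loopback
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"
];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number; null if invalid.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True if the literal IPv4 address `ip` lies inside `cidr` (e.g. "172.16.0.0/12").
// Stands in for the PAC built-in isInNet() so the file runs under Node as well.
function inCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var bits = Number(pieces[1]);
  var ipInt = ipToInt(ip), netInt = ipToInt(pieces[0]);
  if (ipInt === null || netInt === null) return false;
  if (bits === 0) return true;
  var mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // Plain (dotless) hostnames and localhost are local: never send them to Squid.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  // Private destinations, including the pfSense GUI at 192.168.1.1:8080, bypass the proxy.
  for (var i = 0; i < BYPASS_NETS.length; i++) {
    if (inCidr(host, BYPASS_NETS[i])) return "DIRECT";
  }
  // Everything else, including DNS names, goes through the explicit proxy.
  return PROXY;
}
```

In a real deployment, resolve names with dnsResolve(host) before the CIDR check if internal services are reached by DNS name rather than by IP.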
                    JonathanLee
                    last edited by Dec 15, 2023, 12:06 AM

                    Thanks, I got the PAC file working. I bet 23.05.01 had some default Netgate proxy rules that 23.09 doesn't include.

                    Make sure to upvote

                      mcury @JonathanLee
                      last edited by Dec 15, 2023, 12:09 AM

                      @JonathanLee said in Squid and ACLs:

                      Thanks, I got the PAC file working. I bet 23.05.01 had some default Netgate proxy rules that 23.09 doesn't include.

                      hm.. 🤔 could be but I don't think so.

                      dead on arrival, nowhere to be found.

                        JonathanLee
                        last edited by Dec 16, 2023, 9:20 AM

                        It was these old separators that were deleted but were still listed in the 23.05.01 config.xml file.

                        It mixed up every rule on the config.xml side and left it looking correct on the GUI side. I just deleted them and it fixed it for my 23.09.01.

                        Screenshot 2023-12-15 at 10.19.31 PM.png

                        Screenshot 2023-12-15 at 10.53.07 PM.png

                        Make sure to upvote

                          mcury @JonathanLee
                          last edited by Dec 16, 2023, 11:50 AM

                          @JonathanLee said in Squid and ACLs:

                          It was these old separators that were deleted but were still listed in the 23.05.01 config.xml file.

                          It mixed up every rule on the config.xml side and left it looking correct on the GUI side. I just deleted them and it fixed it for my 23.09.01.

                          Screenshot 2023-12-15 at 10.19.31 PM.png

                          Screenshot 2023-12-15 at 10.53.07 PM.png

                          Oh, that certainly wasn't an easy shot, good work =)

                          dead on arrival, nowhere to be found.

                            JonathanLee @mcury
                            last edited by Dec 16, 2023, 4:51 PM

                            @mcury I also had to disable some Ethernet rules that all of a sudden showed a lot of activity.

                            Screenshot 2023-12-16 at 8.38.44 AM.png

                            Make sure to upvote

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.