Netgate Discussion Forum

    Installing the Dansguardian package in PFSense - One user's experience

    86 Posts 27 Posters 156.6k Views
    • marcelloc

      Chewy,

      Thanks for your mini howto and experience feedback  :)

      I'm involved in a lot of packages now, but if I have some time in the future, I'll try to include transparent mode with a BIG security warning  ;)

      Regards,

      Marcello Coutinho

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • root2020

        Couple of issues that some people may have. By the way this is a great easy to follow Dans setup, thanks!

        #1 When I installed squid, my Proxy interface in squid was at "loopback". I changed that to LAN and things are fine now.
        #2 Just a note if you use the firewall to redirect port 80 to 8080: make sure that the firewall rule created by the port forward is located above your "LAN-any" rule so that it gets executed properly.

        • Wezz

          I did get the Dansguardian to work if I manually set the proxy, but I've added the rules to FW without any luck.
          I've put the rule
          Proto: TCP
          Source: LAN net
          Port: *
          Destination: 192.168.1.1
          Port: 8080
          above the lan-any rule, so it should work but it does not?
          How to solve?
          I can provide screenshots if asked.

          • marcelloc

            Your NAT is not correct; pay attention to the NAT description in the first post and apply it to your config.

            • Wezz

              @marcelloc:

              Your NAT is not correct; pay attention to the NAT description in the first post and apply it to your config.

              I've done that,
              First is NAT

              Edit: I totally forgot that I'm connecting via VPN on my client, my bad.
              Thanks for a great "user experience"

              • Chewy

                I've only just had a chance to come back to see if there were any replies and this is a pleasant surprise. I'm delighted it's helped people.

                • chris23

                  Thanks guys, this really helped me out a lot.

                  I have a question, what if I want to add in squidguard to control access at times of day.  Say 9am til 5pm only, on certain machines with a certain IP address.

                  Had a bit of a try and I seem to be able to get on the net anytime with the config I tried.

                  Anyone tried this??

                  Thanks
                  Chris

                  My weather station: http://rollestonpark.myzen.co.uk

                  • marcelloc

                    You mean dansguardian, squid and squidguard? ???

                    • chris23

                      Yeah, can you not use squidguard as well?

                      Or can I just put some settings into dansguardian to control time of day access?

                      Thanks

                      (by the way marcelloc, good work!!)

                      • Chewy

                        I'm going to make a suggestion Chris but I've not tried this solution, it's speculative, so feel free to shoot me down if I missed something.

                        Firewall>Schedule is possibly what you're looking for to solve the problem. If you only want content filtering between 9 - 5, then apply the schedule to the redirect rule such that DG and Squid are bypassed outside of the access hours. If you don't want any access at all outside of those hours, then you can construct a rule that blocks certain IPs and is only active outside of those hours.

                        Hope that helps

                        • chris23

                          aagghhh,

                          genius.  Why did I not think of that.  So simple really, it passed me by….

                          Thanks a lot Chewy

                          • Chewy

                            Update - I don't seem to be able to edit the original post which I can see makes some sense for integrity reasons so I'll add some updates here (these aren't necessarily requests for change just observations for fellow travellers).

                            Refreshing Dansguardian when changes have been made seems to be a bit hit or miss. The only entirely reliable method I've found is the one suggested by Zgruk: from the command line, issue "dansguardian -Q". The "save" buttons work sometimes but not others, which I suspect is entirely to do with DG and not the packaging.

                            Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid, hence, any requests to DG fell into a black hole including the access to PFsense to fix the problem. Because of my (insecure) set up I could manually direct the browser at Squid to access PFsense, refresh DG using a simple save and that seemed to establish the socket between DG and Squid giving me back normal access.

                            If you're not as insecure as me (and I don't recommend it for any professional set up) then the way to get back access would be to use the command line refresh I mentioned above.

                            There may be a way to force squid to come up before DG, I'm not sure. I'm more of a Linux man than BSD and, despite their shared heritage, they're different enough for me to have to research that change. If there's anyone out there who can supply the answer I'd be really grateful.

                            • chris23

                              Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

                              Exactly the same issue here too.
                              I normally have to cycle the DG service after bootup.

                              Not sure quite what's happening here.

                              • marcelloc

                                @chris23:

                                Rebooting the PFsense box caused me some odd problems. DG started before Squid and doesn't seem to keep trying to establish a socket with Squid

                                Exactly the same issue here too.
                                I normally have to cycle the DG service after bootup.

                                Not sure quite what's happening here.

                                Can you check the steps posted in the dansguardian topic under Packages?
                                http://forum.pfsense.org/index.php/topic,43786.msg253812.html#msg253812

                                • Chewy

                                  Checked the thread and this appears to be the same problem as reported by Cino :

                                  I think the problem I have, dansguardian is starting before squid.

                                  We've had a long weekend in the UK so I did some checking into how the start up tasks are set in BSD. Forgive me if I'm telling you things you already know but it seems BSD uses directives (e.g #PROVIDES) within the start up jobs to create a dependency order. The directives show what a daemon provides and requires, which in turn are used by rcorder to order the job starts.

                                  Marcello uses the directives in the Dansguardian start up job but squid doesn't use them which results in a random start order at best. The way to fix this would be to use the native BSD system consistently but it seems that historically this hasn't been done. I can imagine a work around which alters the "squid.inc" file to copy a template start up script in the same way that Marcello does it and in this squid template include the standard directives hence dictating the start up sequence.

                                  The other idea I had was to check for squid.sh in /usr/local/etc/rc.d and if it exists start it in the Dansguardian script. Something like this before the code to start DG:

                                  
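                                  # Start Squid first if its rc.d script exists
                                  if [ -e /usr/local/etc/rc.d/squid.sh ]; then
                                       /usr/local/etc/rc.d/squid.sh start
                                       # Overwrite squid.sh with a bare shebang so it does not start Squid a second time
                                       echo "#! /bin/sh" > /usr/local/etc/rc.d/squid.sh
                                  fi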
                                  
                                  

                                  As I mentioned previously, I'm no expert with BSD so if I've got this wrong please do correct me (as much for my education as others).
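
The dependency ordering described in the post above, as an added example that is not part of the original post and is not pfSense or package code: it emulates rcorder-style ordering with awk and tsort, using the FreeBSD rc.d header spelling `# PROVIDE:` / `# REQUIRE:`. The two script files are constructed for illustration, and the function names `rc_order` and `demo_order` are hypothetical.

```shell
#!/bin/sh
# Added example: emulate rcorder-style start ordering with awk + tsort.

# Print the start order of every script in directory $1, one name per line.
# A REQUIRE that no script PROVIDEs is reported on stderr and adds no
# ordering constraint, so the relative order of those scripts is arbitrary.
rc_order() {
    awk '
        FNR == 1 { n = split(FILENAME, p, "/"); file = p[n]; print file, file }
        /^# PROVIDE:/ { for (i = 3; i <= NF; i++) provider[$i] = file }
        /^# REQUIRE:/ { for (i = 3; i <= NF; i++) { need[++k] = $i; who[k] = file } }
        END {
            for (j = 1; j <= k; j++)
                if (need[j] in provider)
                    print provider[need[j]], who[j]    # edge: provider starts first
                else
                    print "unresolved: " who[j] " requires " need[j] > "/dev/stderr"
        }
    ' "$1"/* | tsort
}

# Write two constructed rc.d scripts and print their computed order on one line.
# $1 = yes|no: whether squid.sh declares "# PROVIDE: squid".
demo_order() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n# PROVIDE: dansguardian\n# REQUIRE: squid\n' > "$d/dansguardian.sh"
    if [ "$1" = yes ]; then
        printf '#!/bin/sh\n# PROVIDE: squid\n' > "$d/squid.sh"
    else
        printf '#!/bin/sh\n' > "$d/squid.sh"
    fi
    rc_order "$d" | paste -s -d ' ' -
    rm -rf "$d"
}

echo "squid.sh without PROVIDE: $(demo_order no)"
echo "squid.sh with PROVIDE:    $(demo_order yes)"
```

With the header missing from squid.sh, the only output tying the two services together is the "unresolved" warning; once squid.sh declares what it provides, the sort is forced to place it first.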

                                  • marcelloc

                                    Thanks Chewy, I'll do some tests and give feedback.

                                    • chris23

                                      yeah, the message I get on reboot is:

                                      Dansguardian no process found
                                      Dansguardian no process found
                                      Dansguardian no process found

                                      I just start or restart it once boot is complete and all is OK.
                                      No biggie, but slightly annoying.

                                      Thanks and wouldn't be without it….

                                      • marcelloc

                                        I've tested it today on a clean install and dansguardian did work after reboot.

                                        It still takes 1 minute to start but it works.  ???

                                        • rjcrowder

                                          Curious to me that it worked for you… I had the same problem - DG wasn't working because it started before Squid. I couldn't figure out how the package manager controlled the order of startup scripts, so I did a little hack. I simply created another startup script called z_fixstartup.sh and placed it in /usr/local/etc/rc.d. Contents of the script is...

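                                          #!/bin/sh
                                          # This file was automatically generated
                                          # by the pfSense service handler.

                                          rc_start() {
                                              # -Q kills any running copy of DansGuardian and starts a new one
                                              /usr/local/sbin/dansguardian -Q
                                          }

                                          rc_stop() {
                                              # Nothing to stop; ":" keeps the empty function body valid sh
                                              :
                                          }

                                          case $1 in
                                              start)
                                                  rc_start
                                                  ;;
                                              stop)
                                                  rc_stop
                                                  ;;
                                              restart)
                                                  rc_stop
                                                  rc_start
                                                  ;;
                                          esac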

                                          I had another small issue that someone else might want to be aware of. If you create a NAT rule to autoforward port 80 traffic, this somehow breaks XBox downloads. I had to exclude the IP address of the XBox in the forwarding rule.

                                          • Chewy

                                            RJ - Nice fix I'm going to try that one. What I still don't understand though is, as you say, how does the package manager control the start up order ? Is there no consideration to the order designed in to the mechanism ?

                                            Marcello - I don't get it and I'm wondering if it's somehow random ? Does DG sometimes start after Squid or does it sometimes retry the connection, I have no idea, but it's very frustrating, particularly when we can't reliably recreate the problem. Your comment about the time taken makes me wonder if I wait longer would the connection between DG and Squid eventually start ?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.