Installing the Dansguardian package in PFSense - One user's experience
-
Think I may have tracked down why Dans doesn't start properly on bootup (on my setup)
I get this error:
php: : The command '/usr/local/sbin/squid -k reconfigure' returned exit code '1', the output was '2012/04/25 10:17:58| WARNING: '192.168.0.0/255.255.255.0' is a subnetwork of '192.168.0.0/255.255.255.0' 2012/04/25 10:17:58| WARNING: because of this '192.168.0.0/255.255.255.0' is ignored to keep splay tree searching predictable 2012/04/25 10:17:58| WARNING: You should probably remove '192.168.0.0/255.255.255.0' from the ACL named 'localnet' squid: ERROR: No running copy'
On my squid setup I have chosen to select LAN + loopback, so that the children go through the 8080 dans proxy and my machine uses 3128 (for caching purposes)
Is it possible that this is causing the error and not allowing dans to start automatically. Still starts when I go in and press start.
Or am I just completely barking up the wrong tree…. ::)
Thanks
Chris
-
Just another quick note on something that needs to be done… it appears that DG log rotation is not set up. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/. To get it working, do the following.
1. Edit /usr/local/share/dansguardian/scripts/logrotation and change
LOG_DIR=/var/log/ to
LOG_DIR=/var/log/dansguardian
2. Make the file executable
chmod +x /usr/local/share/dansguardian/scripts/logrotation
3. Add it to your list of scheduled tasks in cron so that it executes once a week. To do so, I installed the "cron" package and added an entry as follows (executes at 2:30am on Saturday):
30 2 * * sat root /usr/local/share/dansguardian/scripts/logrotation
Hope this helps...
-
Just another quick note on something that needs to be done… it appears that DG log rotation is not set up. You can enable the "logrotation" script in /usr/local/share/dansguardian/scripts/.
Thanks for these steps, I'll take a look and implement when time permits.
-
I've just pushed some fixes to improve dansguardian boot process and checks.
On my tests, dansguardian startup time during boot process reduced to 20 seconds.
Wait 15 minutes, reinstall the package, apply config and reboot.
-
Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).
Secondly and totally unconnected here's a strange one for Netflix users.
I recently re-installed my windows system onto a new SSD and subsequently my Netflix gave a Silverlight N8152 DRM error when starting. I tried every suggested fix I could find for what is apparently a fairly common error all to no avail. The solution I found that worked for me was to disable the Dansguardian redirect rule, start Netflix, watch a moment of some content then stop Netflix and re-enable the redirect rule for DG, no more DRM N8152 Silverlight problem…..
I have no idea why, but it worked for me.
-
Firstly - Thanks Marcello that's excellent news. Can I just clarify that where you say "apply config and reboot" do you mean manually apply the config or restore from a saved xml config ? Would that work ? (Just saves me some time if it does).
Reinstall the package, go on dansguardian gui, manually apply the config. If you want to test boot process, reboot after apply config.
-
Hello All
Many thanks to the author of the Dansguardian-Package. This is a very useful function added to pfSense.
I found what appears to be a bug in the handling of the Dansguardian Package configuration on pfSense 2.
Setup:
pfSense 2.0.1-release
Dansguardian Package (2.12.0.0 pkg; v.0.1.5.3)
squid Package (2.7.9 pkg v.4.3.1)
The Problem:
If I set on the configuration page of Dansguardian (>Services>Dansguardian>Daemon) the Proxy-IP to 127.0.0.1 and leave the value for the Proxy-Port empty (for the default) in the config file of Dansguardian (/usr/local/etc/dansguardian/dansguardian.conf) the value 127.0.0.1 will be written for the proxy-port entry (proxyport = 127.0.0.1).
My Solution:
Manually set the value of the proxyport setting in /usr/local/etc/dansguardian/dansguardian.conf
(In the pfSense-webgui for example by browsing to the config-file via >Diagnostics>Edit File).
Regards
Roman
-
@rs:
The Problem:
If I set on the configuration page of Dansguardian (>Services>Dansguardian>Daemon) the Proxy-IP to 127.0.0.1 and leave the value for the Proxy-Port empty (for the default) in the config file of Dansguardian (/usr/local/etc/dansguardian/dansguardian.conf) the value 127.0.0.1 will be written for the proxy-port entry (proxyport = 127.0.0.1).
My Solution:
Manually set the value of the proxyport setting in /usr/local/etc/dansguardian/dansguardian.conf
Why not just fill proxy port field? ???
-
Why not just fill proxy port field? ???
Yes, this works, and is of course a better solution. I just had not tried it until now.
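A check for the state described in this exchange, as an added example that is not part of the original posts or of the package: it reads proxyip and proxyport from a dansguardian.conf and flags a proxyport that is not a port number. The helper names and the sample file are constructed for illustration, and proxyip is assumed to be an IPv4 address.

```shell
#!/bin/sh
# Added example, not the package's code. Sample values are constructed.

# Print the last value assigned to key $2 in file $1. Lines are "key = value";
# commented-out lines, trailing comments and surrounding quotes are ignored.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^['\"]//" -e "s/['\"]\$//" |
        tail -n 1
}

is_port() {    # true for a decimal integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {    # true for dotted-quad notation with every octet <= 255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print one line per problem found in file $1; return the number of problems.
check_dg_conf() {
    problems=0
    ip=$(conf_get "$1" proxyip)
    port=$(conf_get "$1" proxyport)
    if ! is_ipv4 "$ip"; then
        echo "proxyip is not an IPv4 address: '$ip'"
        problems=$((problems + 1))
    fi
    if ! is_port "$port"; then
        echo "proxyport is not a port number: '$port'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample reproducing the reported state (GUI port field left empty).
sample_conf() {
    cat <<'EOF'
# proxyport = 3128   (commented out, must be ignored)
filterport = 8080
proxyip = 127.0.0.1
proxyport = 127.0.0.1
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_dg_conf "$tmp" || echo "problems found: $?"
rm -f "$tmp"
```

On a firewall, point check_dg_conf at /usr/local/etc/dansguardian/dansguardian.conf after applying the config in the GUI.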
-
Hi All,
Where could I find exceptioniplist on the menu? It seems I can't find it.
Regards,
Rocel
-
Where could I find exceptioniplist on the menu? It seems I can't find it.
http://forum.pfsense.org/index.php/topic,42664.msg274045.html#msg274045
-
Hi, I think there is an option in DansGuardian to set timing. Access lists->site and url
-
Hi and thanks to all, you were of great help..
I installed DansGuardian and Squid from packages, works fine, just a few questions,
- is there a need to put in a blacklist url into Dansguardian?
- I'm trying to get "phrase" to work and it doesn't seem to?
I tried to just put e.g. "<gambling>" with or without spaces front or back but without any response? Was able to enter any gambling site there is?
And while we are at it, where are the category settings? Also when a block comes up it just says Category regular expressions? wondering.
TIA
P.S. as a newbie using pfsense, thanks to the Makers, it's unreal, great work.
and thanks to the maker of the DG pkg very nice job.
-
@hf:
I tried to just put e.g. "<gambling>" with or without spaces front or back but without any response? Was able to enter any gambling site there is?
You have to check to get dansguardian working before going on access lists.
Check if it's listening,
Check if dansguardian is sending traffic to squid
Check if clients are using dansguardian ip/port as their proxies.
check log files to see what is passing through dansguardian.
etc, etc, etc.
This package gui follows dansguardian conf files, so you need some dansguardian knowledge to get it working
@hf:
thanks to the maker of the DG pkg very nice job.
Thanks! donations are always welcome ;D
att,
Marcello Coutinho
-
Thanks,
When i put into Site e.g. "google.com" it got blocked so that tells me that it listens and works, doesn't it?
And i added the rule under nat so i understand that all traffic is forwarded to DG?
Now the log files I wasn't able to figure it out? I'm using strictly the GUI.
TIA
-
@hf:
When i put into Site e.g. "google.com" it got blocked so that tells me that it listens and works, doesn't it?
Did you enable the phrase Banned Lists on default group?
@hf:
And i added the rule under nat so i understand that all traffic is forwarded to DG?
Using nat to get it transparent, you can only filter http.
@hf:
Now the log files I wasn't able to figure it out? I'm using strictly the GUI.
The log will be useful only on console: tail -f /var/log/dansguardian/access.log
-
guys, i'm at a loss here… I installed the dansguardian package and then had to uninstall it, and now after a reinstall, I can't get the gui components of the package to ever finish installing... it just stops at this part:
Removing Dansguardian components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Deinstall commands... done. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Beginning package installation for Dansguardian... Downloading package configuration file... done. Saving updated package information... done. Downloading Dansguardian and its dependencies... Checking for package installation... Loading package configuration... done. Configuring package components... Additional files... done. Loading package instructions... Custom commands... Executing custom_php_install_command()...
Can someone please tell me what I should do here? I have DG working on another server but wanted to do it all on the pfsense box if i could…that way I can filter sites for my kids IPODs and stuff that doesn't have proxy settings easily available.
Appreciate your help, thanks in advance!
-
Can you check if there are any errors on console/system logs?
How old is your dansguardian install?
-
I didn't really see any errors on the logs or console…. i think it's probably about a year old installation at best. I have upgraded it whenever the upgrade was available from the main repository. I think dg is actually installing, but i'm not seeing any portions of it available for configuration in the GUI.
-
but i'm not seeing any portions of it available for configuration in the GUI.
If you can't see it on pfsense menu, try to remove/install the package again.
-
hi Marcello,
I've done that probably 5 times and still not showing up…it just stops at that one point and nothing happens, even if i let it sit there for an hour it never finishes apparently.
i'm tempted to blow it away tonight and reinstall pfsense2 and restore backup and try again... hate to do that if i don't have to though.
doesn't appear that it's fully installing when i run the package, it goes through some of the motions but never registers the service as available and the GUI components never show up.
-
I have no idea what's going on with your install, I've tested here and could uninstall/install dansguardian without errors.
I'm going to test it on other machines too.
-
ok, well, i guess i have no other choice but to fully wipe the pfsense install and start over… luckily, i don't have a very involved configuration so it shouldn't take too long, just have to deal with a wife who will not be happy for me blocking her facebook time. lol
-
Nice write up.. i have installed Dansguardian and configured it as you said. but after finishing 1st step, when i test it I cannot browse anything at all, no good site, no bad site, no pfsense either. any idea what i am doing wrong.
OK.. managed to setup DG successfully. Now, how do i check the reports based on AD username??
-
OK.. managed to setup DG successfully. Now, how do i check the reports based on AD username??
with a tail -f on /var/log/dansguardian/access.log or with sarg package. :)
-
Hi all
Marcello thx for the DG packages, using this topic i have it running almost perfect.
The problems that i have are that sarg is showing only the logs for 2 days (13 and 21 August) and only with the ip address from my pfsense install.
In "realtime" i have the hosts names visible. With lightsquid i have couple days more, but same only with pfsense ip address. Squid is running transparent.
The second problem is: i have 2 samsung TVs and i stream internet radio with this (vtuner App). I placed the 2 TV IPs in Exception and now one is working, the second cannot connect to the stream servers. In the log file it's showing "miss" and not "denied".
Thx
Viko
-
Marcello thx for the DG packages, using this topic i have it running almost perfect.
Thanks. donations are always welcome too ;D
The problems that i have are that sarg is showing only the logs for 2 days (13 and 21 August) and only with the ip address from my pfsense install.
In "realtime" i have the hosts names visible. With lightsquid i have couple days more, but same only with pfsense ip address. Squid is running transparent.
are you using two squid?
squid(transparent) -> dansguardian -> squid?
did you try dansguardian(transparent with nat rules) -> squid.
did you try to run sarg on console to see what errors you get?
The second problem is: i have 2 samsung TVs and i stream internet radio with this (vtuner App). I placed the 2 TV IPs in Exception and now one is working, the second cannot connect to the stream servers. In the log file it's showing "miss" and not "denied".
the miss on logs means "access allowed but not in cache".
-
Hi Marcello
Donation is already done. Thx for your help.
I have Squid (Transparent) - Dansguardian - NAT Rule. After a reboot everything is OK now.
Viko
-
Thanks a lot guys! this is what i am looking for!
-
Hello,
Good day! Just a quick question for you gents, I'm currently running pfsense:
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011
FreeBSD 8.1-RELEASE-p6
and I have created a separate computer/box/server that handles Dansguardian+Squid. On my pfsense firewall, I have installed the squid package (2.7.9 pkg v.4.3.2) then I enable transparent proxy option on that one, and added this line on the custom configuration part:
cache_peer 192.168.127.222 parent 3128 0 no-query no-digest
then I added the squid/dansguardian ip to the bypass proxy originating from this ip line. I have also used "null" for the hard disk cache system so that i won't be caching the same thing twice. Everything is working with this setup so far, the only problem I am having is that on the dansguardian/squid box, what is logged is the ip of the pfsense box and not the ips of the computers used by our users. I do understand why this is so, but I can't seem to figure out how to have the original ips passed to the squid/dansguardian box… any ideas? Thanks!
-
I do understand why this is so, but I can't seem to figure out how to have the original ips passed to the squid/dansguardian box… any ideas? Thanks!
It will always log server ip as it is proxying connections.
To have real ip on your box, you need a rule on lan using dansguardian box ip address as gateway to forward requests to it.
-
Thanks for the quick response marcelloc! as always!
The only purpose why I need to have the original IP on the dansguardian/squid box is so I can do filter groups based on the ip addresses of user's computers.
With regards to your suggestion on making my dansguardian/squid box as the gateway then route web traffic through there, can you explain a bit further? (ive attached a sample rule for it.. at least that's how I interpret it.)
http://tinypic.com/r/iqa4hl/6
http://tinypic.com/r/efqqkw/6
You also mentioned on a previous post as reply to viko saying,
"did you try dansguardian(transparent with nat rules) -> squid."
I'm thinking that this might be a better solution than what I currently have in mind to do. So on the pfsense box, I can install the dansguardian package and then do all the ACL and filter groups on the firewall itself then just make an external squid box that will serve as parent for the dansguardian package in the firewall. If this is possible, I wanted to ask what do you mean "transparent with nat rules"… Can you kindly give me an example? Thanks!
-
dansguardian on pfsense filtering and using a remote squid for cache is a good option for you.
The forward process to proxy server using rules is described in this post
http://forum.pfsense.org/index.php/topic,54717.0.html
-
this is brilliant marcelloc!
I'll try this out later and will give you some feedback.
-
I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.
First, Thanks Marcelloc for your great work.
I am having the same issue where Dansguardian is starting before squid and locking me out of the Web Interface. I installed it just yesterday and couldn't find where the option to force squid to startup before dansguardian was. Is this implemented? If so, where do I set this?
Thanks!
-
I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.
First, Thanks Marcelloc for your great work.
I am having the same issue where Dansguardian is starting before squid and locking me out of the Web Interface. I installed it just yesterday and couldn't find where the option to force squid to startup before dansguardian was. Is this implemented? If so, where do I set this?
Thanks!
First - create a firewall rule (or add an exception to your redirect rule) so that you can get to the pfSense UI even if DG does not start…
As far as the order of starting, I'm not sure. I haven't seen that error in quite a while and I never figured out what was controlling the order (ideas Marcello?). One way to work around it is to create your own startup script in /usr/local/etc/rc.d to startup DG last. Name it something like zz_startdg.sh just to make sure it executes last.
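One way to write the startup script suggested above, as an added example that is not from the original posts or the package: it waits until squid -k check reports a running squid before starting DansGuardian. The DansGuardian start command (DG_START), the 60-second timeout and the function names are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example for a script such as /usr/local/etc/rc.d/zz_startdg.sh.
# It starts DansGuardian only once squid is running, and gives up after a
# timeout instead of starting a filter that has no parent proxy.

SQUID=${SQUID:-/usr/local/sbin/squid}
# Assumption: command that starts DansGuardian on this box.
DG_START=${DG_START:-/usr/local/etc/rc.d/dansguardian.sh start}
TIMEOUT=${TIMEOUT:-60}   # seconds to wait for squid (assumed value)

# wait_for <seconds> <command...>
# Run the command once per second until it succeeds; fail after <seconds>.
wait_for() {
    remaining=$1; shift
    while ! "$@" >/dev/null 2>&1; do
        [ "$remaining" -gt 0 ] || return 1
        sleep 1
        remaining=$((remaining - 1))
    done
}

# "squid -k check" exits non-zero while there is no running copy of squid.
squid_running() {
    "$SQUID" -k check
}

start_dg_after_squid() {
    if wait_for "$TIMEOUT" squid_running; then
        $DG_START    # unquoted on purpose: command plus its arguments
    else
        logger -t zz_startdg "squid not running after ${TIMEOUT}s, dansguardian not started"
        return 1
    fi
}

case "${1:-}" in
    start) start_dg_after_squid ;;
esac
```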
-
dansguardian only works for marcelloc and its developers!
-
Works great for me… And while I will admit that I've done some modifications and spent a fair amount of time figuring out how pfSense works, I'm not "one of its developers"... I do this purely for the fun of it!
I'm going to vent a little, but it baffles me that people want to use a freely distributed, freely developed product and then complain that it doesn't work! Spend the time to learn a little bit... When I first started playing with this thing, I had no idea how pfSense was structured and had little knowledge of FreeBSD, PHP, etc. Try to debug some things on your own. If you find issues, dig in and try to resolve them rather than complaining! That's how an open source software package becomes better.
If that's not where you're at, then maybe you should purchase a commercial product. Then you can call someone in India who will tell you to "reboot and see if that fixes it..."