Netgate Discussion Forum

    PfSense newbie configuration problem

    • stephenw10 Netgate Administrator

      Multiple clients logging in with the same credentials? Too many simultaneous sessions?
      I'm speculating. I agree it seems unlikely.

      Steve

      • vdecristofaro

        @stephenw10:

        There is no need to add the proxy information to pfSense, you only need to do that as a convenience for machines behind pfSense and to enable the box itself to have web access. You can just add the proxy to the clients behind pfSense as you would for boxes in front of it. You won't be able to update from the webgui.
        It may be that the upstream proxy has a problem with NATed clients connecting to it, perhaps by design. It would seem reasonable for your network admin to not want people running their own routers.

        Steve

        Well, even if I remove the proxy information I am not able to navigate the web from the pfSense machine.
        This continues to appear very strange to me and I am still convinced of a configuration problem….

        Look at this screenshot (taken from the pfSense machine) to understand why I am saying this...

        How is it possible that I can do nslookup without any problem and get "No address record" when using fetch??

        • podilarius

          If you do a fetch with the IP, does it work? (fetch http://173.194.65.105)
          I think generally you want to be file specific with fetch so you don't get too much. Perhaps:
          fetch http://files.chi.pfsense.org/jimp/foo/shiny/ehrmagerd/pfSense-Full-Update-2.0.2-RELEASE-i386-20121004-1028.tgz

          • stephenw10 Netgate Administrator

            If you have removed the upstream proxy settings from pfSense then this won't work, assuming the network admin has blocked non-proxied http access.

            Steve

            • johnpoz LAYER 8 Global Moderator

              So do you need a proxy to get out??  This has been verified right?  Have you set this for fetch to use?

              I believe you can view this with the echo of the $HTTP_PROXY variable

              echo $HTTP_PROXY
              HTTP_PROXY: Undefined variable.

              Also, what is in your /etc/resolv.conf file?

              Do you have any limitation on dns in any of your rules or the dns server you're trying to use?

              This proxy on your network - how is it implemented?  Do you have to set it explicitly, is wccp used?  Is it a transparent proxy?  Is there any sort of captive portal setup where you have to auth or agree to something before you get access using the proxy?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • vdecristofaro

                @podilarius:

                If you do a fetch with the IP, does it work? (fetch http://173.194.65.105)
                I think generally you want to be file specific with fetch so you don't get too much. Perhaps:
                fetch http://files.chi.pfsense.org/jimp/foo/shiny/ehrmagerd/pfSense-Full-Update-2.0.2-RELEASE-i386-20121004-1028.tgz

                @stephenw10:

                If you have removed the upstream proxy settings from pfSense then this won't work, assuming the network admin has blocked non-proxied http access.

                Steve

                Yes I have removed the configuration. But I am just trying to get to the internet from the pfsense shell…

                @johnpoz:

                So do you need a proxy to get out??  This has been verified right?  Have you set this for fetch to use?

                I believe you can view this with the echo of the $HTTP_PROXY variable

                echo $HTTP_PROXY
                HTTP_PROXY: Undefined variable.

                Also, what is in your /etc/resolv.conf file?

                @johnpoz:

                Do you have any limitation on dns in any of your rules or the dns server you're trying to use?

                This proxy on your network - how is it implemented?  Do you have to set it explicitly, is wccp used?  Is it a transparent proxy?  Is there any sort of captive portal setup where you have to auth or agree to something before you get access using the proxy?

                There is an internal DNS server in a Windows 2008 VM which is running at 192.168.83.11 and which serves the clients of the virtual network 192.168.83.0.
                On this server I also have configured to forward queries to 192.168.83.1 (the pfSense router). As you can see from the previous screenshot, the pfSense router has the DNS of my host network in resolv.conf.
                I don't really know how to verify if there are any limitations.

                The proxy is a Squid 2.7v9 with Basic Authentication. On our client PCs we can configure it directly using the syntax I've used above or even with a wpad autoconfiguration script which provides load balancing. It doesn't make any difference for the clients.
                It is not a transparent proxy. We don't have wccp.

                • johnpoz LAYER 8 Global Moderator

                  So from that http_proxy output fetch would be using that proxy to resolve dns would it not?  When using a proxy, normally proxy does the dns lookup.  Looks like you're putting username and password in the proxy url.

                  Does your proxy allow that? Have you tried this method with fetch?

                  HTTP_PROXY=http://proxy.example.com:8080
                  HTTP_PROXY_AUTH=basic:*:<user>:<pwd>

                  You sure pfsense is even resolving the fqdn you have in there for your proxy?  If it's an internal fqdn, why are you hiding it?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11
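
The two checks raised in the post above (does the proxy host in HTTP_PROXY need DNS and resolve, and are credentials embedded in the URL), as an added example that is not part of the original thread. The function names are hypothetical, and using `getent hosts` as the resolver is an assumption; swap in whatever lookup tool the box has.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a fetch proxy URL.
# Function names are hypothetical.

# Print the host part of a proxy URL (scheme, user:pwd@, port, path removed).
proxy_host() {
    rest=${1#*://}       # drop "http://"
    rest=${rest%%/*}     # drop any path
    rest=${rest##*@}     # drop "user:pwd@" if present
    case $rest in
        \[*) rest=${rest#\[}; printf '%s\n' "${rest%%\]*}" ;;  # [IPv6]:port
        *)   printf '%s\n' "${rest%%:*}" ;;                    # host:port
    esac
}

# Succeed when the URL embeds user:pwd@ (worth knowing before echoing the
# variable into a screenshot or a log).
proxy_has_creds() {
    rest=${1#*://}; rest=${rest%%/*}
    case $rest in *@*) return 0 ;; *) return 1 ;; esac
}

# Succeed when the host is an IPv4/IPv6 literal, i.e. no DNS lookup is needed.
is_ip_literal() {
    case $1 in
        *:*)          return 0 ;;   # IPv6 (brackets already stripped)
        ''|*[!0-9.]*) return 1 ;;   # empty, or has a non-digit: a name
        *.*.*.*)      return 0 ;;   # dotted quad
        *)            return 1 ;;
    esac
}

# Resolver hook; getent is an assumption, replace with another lookup tool.
resolve_name() { getent hosts "$1" >/dev/null 2>&1; }

# Print one verdict: ip-literal | resolves | unresolvable
check_proxy() {
    host=$(proxy_host "$1")
    if is_ip_literal "$host"; then echo ip-literal
    elif resolve_name "$host"; then echo resolves
    else echo unresolvable
    fi
}

# Report on the current environment when a proxy variable is set.
url=${HTTP_PROXY:-${http_proxy:-}}
if [ -n "$url" ]; then
    echo "proxy host $(proxy_host "$url"): $(check_proxy "$url")"
    if proxy_has_creds "$url"; then echo "note: credentials embedded in URL"; fi
fi
```

An `unresolvable` verdict means the lookup fails on this machine before any request reaches the proxy, so an IP literal in HTTP_PROXY sidesteps it.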

                  • vdecristofaro

                    @johnpoz:

                    So from that http_proxy output fetch would be using that proxy to resolve dns would it not?  When using a proxy, normally proxy does the dns lookup.

                    Right! I was almost sure but unfortunately I have just verified that the pfsense VM does not resolve the name of the proxy server.
                    This is just very strange because the wan configuration is exactly the same as my host machine (!!!).
                    I did change the HTTP_PROXY environment variable to use the IP address instead of the name and now "fetch" works :)

                    @johnpoz:

                    Looks like you're putting username and password in the proxy url.

                    Does your proxy allow that? Have you tried this method with fetch?

                    HTTP_PROXY=http://proxy.example.com:8080
                    HTTP_PROXY_AUTH=basic:*:<user>:<pwd>

                    Both methods work

                    @johnpoz:

                    You sure pfsense is even resolving the fqdn you have in there for your proxy?  If it's an internal fqdn, why are you hiding it?

                    pfSense was not resolving the name (that is understandable for me). I am hiding the name of the server just because of privacy. In that name there is a reference to the name of the customer I am working for and I do not wish to cause any problem to anyone…

                    Now that I am able to browse the web from the router itself I am still unable to browse the web from internal network guests which are simply configured to have the router IP as their gateway...

                    • podilarius

                      Well, it cannot be simply pointing a server to a router and expecting it to work when there is a proxy involved. The proxy setup you did was just for pfSense to get version information and packages installed. This is not for everything else behind it. If you want to do that, you are going to have to set up pfSense with Squid to be a proxy itself, and a transparent one at that. Alternatively, you can just set up the proxy the same as everything else, even the same as pfSense, and pfSense will route traffic on port 3128 to that proxy.
                      Hope that made sense.

                      • vdecristofaro

                        @podilarius:

                        Well, it cannot be simply pointing a server to a router and expecting it to work when there is a proxy involved. The proxy setup you did was just for pfSense to get version information and packages installed. This is not for everything else behind it.

                        What you say confirms what I said in this thread, that is, I am a beginner and my knowledge about it is very poor  :'(

                        @podilarius:

                        If you want to do that, you are going to have to set up pfSense with Squid to be a proxy itself, and a transparent one at that. Alternatively, you can just set up the proxy the same as everything else, even the same as pfSense, and pfSense will route traffic on port 3128 to that proxy.
                        Hope that made sense.

                        Ok. I need to read a little bit to implement the "clean" solution with Squid.
                        But for the "easy" way, do you mean that I can configure the guests behind the router to use http://<router_ip>:3128 as proxy?

                        • podilarius

                          Yes, the same proxy you used with pfSense and your workstation.

                          • vdecristofaro

                            @podilarius:

                            Yes, the same proxy you used with pfSense and your workstation.

                            Ok! Finally I have got my target  ;D ;D

                            I have installed and enabled Squid to be a transparent proxy against internal network.
                            I have also enabled Squid to use an upstream proxy (the one of the network I am in).

                            It seems that everything is working. Thank you so much for helping
