PfSense newbie configuration problem
-
Multiple clients logging in with the same credentials? Too many simultaneous sessions?
I'm speculating. I agree it seems unlikely.Steve
-
There is no need to add the proxy information to pfSense, you only need to do that as a convenience for machines behind pfSense and to enable the box itself to have web access. You can just add the proxy to the clients behind pfSense as would for boxes in front it. You won't be able to update from the webgui.
It maybe that the upstream proxy has a problem with NATed clients connecting to it perhaps by design. It would seem reasonable for your network admin to not won't people running their own routers.Steve
Well even if I remove the proxy informations I am not able to navigate the web from the pfSense machine.
This continue to appear very strange to me and I am still convinced of a configuration problem….Look at this screenshot (taken from the pfSense machine) to understand why I am saying this...
How it is possible that I can do nslookup without any problem and getting "No address record" when using fetch??
-
If you do a fetch with the IP, does it work? (fetch http://173.194.65.105)
I think generally you want to be file specific with fetch so you don't get to much. Perhaps:
fetch http://files.chi.pfsense.org/jimp/foo/shiny/ehrmagerd/pfSense-Full-Update-2.0.2-RELEASE-i386-20121004-1028.tgz -
If you have removed the upstream proxy settings from pfSense then this won't work. Assuming the network admin has blocked non proxied http access.
Steve
-
So do you need a proxy to get out?? This has been verified right? Have you set this for fetch to use?
I believe you can view this with the echo of the $HTTP_PROXY variable
echo $HTTP_PROXY
HTTP_PROXY: Undefined variable.also what is in your /etc/resolv.conf file
Do you have any limitation on dns in any of your rules or the dns server your trying to use?
This proxy on your network - how is it implemented. Do you have to set it explicit, is wccp used? Is a transparent proxy? Is there any sort of captive portal setup where you have to auth or agree to something before you get access using the proxy?
-
If you do a fetch with the IP, does it work? (fetch http://173.194.65.105)
I think generally you want to be file specific with fetch so you don't get to much. Perhaps:
fetch http://files.chi.pfsense.org/jimp/foo/shiny/ehrmagerd/pfSense-Full-Update-2.0.2-RELEASE-i386-20121004-1028.tgz
If you have removed the upstream proxy settings from pfSense then this won't work. Assuming the network admin has blocked non proxied http access.
Steve
Yes I have removed the configuration. But I am just trying to get to the internet from the pfsense shell…
So do you need a proxy to get out?? This has been verified right? Have you set this for fetch to use?
I believe you can view this with the echo of the $HTTP_PROXY variable
echo $HTTP_PROXY
HTTP_PROXY: Undefined variable.also what is in your /etc/resolv.conf file
Do you have any limitation on dns in any of your rules or the dns server your trying to use?
This proxy on your network - how is it implemented. Do you have to set it explicit, is wccp used? Is a transparent proxy? Is there any sort of captive portal setup where you have to auth or agree to something before you get access using the proxy?
There is an internal DNS server in a Windows 2008 VM which is running at 192.168.83.11 and which serves the clients of the virtual network 192.168.83.0.
On this server I also have configured to forward queries to 192.168.83.1 (the pfSense router). As you can see from the previous screenshot, the pfSense router has DNS of my host network in resolve.conf.
I dont really know how to verify if there are any limitations.The proxy it is a Squid 2.7v9 with Basic Authentication. On our client pc's we can configure it directly using the sintax I've used above or even with a wpad autoconfiguration script which provides load balancing. It does'nt make any difference for the clients.
It is not a transparent proxy. We dont have wccp. -
So from that http_proxy output fetch would be using that proxy to resolve dns would it not? When using a proxy, normally proxy does the dns lookup. Looks like your putting username and password in the proxy url.
Does your proxy allow that? Have you tried this method with fetch
HTTP_PROXY=http://proxy.example.com:8080
HTTP_PROXY_AUTH=basic:*:<user>: <pwd>You sure pfsense is even resolving the fqdn you have in there for your proxy? If its an internal fqdn, why are you hiding it?</pwd></user> -
So from that http_proxy output fetch would be using that proxy to resolve dns would it not? When using a proxy, normally proxy does the dns lookup.
Right! I was almost sure but unfortunately I have just verified that the pfsense VM does not resolve the name of the proxy server.
This is just very strange because the wan configuration is exactly the same as my host machine (!!!).
I did change the HTTP_PROXY environment variable to use the IP address instead of the name and now "fetch" works :)Looks like your putting username and password in the proxy url.
Does your proxy allow that? Have you tried this method with fetch
HTTP_PROXY=http://proxy.example.com:8080
HTTP_PROXY_AUTH=basic:*:<user>:</user>Both methods works
You sure pfsense is even resolving the fqdn you have in there for your proxy? If its an internal fqdn, why are you hiding it?
pfSense was not resolving the name (that is understandable for me). I am hiding the name of the server just because of the privacy. In that name there are reference to the name of the customer I am working for and I do not wish to cause any problem to anyone…
Now that I am able to browse the web from the router itself I am still unable to browse the web from internal network guests which are simply configured to have the router IP as their gateway...
-
Well it cannot be simply pointing a server to a router an expecting it to work when there is a proxy involved. The proxy setup you did was just for pfSense to get version information and packages installed. This is not for everything else behind it. If you want to do that, you are going to have to setup pfSense with Squid to be a proxy itself, and a transparent one at that. Alternatively, you can just setup the proxy the same as everything else, even the same as pfSense, and pfsense will route traffic on port 3128 to that proxy.
Hope that made since. -
Well it cannot be simply pointing a server to a router an expecting it to work when there is a proxy involved. The proxy setup you did was just for pfSense to get version information and packages installed. This is not for everything else behind it.
what you say confirms what I said at the this thread. that is I am a beginner and that my knowledge about it is very poor :'(
If you want to do that, you are going to have to setup pfSense with Squid to be a proxy itself, and a transparent one at that. Alternatively, you can just setup the proxy the same as everything else, even the same as pfSense, and pfsense will route traffic on port 3128 to that proxy.
Hope that made since.Ok. I need to read a little bit to implement the "clean" solution with Squid.
But for the "easy" way, do you mean that I can configure the guests behind the router to use http://<router_ip>:3128 as proxy?</router_ip> -
Yes. the same proxy you used with pfsense and your workstation.
-
Yes. the same proxy you used with pfsense and your workstation.
Ok! Finally I have got my target ;D ;D
I have installed and enabled Squid to be a transparent proxy against internal network.
I have also enabled Squid to use an upstream proxy (the one of the network I am in).It seems that everything is working. Thank you so much for helping
