Netgate Discussion Forum

    Installing the Dansguardian package in PFSense - One user's experience

    86 Posts 27 Posters 158.9k Views
      viko

      Hi all

      Marcello thx for the DG packages, using this topic I have it running almost perfect.

      The problems that I have are that sarg is showing only the logs for 2 days (13 and 21 August) and only with the IP address from my pfsense install.
      In "realtime" I have the host names visible. With lightsquid I have a couple of days more, but again only with the pfsense IP address. Squid is running transparent.

      The second problem is: I have 2 Samsung TVs and I stream internet radio with them (vtuner App). I placed the 2 TV IPs in Exception and now one is working, the second cannot connect to the stream servers. In the log file it is showing "miss" and not "denied".

      Thx
      Viko

        marcelloc

        @viko:

        Marcello thx for the DG packages, using this topic I have it running almost perfect.

        Thanks. Donations are always welcome too ;D

        @viko:

        The problems that I have are that sarg is showing only the logs for 2 days (13 and 21 August) and only with the IP address from my pfsense install.
        In "realtime" I have the host names visible. With lightsquid I have a couple of days more, but again only with the pfsense IP address. Squid is running transparent.

        Are you using two squids?

        squid (transparent) -> dansguardian -> squid?

        Did you try dansguardian (transparent with NAT rules) -> squid?

        Did you try to run sarg on the console to see what errors you get?

        @viko:

        The second problem is: I have 2 Samsung TVs and I stream internet radio with them (vtuner App). I placed the 2 TV IPs in Exception and now one is working, the second cannot connect to the stream servers. In the log file it is showing "miss" and not "denied".

        The "miss" in the logs means "access allowed but not in cache".

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          viko

          Hi Marcello

          Donation is already done. Thx for your help.

          I have Squid (Transparent) - Dansguardian - NAT Rule. After a reboot everything is OK now.

          Viko

            marcelloc

            @viko:

            Donation is already done.

            Thanks for supporting this package  ;D

              Munis

              Thanks a lot guys! This is what I am looking for!

                baud

                Hello,

                Good day! Just a quick question for you gents, I'm currently running pfsense:

                2.0.1-RELEASE (amd64)
                built on Mon Dec 12 18:16:13 EST 2011
                FreeBSD 8.1-RELEASE-p6

                and I have created a separate computer/box/server that handles Dansguardian+Squid.  On my pfsense firewall, I have installed the squid package (2.7.9 pkg v.4.3.2) then I enable transparent proxy option on that one, and added this line on the custom configuration part:

                cache_peer 192.168.127.222 parent 3128 0 no-query no-digest

                then I added the squid/dansguardian IP to the "bypass proxy originating from this IP" line. I have also used "null" for the hard disk cache system so that I won't be caching the same thing twice. Everything is working with this setup so far; the only problem I am having is that on the dansguardian/squid box, what is logged is the IP of the pfsense box and not the IPs of the computers used by our users. I do understand why this is so, but I can't seem to figure out how to have the original IPs passed to the squid/dansguardian box… any ideas? Thanks!

                  marcelloc

                  @baud:

                  I do understand why this is so, but I can't seem to figure out how to have the original ips passed to the squid/dansguardian box… any ideas? Thanks!

                  It will always log the server IP, as it is proxying connections.

                  To have the real IP on your box, you need a rule on LAN using the dansguardian box IP address as gateway to forward requests to it.

                    baud

                    Thanks for the quick response marcelloc! as always!

                    The only reason I need to have the original IP on the dansguardian/squid box is so I can do filter groups based on the IP addresses of users' computers.

                    With regard to your suggestion on making my dansguardian/squid box the gateway and then routing web traffic through there, can you explain a bit further? (I've attached a sample rule for it... at least that's how I interpret it.)

                    http://tinypic.com/r/iqa4hl/6
                    http://tinypic.com/r/efqqkw/6

                    You also mentioned on a previous post as reply to viko saying,

                    "Did you try dansguardian (transparent with NAT rules) -> squid?"

                    I'm thinking that this might be a better solution than what I currently have in mind to do.  So on the pfsense box, I can install the dansguardian package and then do all the ACL and filter groups on the firewall itself then just make an external squid box that will serve as parent for the dansguardian package in the firewall. If this is possible, I wanted to ask what do you mean "transparent with nat rules"… Can you kindly give me an example? Thanks!

                      marcelloc

                      dansguardian on pfsense filtering and using a remote squid for cache is a good option for you.

                      The forward process to proxy server using rules is described in this post

                      http://forum.pfsense.org/index.php/topic,54717.0.html

                        baud

                        this is brilliant marcelloc!

                        I'll try this out later and will give you some feedback.

                          cakewipe

                          @marcelloc:

                          I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.

                          First, Thanks Marcelloc for your great work.
                          I am having the same issue where Dansguardian is starting before squid and locking me out of the Web Interface.  I installed it just yesterday and couldn't find where the option to force squid to startup before dansguardian was.  Is this implemented?  If so, where do I set this?

                          Thanks!

                            rjcrowder

                            @cakewipe:

                            @marcelloc:

                            I could not reproduce this issue but I'll include on dansguardian gui an option to force squid startup before dansguardian.

                            First, Thanks Marcelloc for your great work.
                            I am having the same issue where Dansguardian is starting before squid and locking me out of the Web Interface.  I installed it just yesterday and couldn't find where the option to force squid to startup before dansguardian was.  Is this implemented?  If so, where do I set this?

                            Thanks!

                            First - create a firewall rule (or add an exception to your redirect rule) so that you can get to the pfSense UI even if DG does not start…

                            As far as the order of starting, I'm not sure. I haven't seen that error in quite a while and I never figured out what was controlling the order (ideas Marcello?). One way to work around it is to create your own startup script in /usr/local/etc/rc.d to startup DG last. Name it something like zz_startdg.sh just to make sure it executes last.

                            1 Reply Last reply Reply Quote 0
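The startup-order workaround from the post above, sketched as an added example (not code from the thread or from the DansGuardian package). It assumes Squid listens on 127.0.0.1:3128 and that DansGuardian's rc script is `/usr/local/etc/rc.d/dansguardian.sh` and accepts `restart`; check both on your own install.

```shell
#!/bin/sh
# /usr/local/etc/rc.d/zz_startdg.sh  (added example; name taken from the post)
# Assumptions, not confirmed by the thread: Squid address/port and the
# path and "restart" argument of the DansGuardian rc script.
SQUID_HOST="${SQUID_HOST:-127.0.0.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
DG_RC="${DG_RC:-/usr/local/etc/rc.d/dansguardian.sh}"
TRIES="${TRIES:-30}"    # attempts before giving up
DELAY="${DELAY:-2}"     # seconds between attempts

# wait_until TRIES DELAY CMD [ARGS...]
# Re-run CMD until it succeeds. Returns 0 on success, 1 after TRIES failures.
wait_until() {
    tries="$1"; delay="$2"; shift 2
    n=0
    while [ "$n" -lt "$tries" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# Probe: is anything accepting TCP connections on the Squid port?
squid_listening() {
    nc -z "$SQUID_HOST" "$SQUID_PORT"
}

# Start DansGuardian only once its parent proxy is reachable.
start_dg_after_squid() {
    if wait_until "$TRIES" "$DELAY" squid_listening; then
        "$DG_RC" restart
    else
        # Leave DG down and record why, instead of starting it against
        # a parent proxy that is not there.
        logger -t zz_startdg "squid not on $SQUID_HOST:$SQUID_PORT, dansguardian not started"
        return 1
    fi
}

# Only act when called with "start"; any other invocation does nothing.
case "${1:-}" in
    start) start_dg_after_squid ;;
esac
```

If Squid never comes up, DansGuardian stays down and redirected web traffic fails, so the firewall rule that keeps the pfSense UI reachable (the first step in the post) still matters.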
                              Guest

                              dansguardian only works for marcelloc and its developers!

                                rjcrowder

                                Works great for me… And while I will admit that I've done some modifications and spent a fair amount of time figuring out how pfSense works, I'm not "one of its developers"... I do this purely for the fun of it!

                                I'm going to vent a little, but it baffles me that people want to use a freely distributed, freely developed product and then complain that it doesn't work! Spend the time to learn a little bit... When I first started playing with this thing, I had no idea how pfSense was structured and had little knowledge of FreeBSD, PHP, etc.  Try to debug some things on your own. If you find issues, dig in and try to resolve them rather than complaining! That's how an open source software package becomes better.

                                If that's not where you're at, then maybe you should purchase a commercial product. Then you can call someone in India who will tell you to "reboot and see if that fixes it..."

                                  Hugovsky

                                  Works great for me too. Using it with 300+ users and fiber. Thanks to Marcelloc and to all that contribute. Awesome job.

                                    NemesisXIII

                                    I was able to get it reasonably configured and it seems to work for most everything I want, but I have a persistent problem with Google. I am unable to filter Google's search results to be safe only. It seems they changed all their search to https only and it is preventing me from enforcing safe mode (searches for naughty words still show thumbnails of naughty content even though none of it is clickable). In my search I have found multiple modify statements, none of which work. Has anyone been able to find a way to enforce safe search or prevent searches of certain keywords from being successful?
                                    The best I've been able to manage is that http://216.239.32.20/ is the Google search IP address and searches on it are properly caught by dansguardian (and safe search properly enforced); however, any regular browser bar search or putting google.com into the address bar brings me back to my original problem of being unable to modify the SSL and search queries.

                                    Thanks for any help.

                                      rjcrowder

                                      You can enter DNS overrides in the DNS settings to force resolution of google.com to nosslsearch.google.com (216.239.32.20).

                                        Ricardozam

                                        Hello

                                        I'm new to pfSense and although I have managed to put into operation

                                        pfSense 2.1-RELEASE (i386)
                                        built on Wed Sep 11 18:16:50 EDT 2013
                                        FreeBSD 8.3-RELEASE-p11

                                        with squid3 2.0.6 pkg v3.1.20

                                        on this box
                                        CPU Type Intel (R) Core (TM) 2 Duo CPU E7500@2.93GHz
                                        2 CPUs: 1 package (s) x 2 core (s)
                                        2GB Memory
                                        100GB HD

                                        with up to 100 users for two weeks without problems

                                        I would like you to advise me whether it is possible to have Dansguardian v2.12.0.3 pkg v.0.1.8 with this setup and maintain a fully functional squid3 cache.

                                        Thanks for your advice on this regards.

                                          q54e3w

                                          I've followed this guide but can't for the life of me get traffic to flow. The dansguardian and squid logs show zero activity so something pretty fundamental is wrong.
                                          My first pfsense box 192.168.10.1 runs openvpn, suricata and firewall.
                                          I've got a second pfsense box 192.168.10.2 running dansguardian and squid only which was intended to replace an untangle setup.
                                          The only difference I can see from this guide is I'm using a bridged connection to group my onboard wan, lan*3 ports plus my quad i350 and dual x520 with the first box. To reduce complexity I've reduced this down to a sole wan & lan bridged connection but no joy. Everything worked correctly prior to introducing dansguardian and squid so the bridge setup is sound.
                                          Is the bridge setup likely to cause problems?

                                            aGeekhere

                                            Hi all,

                                            I would like to add Dansguardian to my squid3-dev squidGuard for Transparent Proxy with SSL filtering.
                                            squidGuard is working and filtering (just need to work out how to allow update services like Windows Update and Adobe Creative Cloud; if anyone has any advice on this it would be much appreciated) UPDATE: solved Windows updates https://forum.pfsense.org/index.php?topic=73640.45

                                            The problem is that Dansguardian does not want to filter anything (http or https, I turned off squidGuard to test this).

                                            I have tried creating a NAT rule for Dansguardian and put it on the TOP of the list
                                            LAN TCP * * LAN net 80 (HTTP) 192.168.1.1 8080 dans

                                            Dansguardian setup
                                            Listen interface: LAN
                                            port: 8080
                                            Proxy IP: 192.168.1.1
                                            Proxy Port: 3128
                                            SSL man in the middle Filtering using my certificate

                                            Squid setup
                                            http Proxy interface lan
                                            http Proxy port 3128
                                            Transparent Proxy interface lan
                                            Bypass proxy for these destination IPs 192.168.1.1
                                            SSL Intercept interface(s) lan
                                            SSL Proxy port blank

                                            Anyone have any suggestions?

                                            Never Fear, A Geek is Here!
