[WPAD] How to configure it?
-
Under Services -> DHCP Server you get a list of dhcp servers for each of your pfSense interfaces that are statically assigned. There is an option under each server for "Custom Options" or maybe "Advanced", I don't remember. You add three entries to that section. The entry format is:
252 Text http://your_pfsense_ip/wpad.dat
252 Text http://your_pfsense_ip/wpad.da
252 Text http://your_pfsense_ip/proxy.pac
You need to make sure that you have those files available on your pfSense's www path. And then, how do your clients access those files? For me, I block all traffic on port 80 except special stuff. My regular lighttpd serves the pfSense webgui via SSL only. To serve wpad I have a dedicated instance of lighttpd serving port 80 just for client wpad access.
-
In my DHCP tab I got this:
The only other configuration I have done on this page is my DHCP range.
My proxy.pac looks like this:
function FindProxyForURL(url, host)
{
    return "PROXY 10.98.62.209:3128";
}
In usr/local/www I have a proxy.pac file and I have made symbolic links to wpad.dat and wpad.da.
I put autodetect in my browser (Firefox and Internet Explorer).
I still get the prompt "you should configure your proxy".
How can I check where my browser is looking to find its configuration?
Is my proxy.pac file ok?
-
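As an added example (not from any poster in this thread), a fuller proxy.pac than the one-liner above: it keeps unqualified LAN names, `.lan` hosts and RFC 1918 addresses direct, sends everything else through the Squid address quoted in the thread, and falls back to DIRECT if the proxy is unreachable. Browsers supply the PAC helpers (isPlainHostName, shExpMatch, isInNet); the stand-ins below are an assumption so the file can also be run and checked offline in Node, and the offline isInNet only handles literal IPs, not hostnames.

```javascript
// Minimal stand-ins for the browser's PAC helpers, defined only when missing
// (i.e. when run under Node for testing). Inside a browser the real ones are used.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  // Shell-style glob match: '*' and '?' wildcards, everything else literal.
  globalThis.shExpMatch = (str, pat) =>
    new RegExp("^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
  // Offline isInNet: compares a dotted-quad IP against net/mask; no DNS lookups.
  globalThis.isInNet = (ip, net, mask) => {
    if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
    const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + parseInt(o, 10), 0) >>> 0;
    return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
  };
}

function FindProxyForURL(url, host) {
  // Unqualified names (intranet, printer) and the .lan suffix never leave the LAN.
  if (isPlainHostName(host) || shExpMatch(host, "*.lan")) return "DIRECT";
  // Private address ranges stay direct, so the proxy is not a detour for LAN traffic.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through Squid; if it is down, the browser connects directly.
  return "PROXY 10.98.62.209:3128; DIRECT";
}
```

Serve this file as wpad.dat with the correct MIME type and check it with `curl -I http://your_pfsense_ip/wpad.dat` before blaming the browser.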
To test, point your browser at http://your_pfsense_domain/wpad.dat. Does it download the file?
You might have firewall rules preventing access to your_pfsense_domain:port 80.
You might need to have a server serving wpad.dat (like I briefly mentioned I do, with a dedicated lighttpd instance).
Also, my understanding might be wrong but https will instigate a direct connection via port 443 so it will bypass wpad anyway. You could maybe try a NAT rule to redirect 443 traffic to your proxy but that might be a bad idea. I'm not sure if you can also serve wpad via port 443 or if that's a bad idea.
One other thing to bear in mind is if you have your pfSense webgui on 443 and you redirect 443 with NAT, you probably don't want that. Same if pfSense webgui is on port 80. Consider changing pfSense ports to something else or you'll need special firewall rules to allow access.
I don't really know what I'm talking about so take all I say with a grain of salt.
-
I am still looking for what's wrong.
My browser downloads the file without problem.
All ports are open from the LAN.
(thanks for your help by the way)
-
Close your browser, open it again (sometimes mine seemed to be relying on persistent old settings and required a restart).
Reboot pfSense if you've made significant changes.
When you try to open a webpage, if I'm using Chrome it says something like "downloading proxy script" in the bottom status bar sometimes when I start a new session. I'm pretty sure that's Chrome downloading wpad.
One thing I thought of - in your initial post you had Squid enabled in transparent mode. I don't use that. You mentioned you want to use wpad instead, but if Squid is in transparent mode I assume it will redirect all traffic on port 80 automatically, probably bypassing wpad altogether. Did you turn transparent mode off?
-
Ok, I have deleted the Squid proxy.
If I put auto detect in my browser it doesn't work.
If, in firefox, I choose to point on "Automatic proxy configuration URL" and choose http://192.168.0.1/wpad.dat it works just fine.
I see the beginning of a solution.
-
Firefox doesn't seem to work with dhcp:
https://bugzilla.mozilla.org/show_bug.cgi?id=356831
-
Whatever is serving your wpad might need to be configured with the correct definitions for ".dat" and ".da" files.
E.g., my lighttpd_for_wpad.conf file has lines similar to the ".pac" line for the other two file types:
http://redmine.lighttpd.net/projects/lighttpd/wiki/Mimetype_assignDetails
Also read this. You can't just add the mimetype lines to your system's lighttpd.conf; you would need to modify system.inc or have a dedicated lighttpd with its own unique conf like I do.
Same deal if you choose to use Apache or nginx to serve wpad I would guess.
-
I am using the default web server used by pfsense. I actually don't know much about this part. I really need to work on it.
Those links look more than interesting, by the way. I'll work on it asap.
-
Do you connect to pfSense's webgui via https? If so, your web server will not be serving anything via port 80 (I'm pretty sure, it will be quite clear in the file lighttpd.conf). That might explain why requests for normal web pages, accessed via http/port 80, are not finding wpad.dat.
I had some difficulty configuring wpad too. For a while I had a NAT rule instead redirecting outward bound port 80 traffic towards my proxy. It's a less elegant, less flexible, more brute force approach IMO. I'm not sure how it is configured right now, I'll have to check. It might be an option for you too though.
-
Yes, I am accessing the webgui by HTTPS.
I am still working on it. So far I have a custom webpage explaining how to configure the proxy.
I'll keep you informed as soon as I have found a good solution.
-
Here are my relevant NAT entries:
With these rules, my wpad.dat is still hit (I just checked) but if anything tries to bypass wpad it is redirected to my proxy setup. My wpad does nothing currently, just redirects to the proxy the same as NAT. Some of the devices on my network aren't capable of auto-detect, so they are either pointed directly to the proxy or NAT handles it.
Here is an extract from my lighty-proxy-wpad.conf:
The server.bind line has my pfSense private IP between the double quotes. The mimetypes entry has all the other entries deleted to make the image smaller, but you can see that I added two lines for .dat and .da files. I also commented out all the 443 and SSL stuff. This file was originally a copy of the webgui's /var/etc/lighty-webConfigurator.conf. Then I have lighttpd running like this:
/usr/local/sbin/lighttpd -f /path/to/wpad/lighty-proxy-wpad.conf
This is my webserver for port 80 requests, that serves my wpad to client devices on my network. I use a service to start lighttpd up and monitor it, but you can use an entry in the config. Or another method.
I also have firewall rules to allow traffic on my interfaces to wpad, my proxy and other services: