Netgate Discussion Forum

    Transparent Proxy issue?

    pfSense Packages

    • KOM

      Squid by itself does not do any filtering, just caching.  I suspect that you have a corrupted SquidGuard install and it's still running.  Shell into your pfSense box and run:

      ps -ax | grep squid

      What does it output?

      • zaf

        It's not letting me type | ?

        • zaf

          Sorry, found it; it was the # key that had that. See attached output.

          squid.PNG

          • KOM

            Hmm, SquidGuard is not running.  Are you running another content filter, like DansGuardian?  This is certainly a strange one.

            • zaf

              No, I am not. I've been pulling my hair for weeks but can't seem to find a solution.

              If it makes it easier for you, I don't mind giving you remote access over TeamViewer 9?

              Let me know.

              Thanks

              • KOM

                I'm just some random Internet guy, so giving me access to your box probably isn't good for security.

                I would make a backup of your configuration and then do a reinstall.  That shouldn't take very long and it may get you past a glitch.

                I still can't get past how SquidGuard is not running, but you get access denied errors that look exactly like SquidGuard's default error msg page.

                Have you tried with a different browser or client computer to rule out any weird caching issues?

                What happens if you completely uninstall SquidGuard?

                • zaf

                  If I uninstall it I still get the same result, so I really don't think it's SquidGuard; I believe it's an issue with transparent proxy!

                  Thanks

                  • KOM

                    But like I said, Squid by itself doesn't do any filtering.  None at all.  It's a caching proxy and that's all.

                    • zaf

                      OK, let's take SquidGuard out of the equation.

                      So what I want is transparent proxy with Lightsquid, and I still get the same result?

                      Thanks

                      • Tikimotel

                        You had set up non-transparent mode first, right?
                        Perhaps the switching to transparent mode did not complete the firewall rule changes to accommodate the squid proxy rules to redirect to the proxy-port.

                        Does /tmp/rules.debug contain something like this?

                        
                        # Setup Squid proxy redirect
                        no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
                        rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                        
                        
                        • zaf

                          Correct, I had not set transparent first, but it was installed as the first package out of three I have installed.

                          Sorry, I'm not familiar with commands and I'm new to pfSense. How do I check the /tmp/rules.debug?

                          Please can you explain in steps?

                          Thanks for all your help so far!

                          • zaf

                            Tikimotel, can you please respond?

                            Thanks

                            • Tikimotel

                              Sorry for the late response.

                              The /tmp/rules.debug file can be viewed via WinSCP or using the command "cat /tmp/rules.debug" in the pfSense GUI: Diagnostics -> Command.

                              I've checked the "squid.inc" file in the package, and that will normally create the appropriate rules on pressing "save".
                              I'm not sure on how to fix that manually if it turns out to be wrong.

                              • zaf

                                Hi Tikimotel,

                                Here is the output of the command. What does this mean?

                                Setup Squid proxy redirect

                                rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128

                                Thanks

                                • KOM

                                  Redirect on interface de1, protocol TCP, from Source "Any" to Destination "NOT LAN Address", and send it to localhost on port 3128.  Basically it means that anyone on your LAN sending anything to port 80 (HTTP) but not directed to your pfSense box will be redirected to your pfSense box port 3128.

                                  It's the redirect rule that turns Transparent mode on or off.

                                  • Tikimotel

                                    rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
                                    

                                    Redirect all traffic using TCP protocol on port 80, from any source other than the de1 and redirect that to the localhost using the proxy port.

                                    So it's only half of what is needed.
                                    You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

                                    Do you have "Allow users on interface" enabled?

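The check discussed in the posts above, as an added example that is not part of the original thread: an sh function that reports, per interface, whether a ruleset dump such as /tmp/rules.debug contains the rdr redirect to the Squid port and the no rdr line from Tikimotel's example. The function name check_squid_rdr and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the two Squid redirect lines quoted in this
# thread appear in a pf ruleset dump such as /tmp/rules.debug.
# Prints one line per interface: "<if> redirect=<yes|no> exemption=<yes|no>"
check_squid_rdr() {
    # $1 = ruleset file, $2 = proxy port (3128 in the rules quoted above)
    awk -v port="${2:-3128}" '
        /^[ \t]*#/ { next }    # skip comment lines
        # "no rdr on <if> ... port 80": port-80 traffic exempt from redirect
        $1 == "no" && $2 == "rdr" && $3 == "on" && / port 80([ \t]|$)/ {
            seen[$4] = 1; exempt[$4] = 1; next
        }
        # "rdr on <if> ... port 80 -> 127.0.0.1 port <port>": the redirect
        $1 == "rdr" && $2 == "on" && / port 80 -> 127\.0\.0\.1 port / {
            if ($NF == port) { seen[$3] = 1; redir[$3] = 1 }
        }
        END {
            for (i in seen)
                printf "%s redirect=%s exemption=%s\n", i,
                    (redir[i] ? "yes" : "no"), (exempt[i] ? "yes" : "no")
        }' "$1" | sort
}

# Constructed samples built from the rule lines quoted in the thread.
sample_both=$(mktemp)
sample_one=$(mktemp)
cat > "$sample_both" <<'EOF'
# Setup Squid proxy redirect
no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
EOF
cat > "$sample_one" <<'EOF'
# Setup Squid proxy redirect
rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
EOF

check_squid_rdr "$sample_both"
check_squid_rdr "$sample_one"
```

On the firewall itself, define the function in /bin/sh and run check_squid_rdr /tmp/rules.debug; an empty result means no redirect to the given proxy port was found at all.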
                                    • Tikimotel

                                      I've unchecked this "Allow users on interface" and saved.
                                      Now I get a denied message, too.

                                      Please check "Allow users on interface", or add the allowed subnets manually in the tab "ACLs"

                                      Have you added anything to the "Authentication" tab?
                                      Can you try and set "Authentication method" to "none", or add the subnets to "Subnets that don't need authentication" field below that.

                                      • zaf

                                        So it's only half of what is needed.
                                        You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

                                        Do you have "Allow users on interface" enabled?

                                        See attached. So how do I add the other line?

                                        Thanks

                                        proxy.PNG

                                        • zaf

                                          Authentication tab is set to none?

                                          authen.PNG

                                          • zaf

                                            The strange thing is when I turn transparent proxy on, the Google page works (hit and miss), but if I try another site, say bbc.co.uk, it says page cannot be displayed?

                                            :-\

                                            Really confusing the hell out of me!
